Master the Microsoft Azure Architect Design (AZ-304) 2025 – Unleash Your Cloud Genius!

The correct answer in the context of encrypting disks of virtual machines using BitLocker with an on-premises Hardware Security Module (HSM) is to use Azure Key Vault effectively. Deploying one Azure Key Vault per region allows the company to manage their cryptographic keys centrally while also offering enhanced security and compliance features necessary for key management.

By setting up Azure Key Vault, which integrates with BitLocker, the company can leverage Azure's capabilities to encrypt and control access to their keys, thus enabling secure encryption of VM disks. This is particularly important in scenarios where the company needs to maintain a secure environment that adheres to compliance requirements, as Azure Key Vault offers secure storage and management for cryptographic keys and secrets.

In contrast, exporting a security key from the on-premises HSM would not be the ideal solution since it compromises the hardware isolation that HSMs provide. Configuring Azure Storage Service Encryption does not directly involve BitLocker, as it focuses on data-at-rest encryption rather than specific virtual machine disk encryption which BitLocker handles. Using Azure Disk Encryption with a single Azure AD service principal may not fully leverage the key management and regional strategies that are best practiced for an enterprise-scale scenario, particularly when integrating with an on-premises HSM.