You need to encrypt storage1 to meet the technical requirements.
Which key vaults can you use?
The storage account and the key vault must be in the same Azure Active Directory (Azure AD) tenant, but they can be in different regions and subscriptions. Therefore, all three key vaults, KeyVault1, KeyVault2, and KeyVault3, can be used to encrypt storage1, since they do not need to be in the same region. Guidelines confirm that the storage account and key vault can be in different regions within the same tenant.
Things have changed. Now KeyVault can be in a different region or sub, but in the same tenant: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?WT.mc_id=Portal-Microsoft_Azure_Storage&tabs=azure-portal
Correct
Correct! Supported below: You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM can be in different Microsoft Entra tenants, regions, and subscriptions. Link: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
Still, though, keep in mind it's different for Azure Disk Encryption: https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault?tabs=azure-portal#create-a-key-vault
No one has pointed out that a Standard tier key vault does not support automatic key rotation; it's only a feature offered with premium tier pricing. Correct answer would be A. KeyVault2 and KeyVault3 only
You are right, sir, the question clearly asks to meet technical requirements... meaning automatic key rotations...
D is the answer. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?tabs=azure-portal You can use a new or existing key vault to store customer-managed keys. The storage account and key vault may be in different regions or subscriptions in the same tenant.
D. KeyVault1, KeyVault2, and KeyVault3
The storage account and the key vault or managed HSM can be in different Azure Active Directory (Azure AD) tenants, regions, and subscriptions.
Ref link: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
On reference link: The storage account and the key vault or managed HSM can be in different Azure Active Directory (Azure AD) tenants, regions, and subscriptions.
D for sure
Answer: D. Explanation: Things have changed. Now KeyVault can be in a different region or sub, but in the same tenant: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?WT.mc_id=Portal-Microsoft_Azure_Storage&tabs=azure-portal On reference link: The storage account and the key vault or managed HSM can be in different Azure Active Directory (Azure AD) tenants, regions, and subscriptions.
You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM can be in different Azure Active Directory (Azure AD) tenants, regions, and subscriptions. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview
You can use all the key vaults in the same tenant, answer is D
Confirmed - https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?WT.mc_id=Portal-Microsoft_Azure_Storage&tabs=azure-portal
Answer is correct. The disk encryption part is the key: To ensure that encryption secrets don't cross regional boundaries, you must create and use a key vault that's in the same region and tenant as the VMs to be encrypted.
It is not regarding VM, it is storage, right?
D. Things have changed. Now KeyVault can be in a different region or sub, but in the same tenant: https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?WT.mc_id=Portal-Microsoft_Azure_Storage&tabs=azure-portal On reference link: The storage account and the key vault or managed HSM can be in different Azure Active Directory (Azure AD) tenants, regions, and subscriptions.
Explanation: No, the Key Vault and the Azure Storage Account do not need to be in the same region when using customer-managed keys for Azure Storage encryption. The storage account and the Key Vault or Managed Hardware Security Module (HSM) can be in different Microsoft Entra tenants, regions, and subscriptions.
B. KeyVault1 only
It's D: keyvault, it's the same geographical area and subscription