Common Pitfalls to Avoid

• AIP vs Key Vault vs Policy

  • AIP = classifies & labels documents/emails.

  • Key Vault = stores secrets/keys/certificates.

  • Policy = enforces rules on resources.

  • Exam trap: “Encrypt and classify sensitive documents” → AIP, not Key Vault.

• Encryption Confusion

  • Storage = SSE (default), CMK via Key Vault for control.

  • SQL DB = Transparent Data Encryption (TDE).

  • VM Disks = Azure Disk Encryption (BitLocker/DM-Crypt).

  • Transit = TLS/SSL or VPN.

  • Exam trap: “Azure Storage is unencrypted by default.” → False, it’s encrypted automatically.

• Tags vs Locks vs Management Groups

  • Tags = labels for cost/organization.

  • Locks = prevent delete/modify (override RBAC).

  • Management Groups = apply policies across subscriptions.

  • Exam trap: “Tags prevent deletion of resources.” (False — Locks do).

• Retention vs Backup vs ASR

  • Retention = lifecycle rules (how long data stays).

  • Backup = point-in-time restore.

  • ASR = failover to another region.

  • Exam trap: “Keep VM backups for 30 days” = Retention Policy in Recovery Services Vault.

Quick Recall Hacks

• “Classify and label sensitive docs” → AIP

• “Encrypt SQL at rest” → TDE

• “Encrypt VM disks” → Azure Disk Encryption

• “Customer-managed keys” → Key Vault

• “Prevent accidental deletion” → Locks

• “Apply rules across subscriptions” → Management Groups

• “Cost tracking by department” → Tags

• “Retain backups for compliance” → Retention Policy

What to Expect in the Exam

• 1–2 direct questions on encryption methods (TDE, ADE, SSE).

• 1–2 scenario questions on tags, locks, management groups.

• A confusion trap around AIP vs Key Vault vs Policy.

• A compliance/retention question (backup lifecycle).

Final Exam Strategy

1. If the scenario is about data in files/emails → think AIP.

2. If it’s about data in storage/SQL/disks → think Encryption at Rest.

3. If it’s about governing resources → think Policy/Locks/Tags/Mgmt Groups.

4. If it’s about data lifecycle → think Retention Policies.

5. Always check for keywords like “classify,” “encrypt,” “prevent deletion,” or “across all subscriptions.”