Answer-first summary for fast verification
Answer: Remove the linked service from Df1.
## Detailed Explanation To encrypt an Azure Data Factory (ADF) resource using a customer-managed key from Azure Key Vault, the **first and mandatory step** is to ensure the data factory is completely empty before enabling customer-managed key encryption. ### Why Option C is Correct: - **Microsoft Documentation Requirement**: According to official Azure Data Factory documentation, a customer-managed key can only be configured on an empty data factory. The factory must not contain any resources such as linked services, pipelines, data flows, or datasets. - **Encryption Process Constraint**: The encryption configuration process requires a clean factory state to properly apply the customer-managed key encryption to all future resources and data. - **First Step Logic**: Since Df1 currently contains a linked service, removing it is the prerequisite action that must be completed before any other configuration steps can proceed. ### Analysis of Other Options: **Option A (Add a private endpoint connection to vault1)**: - While private endpoints enhance security for Key Vault access, this is not the first step. The factory must be empty before encryption configuration can begin. **Option B (Enable Azure role-based access control on vault1)**: - RBAC configuration is important for access control but can be configured at any time. The factory emptiness requirement takes precedence. **Option D (Create a self-hosted integration runtime)**: - Self-hosted integration runtime is unrelated to the encryption process and serves different purposes for hybrid data movement scenarios. ### Recommended Sequence: 1. Remove all resources from Df1 (linked services, pipelines, etc.) 2. Configure customer-managed key encryption using key1 from vault1 3. Recreate necessary resources after encryption is enabled 4. Implement additional security measures like private endpoints or RBAC as needed This approach ensures compliance with Azure Data Factory's encryption requirements and follows Microsoft's recommended implementation sequence.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
You have an Azure Data Factory (V2) resource named Df1 that contains a linked service. An Azure Key Vault named vault1 contains an encryption key named key1. To encrypt Df1 using key1, what is the first step you should take?
A
Add a private endpoint connection to vault1.
B
Enable Azure role-based access control on vault1.
C
Remove the linked service from Df1.
D
Create a self-hosted integration runtime.
No comments yet.