Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest.
[Reference:, https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview, , , , , , Basic Concept: This question tests secure database administration, where the control must match the data state, access boundary, identity model, or compliance requirement., Why A is Correct: Transparent Data Encryption (TDE) is correct because it is the feature whose normal purpose matches the stated requirement. Transparent Data Encryption protects database files, backups, and logs at rest; it does not encrypt data in use or enforce user-level data visibility. The scenario wording points to that specific behavior: You need to ensure that the data in the data warehouse is encrypted at rest., Why B is Wrong: Advanced Data Security for this database is a security-related control, but its value depends on whether the requirement is identity, encryption, auditing, network isolation, or data exposure reduction. It is not the right enforcement point for this case; the scenario needs the control that governs the data or identity path being tested., Why C is Wrong: Always Encrypted protects sensitive columns from exposure to the database engine by encrypting and decrypting data at the client side with keys protected outside the database. It does not satisfy the required identity, encryption, firewall, auditing, or data-exposure boundary described in the scenario: You need to ensure that the data in the data warehouse is encrypted at rest., Why D is Wrong: Secure transfer required is a security-related control, but its value depends on whether the requirement is identity, encryption, auditing, network isolation, or data exposure reduction. It protects or manages a different security layer, so the required database access or protection behavior would still be incomplete., ]
