Hi @Daniel Omonemu, I understand you have enabled the built-in Azure Policy "Storage account encryption scopes should use customer-managed keys to encrypt data at rest" with the "Deny" effect. You are asking why storage accounts can still use MMK (Microsoft-Managed Keys).
Storage account encryption scopes need to be created for your storage account. It is different from the key that is scoped to the entire storage account. When you define an encryption scope, you specify a key that may be scoped to a container or an individual blob. When the encryption scope is applied to a blob, the blob is encrypted with that key.
It's possible to have a storage account with MMK as the key for the entire storage account, and then define an encryption scope using CMK (Customer-Managed Key). The policy only enforces CMK for encryption scopes. It does not enforce CMK for the entire storage account.
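To make the distinction concrete, here is an added example (not from the original answer or from Microsoft) that simulates what the built-in policy evaluates versus a separate account-level check. It assumes the ARM property names `properties.encryption.keySource` on storage accounts and `properties.source` on encryption scopes, with `Microsoft.KeyVault` denoting a customer-managed key; the sample resources are constructed.

```python
# Added example, not the original poster's or Microsoft's code.
# Assumption: ARM exposes the account key source as
# properties.encryption.keySource and the encryption-scope key source as
# properties.source; verify against your own tenant's resource JSON.

ENCRYPTION_SCOPE_TYPE = "Microsoft.Storage/storageAccounts/encryptionScopes"
STORAGE_ACCOUNT_TYPE = "Microsoft.Storage/storageAccounts"
CMK_SOURCE = "Microsoft.KeyVault"

# Constructed sample: one account on MMK, one CMK scope, one MMK scope.
SAMPLE_RESOURCES = [
    {"type": STORAGE_ACCOUNT_TYPE, "name": "stprod01",
     "properties": {"encryption": {"keySource": "Microsoft.Storage"}}},
    {"type": ENCRYPTION_SCOPE_TYPE, "name": "stprod01/cmk-scope",
     "properties": {"source": "Microsoft.KeyVault", "state": "Enabled"}},
    {"type": ENCRYPTION_SCOPE_TYPE, "name": "stprod01/default-scope",
     "properties": {"source": "Microsoft.Storage", "state": "Enabled"}},
]


def scope_policy_denies(resource):
    """Mirror the reach of the built-in policy: only encryption scopes are evaluated."""
    if resource["type"] != ENCRYPTION_SCOPE_TYPE:
        return False  # the storage account itself is never in scope of this policy
    return resource["properties"].get("source") != CMK_SOURCE


def account_uses_mmk(resource):
    """Account-level check that the encryption-scope policy does not perform."""
    if resource["type"] != STORAGE_ACCOUNT_TYPE:
        return False
    encryption = resource["properties"].get("encryption", {})
    key_source = encryption.get("keySource", "Microsoft.Storage")
    # ARM writes the account-level value as "Microsoft.Keyvault", so compare case-insensitively.
    return key_source.lower() != CMK_SOURCE.lower()


def evaluate(resources):
    """Return what the scope policy would deny and which accounts are still on MMK."""
    return {
        "denied_by_scope_policy": [r["name"] for r in resources if scope_policy_denies(r)],
        "accounts_still_on_mmk": [r["name"] for r in resources if account_uses_mmk(r)],
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_RESOURCES))
```

The MMK-backed scope is the only resource the policy denies; the account itself, still on MMK, passes unnoticed, so an account-level policy or audit is needed to catch it.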