In {AzureSqlDbServer} BYOK is missing. TDE with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties.
  • Recommended Mitigation

    under 'Transparent data encryption', set customer-managed key and assign a key. check 'Make selected key the default TDE protector'