Compliance Misconception — Azure Solutions Architect (AZ-305)
You assumed a compliance or governance model that doesn't match the service's actual capabilities.
Data Residency and BYOK as Specific Compliance Boundaries
A Log Analytics workspace with encryption at rest, RBAC, and diagnostic logging enabled looks compliant until the scenario specifies that logs must remain in a particular region. Deploying that workspace in the wrong region violates data residency regardless of encryption state. Similarly, a Microsoft-managed key does not satisfy a customer-managed key mandate even if the data is encrypted. Compliance requirements name specific controls with specific enforcement boundaries. Match each stated requirement to its corresponding Azure control before evaluating whether a proposed architecture satisfies the scope. General compliance posture is not a substitute for meeting named controls.
The Scenario
A European company needs GDPR compliance for customer data stored in Azure. You recommend deploying in the West Europe region and enabling encryption at rest with platform-managed keys. Region placement and encryption are necessary but nowhere near sufficient. GDPR requires: data residency controls (regions are a start), right to deletion (you must implement data purge APIs), consent management (application-level, not infrastructure-level), data processing records (Azure Activity Log and custom audit trails), and a Data Protection Officer. The exam tests whether you know that GDPR is a legal and procedural framework, not just a technical checklist.
How to Spot It
- Azure Compliance Manager shows your compliance score and gives recommendations, but a high score does not equal compliance. Compliance is a shared responsibility — Microsoft certifies infrastructure controls; you implement data handling, consent, and access controls.
- GDPR right to erasure means you must be able to find and delete all data for a specific individual across all storage systems — Cosmos DB, SQL Database, Blob Storage, Application Insights, Log Analytics. If your architecture spreads personal data across multiple stores, you need a data map and deletion pipeline. The exam tests this.
- Azure Policy can enforce data residency (restrict resource deployment to specific regions) and Azure Purview can classify sensitive data. But neither implements consent management or data subject access requests — those are application-level responsibilities the exam expects you to identify.
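As an added illustration (not taken from the original page), here is a custom Azure Policy definition that denies deployment of resources outside the EU regions named in the scenario. Its structure mirrors the built-in "Allowed locations" policy; the display name and the default region list are assumed values.

```json
{
  "properties": {
    "displayName": "Deny resources outside EU residency regions (example)",
    "mode": "Indexed",
    "parameters": {
      "listOfAllowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "Regions in which customer data may be stored.",
          "strongType": "location"
        },
        "defaultValue": [ "westeurope", "northeurope" ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "notIn": "[parameters('listOfAllowedLocations')]"
          },
          {
            "field": "location",
            "notEquals": "global"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Note the `"notEquals": "global"` clause: resources whose location is `global`, such as Azure Front Door, are not blocked, so this policy alone does not settle whether an edge WAF keeps inspection inside the regional boundary. That check still has to be made in design review against the specific residency requirement.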
Decision Rules
When a regional data-residency constraint applies to inbound OWASP Top 10 inspection, decide whether the requirement is met by a globally distributed edge WAF (Azure Front Door with a WAF policy) or by a regionally colocated L7 WAF (Azure Application Gateway WAF_v2): both satisfy the L7 inspection requirement, but only the regional gateway keeps inspection inside the geographic boundary.