Sensitive credentials, certificates and keys can be protected with Azure Key Vaults, which controls both the secrets and also access to them. For compliance and governance, monitor and audit the key use.
Instead of hard-coding connection strings inside an app’s code or in a config file, you can manage and control access by using a URI and without writing custom code.
Azure Disk Encryption (ADE) – Full disk encryption of OS and Data disks, using BitLocker (Windows) or DM-Crypt (Linux). It’s noteworthy that although transparent Storage Service Encryption (SSE) encrypts the disk data at rest for Azure managed disks, it happens at the storage (i.e., hardware-level); ADE is not automatically-enabled. You must configure that specific to the virtual machine and within the operating system. The biggest risk of relying on SSE is that if someone downloads the VHD or snapshot for a virtual machine it will not be encrypted.
Azure SQL database Always Encrypted – Once a database column has been protected, access to the data requires an application with the Always Encrypted driver. The request is made from the Key Vault and access granted. There is some clever caching to keep the performance.
Azure App Service – In the Azure portal App Service Certificates page and the Certificate Configuration blade, select the Step 1: Store to import a private key certificate .PFX. Then, Step 2: Verify and finally Step 3: Assign in order to use it. From the App Service page, in Settings>>TLS/SSL settings>>Private Key Certificates (.pfx) tab allows you to Import Key Vault Certificate.