Encryption keys in Azure can be controlled by the platform or the customer.

Encryption keys, known as platform-managed keys (PMKs), are created, kept, and controlled exclusively by Azure. PMKs are not used in customer interactions. For instance, PMKs are the default type of keys used for Azure Data Encryption-at-Rest.