Enabling Azure Disk Encryption requires the creation of a dedicated account to be able to access a Key Vault for the backup of disk encryption keys. This occurs through enabling an Application Registration in the desired tenant and providing the associated Service Principal Key Wrap and Secret Set rights to the Key Vault in question.
All virtual machine disks are accessible by WebAPI off their underlying Storage volume (either through Storage Account Access or through Snapshot usage with Managed Disks). In the case of Storage Accounts, a single factor of access exists for retrieval of disk Images from the internet (knowledge of URI and Storage Account key). Different controls may be implemented to reduce the threat of data loss. Core to these controls is the requirement for all data to be encrypted at REST.