A Microsoft Purview Data Loss Prevention (DLP) policy is the appropriate mechanism to address this requirement. A DLP policy can be configured with a rule to detect specific sensitive information types, such as the built-in "Azure Storage Account Key," within content. By scoping the policy to the Exchange email location, it will monitor outgoing emails. A key action available for rules in an Exchange-scoped DLP policy is to automatically encrypt the email message using Microsoft Purview Message Encryption. Therefore, creating and correctly configuring such a policy directly meets the stated goal.

B. No: This option is incorrect. The proposed solution uses the exact Microsoft Purview feature designed for this purpose. A DLP policy is capable of identifying sensitive content in emails and applying protective actions, including encryption, making it a valid solution.

1. Microsoft Learn | Learn about data loss prevention: "Data loss prevention (DLP) is a system that you can configure to... take protective actions... For example

if a user tries to send an email that contains a sensitive information type... your DLP policy can... encrypt the email." This document confirms that DLP policies are the correct tool for this task.

URL: https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp

2. Microsoft Learn | Data loss prevention policy actions: This document details the actions available in a DLP policy. For the Exchange location

it lists "Encrypt the email message" as a primary action under "Restrict access or encrypt the content in Microsoft 365 locations."

URL: https://learn.microsoft.com/en-us/purview/dlp-policy-actions#restrict-access-or-encrypt-the-content-in-microsoft-365-locations

3. Microsoft Learn | Azure Storage Account Key (deprecated) entity definition: This page confirms that "Azure Storage Account Key" is a recognized sensitive information type (SIT) that a DLP policy can detect.

URL: https://learn.microsoft.com/en-us/purview/sit-entity-azure-storage-account-key-deprecated