What service can be used to encrypt sensitive data at rest in Azure?

Azure Key Vault is specifically designed to securely store and manage sensitive information, such as encryption keys, secrets, and certificates. While it doesn't directly encrypt data at rest, it provides the keys and secrets necessary to perform encryption for sensitive data stored in other Azure services. By leveraging Azure Key Vault, you can ensure that sensitive data is encrypted using strong keys and that those keys are managed in a secure manner.

The other options do not serve the primary function of encrypting sensitive data at rest in Azure. Azure Blob Storage can store encrypted data but relies on key management through services like Azure Key Vault or Automatic Encryption for Blob Storage. Azure Monitor and Azure Application Insights are primarily focused on monitoring and logging applications and services, rather than providing encryption capabilities for sensitive data.