Client-side encryption is performed outside of Azure; for example, data that is already encrypted when it is received in Azure, or data that is encrypted by a service application or an application that's running in the customer's data center. 

By using client-side encryption, Azure doesn't have access to the encryption keys and cannot decrypt this data. This way, you maintain complete control over the keys.