Which service in Azure should you use for different types of data protection?

Database encryption - SQL TDE and Always Encrypt, built into the SQL Server Engine 

File encryption - Azure Storage Service - SSE - For Server Side Encryption
Can also do client side encryption using .NET SDK libraries (Azure Storage Client Libraries), which generates a CEK (content encryption key) which is stored in Azure Key Vault.
Object encryption     - Azure Storage Service - SSE
Can also do client side encryption using .NET SDK libraries (Azure Storage Client Libraries), which generates a CEK (content encryption key) which is stored in Azure Key Vault.
Volume Encryption - Azure Disk Encryption - OS Specific (BitLocker on Windows, dm-crypt on Linux)  

Certificate and Key Lifecycle management - Azure Key Vault - Integrates with most Azure services like Application Gateway.

Actual Data Field Level / attribute encryption ?
Available in SQL Server.
Column Masking - Simple Masking versus Dynamic Data Masking
Available in SQL Server
Summary
This post was just meant to provide a quick overview of the different encryption and masking capabilities available in Azure. It is a work in progress.