I assume you’re referring to the Customer Key Management with Azure Key Vault in Atlas. However, I want to note that from a baseline perspective Atlas always uses storage-level encryption underneath the data files. What we’re talking about here is encryption of the files themselves as they’re written to the backing filesystem.
Re (1): For each node in your cluster, a node-level master key will be created via envelope encryption, derived from your Azure Key Vault key; then a database-level key will be created, derived from that node-level key, for each database in that replica. This all happens transparently to you and allows you to do online key rotation without having to re-write your data.
Re (2): No, it’s automatically encrypted at this point, and the MongoDB process decrypts it before returning data to a client.
Re (3): If you want to separately add another layer of encryption on top, you may want to explore MongoDB’s Client-Side Field Level Encryption for the subset of your schema that has the highest data classification level, where you’re willing to trade off some queryability for the fact that the data is never decrypted outside your systems: in this model you can do point queries but not range queries. The MongoDB drivers can be configured to automatically decrypt. You do not need to do this if you’re just trying to control the cluster-level key, e.g. in (1) above.
Re (4): If you’ve enabled MongoDB’s Encrypted Storage Engine with Customer Key Management on this cluster, then you’re good to go (that would automatically be set if you had configured your Azure Key Vault).
Re (5): Correct, you get that automatically in Atlas as long as you’re using your own key management (whether Azure Key Vault, AWS KMS, or GCP KMS).
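The two mechanisms described in the answer above, the envelope-encrypted key hierarchy behind online key rotation in (1) and the point-query-only trade-off of deterministic client-side field encryption in (3), as an added Go example that is not part of the original thread and not MongoDB or Atlas code. It assumes a local 32-byte key standing in for the Azure Key Vault key (a real KMS would never release that key, only wrap and unwrap under it), AES-256-GCM for every layer, and a hypothetical `DeterministicSeal` that derives the nonce from the plaintext; that construction is illustrative of the equality-preserving property only and is not MongoDB's actual CSFLE algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must panics on err; with fixed 32-byte keys, key generation and cipher setup cannot fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newKey returns a fresh random 256-bit AES key.
func newKey() []byte {
	k := make([]byte, 32)
	must(rand.Read(k))
	return k
}

// seal encrypts plaintext with AES-256-GCM and prepends the nonce. nonce == nil
// draws a random nonce (randomized encryption); a caller-supplied 12-byte nonce
// makes the output deterministic for the same key and plaintext.
func seal(key, nonce, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if nonce == nil {
		nonce = make([]byte, g.NonceSize())
		must(rand.Read(nonce))
	}
	return g.Seal(append([]byte{}, nonce...), nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key, a tampered blob, or a missing blob.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// Node models one replica-set member: the master key is stored only wrapped under the
// customer's KMS key, each database key only wrapped under the node master key.
type Node struct {
	WrappedMasterKey []byte
	WrappedDBKeys    map[string][]byte
}

// NewNode builds the hierarchy KMS key -> node master key -> database keys.
func NewNode(kmsKey []byte, dbs ...string) *Node {
	master := newKey()
	n := &Node{WrappedMasterKey: seal(kmsKey, nil, master), WrappedDBKeys: map[string][]byte{}}
	for _, db := range dbs {
		n.WrappedDBKeys[db] = seal(master, nil, newKey())
	}
	return n
}

// DataKey unwraps the chain for one database. seal(DataKey(...), nil, record)
// is what lands in the data file; open with the same key is what the server
// does before returning the record to a client. Unknown db names fail in open.
func (n *Node) DataKey(kmsKey []byte, db string) ([]byte, error) {
	master, err := open(kmsKey, n.WrappedMasterKey)
	if err != nil {
		return nil, err
	}
	return open(master, n.WrappedDBKeys[db])
}

// RotateKMSKey re-wraps only the node master key under the new KMS key.
// Database keys and data ciphertext are untouched, so rotation is online
// and needs no data rewrite.
func (n *Node) RotateKMSKey(oldKMS, newKMS []byte) error {
	master, err := open(oldKMS, n.WrappedMasterKey)
	if err != nil {
		return err
	}
	n.WrappedMasterKey = seal(newKMS, nil, master)
	return nil
}

// DeterministicSeal is an illustrative stand-in for the deterministic mode of
// client-side field level encryption (not MongoDB's actual construction): the
// nonce is derived from the plaintext, so equal values give equal ciphertexts
// and a point query is a byte comparison the server can run without the key.
// Equality leaks by design; that is the queryability trade-off.
func DeterministicSeal(key, value []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(value)
	return seal(key, mac.Sum(nil)[:12], value)
}
```

After `RotateKMSKey`, the old KMS key can no longer unwrap anything on the node while every record encrypted before the rotation still decrypts under the unchanged database key. The deterministic mode makes equality matches possible on ciphertext alone, which is also exactly why it cannot support range queries: nothing about the ordering of the plaintext survives encryption, only equality.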