Segregation of Duties / Restrict ability to DELETE Backup Vault
In our main Azure instance we are backing up our on-prem VMs and our cloud VMs. The concern is the Domain Admins have the ability to delete ALL our VMs, both on-prem and in the cloud, and then proceed to delete the Azure Vault. We would like the ability to granularly control permissions so that a user does not have the capability to delete a Backup Vault. This doesn't appear to be a level of control we can find within Azure without moving to a new Azure instance, which adds other complications.
Stefan Cuypers commented
We're looking at Azure Backup to replace our current tape backup system and the lack of this is a show stopper. The monthly tapes are now handed over to another department so no single person can erase data on the live systems and destroy the tapes.
AWS Glacier has a similar option where data can be locked such that no one can delete it before it expires. That's particularly useful to protect against the unfortunate scenario where data is maliciously deleted. With such a "vault lock", a hacker or disgruntled employee with full access to the Azure account could not delete the data that runs the business.
There are historical occurrences of such a disaster where a company was forced to shut down because they didn't pay extortion fees to hackers: http://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html . A "vault lock" would prevent such a scenario.