Security roles in Azure Backup
The ability to restrict vault credentials to certain operations would be extremely useful from a security standpoint. Right now, Azure Backup can protect against accidental or non-malicious data loss, but its ability to protect against intended data destruction is limited. If the underlying server Azure Backup is running on is compromised, an attacker can simply delete all of the backups for that system. This makes Azure much less useful as a replacement for traditional physical off-site backups (e.g. tape drives).
Being able to assign "roles" to vault credentials would be one way to solve this. For example, a role might have write-only privileges but no ability to delete existing backups. The process of deleting old backups as per the retention policy could then be performed manually or potentially as a server-side task based on a configuration in the Azure Portal. This feature would give companies such as mine far more confidence in the service.
For an example of such a system I recommend taking a look at Tarsnap's tarsnap-keymgmt command. In addition, the tarsnap-recrypt command allows changing the encryption key associated with one or more existing backups so new restrictions on pre-existing backups can be retrospectively applied. We consider Tarsnap's flexibility in this respect a massive plus over competitors, but its Windows support is extremely minimal.