Microsoft Azure Security Engineer Associate AZ-500 Practice Question
You manage a Recovery Services vault that backs up several Azure virtual machines. New financial-services regulations require that recovery points remain unalterable and undeletable for at least 60 days, even by subscription owners or backup administrators, while still permitting restore operations during that period. Soft delete is already enabled on the vault. Which Azure Backup feature should you enable and configure to satisfy the compliance requirement?
Turn on multi-user authorization (MUA) for the Delete backup data operation.
Enable purge protection on the Azure Key Vault that stores the vault's encryption key.
Extend the soft delete retention period of the vault from 14 to 60 days.
Enable immutable vault locking in the Recovery Services vault and set the immutability period to 60 days.
Immutable vault locking makes every new recovery point "write-once, read-many" for the configured immutability period. While the vault is in an Unlocked state you can increase (but not decrease) the immutability duration; after it is Locked even subscription owners cannot disable soft delete, shorten retention, or delete backup data until the period elapses. Restores remain possible throughout. Soft delete alone merely keeps deleted data for the retention period but still allows administrators to initiate deletion, so it does not meet the strict immutability requirement. Multi-user authorization adds an extra approval step but ultimately still lets recovery points be removed, and Key Vault purge protection is unrelated to Azure Backup.