A financial institution is designing a defense-in-depth strategy against ransomware.

They use Azure Backup for their critical servers. An attacker who gains Global Administrator privileges must not be able to permanently delete backup data immediately.

Which two features should you ensure are enabled on the Recovery Services vault?

To protect against ransomware and compromised administrator accounts, Azure Backup provides Soft Delete (which retains deleted backup data for 14 days) and Multi-user authorization (MUA). MUA uses an Azure Resource Guard to ensure that critical operations (like disabling soft delete or reducing retention policies) require authorization from a separate security administrator, preventing a single compromised Global Admin from destroying the backups.