You need to back up data in an Azure storage account. You want to protect against accidental deletion and ransomware. Which feature should you enable?

  1. Soft delete for blobs
  2. Immutable storage with legal hold ✓
  3. Azure Backup
  4. Read-access geo-redundant storage (RA-GRS)

Correct answer: Immutable storage with legal hold

Option B, immutable storage with legal hold, is the correct choice because it enforces a write-once-read-many (WORM) policy that prevents any principal, including storage account owners and administrators, from modifying or deleting blobs for the duration of the hold, which is the definitive protection against both accidental deletion and ransomware that encrypts and re-uploads data.

Option A, soft delete for blobs, only retains deleted blobs for a configurable retention period and can still be purged by a sufficiently privileged principal or ransomware that understands the Azure API, so it does not provide true immutability.

Option C, Azure Backup, creates recoverable copies but does not prevent the original data from being overwritten or deleted at the storage account layer by an attacker with storage access.

Option D, RA-GRS, replicates data to a secondary region for read access and disaster recovery but does not protect against logical deletion or ransomware, which would replicate to the secondary region as well.

Topic: azure blob storage, immutable storage, ransomware protection, worm policy

Practice Microsoft Azure Administrator (AZ-104) Questions Free