Azure-docs: Exporting LTR backups

Created on 5 Apr 2018 · 15 Comments · Source: MicrosoftDocs/azure-docs

Is there any possibility to export LTR backups?
Or is there any possibility to prevent backups from being explicitly deleted?
I am thinking about the case when an administrator account has been compromised.




All 15 comments

@azkamil Thanks for the feedback. We are actively investigating and will get back to you soon.

@azkamil There is no way that I can see, nor find documented, that allows you to export an LTR backup file. You can delete an existing LTR backup file. You may, however, export a specific database instance. There is an export functionality when viewing an Azure SQL Database instance in the Azure Portal. The export functionality creates a backup file in a designated storage account (with accessibility options), where the .bacpac file can be downloaded.
Please let me know if you require additional information.
Regards,
Mike

Can you confirm that this page is correct? Not only do some of the commands not work (currently using AzureRM module v5.6) - e.g. Get-AzureRmSqlDatabaseLongTermRetentionBackup is not a valid cmdlet and Get-AzureRmSqlDatabaseBackupLongTermRetentionPolicy ... -Current parameter cannot be found - but it also appears to be published approx 4 days in the future (4/10/2018).

@bladeski @azkamil Yes, there is a delay in the rollout. The April 10, 2018 date of the document publication indicates the date the document becomes live. So, next Tuesday is the 10th of April, and you should not be having these issues. Please let me know if you have any questions or need more information.
Regards,
Mike

@Mike We cannot use Export as a service (PowerShell), since it needs lax firewall settings.
We export with the DAC library in a dedicated VM, which needs to be maintained by us.
So some protection against compromised accounts in LTR is desirable.

@azkamil Thanks for providing additional feedback. I am going to forward on to the content owner for review as a means for product enhancement or documentation feedback (limitations).

LTR backup files cannot be downloaded, if that is what you mean by exporting. They are created using an internal storage subscription and cannot be accessed from outside. Regarding deleting backups, can you describe the scenario you want to mitigate? Only the owner of the SQL database can explicitly delete the backup.

What we need is an assurance that no single account can delete all backups of a database. This account might be hacked or something similar.
Azure Backup has a nice feature where it postpones deletion of backups (14 days) and alerts the users.
https://azure.microsoft.com/en-us/updates/azure-backup-security-feature/

We provide a method for the user to delete some or all LTR backups if they are deemed unnecessary. However, we also maintain at least 7 days of backups for point-in-time recovery. The user can increase the retention for the PITR backups to a maximum of 35 days. These backups cannot be deleted by the user.

@azkamil does this response from Sasha sufficiently answer your question?

Thanks for the replies! Unfortunately this does not solve our problem.
Consider the following scenario:

The malicious attacker corrupts some old data, which might go unnoticed since it is not accessed on a daily basis.
After waiting 35 days, the attacker deletes all LTR backups of the corrupted data.
Then we don't have any valid data and all backups are gone, including PITR, since it restores to an already corrupt state. This is why I think supervised/notified deletion of LTR backups is very important.

@azkamil If you would like to file a product feature request and track it / get your peers to vote on it, go to https://feedback.azure.com/forums/908035-sql-server
Thanks,
carl

@anosov1960 please see the most recent replies on this thread

For this case, I recommend using Azure Monitor. It already has an activity log which contains information on who made the request. Customers could set up an activity alert as described in the following doc.
https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-create-activity-log-alerts-with-resource-manager-template?toc=/azure/azure-monitor/toc.json. For example, you can set up an LTR backups delete notification. This can be done via the Portal or PowerShell.
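As an added illustration of the detection idea above (example code written for this thread, not from Microsoft or the docs), the script below scans an exported batch of Activity Log records, keeps only the LTR backup deletions that actually succeeded, and flags any single caller that removed several backups. The operation name, the simplified record shape and the sample records are assumptions constructed for the example; check the real operationName values in your own subscription's log before relying on it.

```python
import json
from collections import Counter

# Assumed operation name for an LTR backup delete request; confirm it against
# the operationName values that actually appear in your activity log.
LTR_DELETE_OP = ("Microsoft.Sql/locations/longTermRetentionServers/"
                 "longTermRetentionDatabases/longTermRetentionBackups/delete")

# Constructed sample export of Activity Log records (simplified fields).
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"eventTimestamp": "2018-04-05T09:12:00Z", "caller": "admin@contoso.example",
     "operationName": {"value": LTR_DELETE_OP}, "status": {"value": "Succeeded"},
     "resourceId": ".../longTermRetentionDatabases/db1/longTermRetentionBackups/backup-1"},
    {"eventTimestamp": "2018-04-05T09:12:30Z", "caller": "admin@contoso.example",
     "operationName": {"value": LTR_DELETE_OP}, "status": {"value": "Succeeded"},
     "resourceId": ".../longTermRetentionDatabases/db1/longTermRetentionBackups/backup-2"},
    {"eventTimestamp": "2018-04-05T09:13:00Z", "caller": "admin@contoso.example",
     "operationName": {"value": LTR_DELETE_OP}, "status": {"value": "Failed"},
     "resourceId": ".../longTermRetentionDatabases/db1/longTermRetentionBackups/backup-3"},
    {"eventTimestamp": "2018-04-05T10:00:00Z", "caller": "dba@contoso.example",
     "operationName": {"value": "Microsoft.Sql/servers/databases/read"},
     "status": {"value": "Succeeded"}, "resourceId": ".../servers/srv1/databases/db1"},
])


def ltr_deletions(raw_json):
    """Return successful LTR backup deletions as (timestamp, caller, resourceId),
    oldest first. Failed and unrelated operations are ignored, so only real
    loss of a backup is reported."""
    events = []
    for rec in json.loads(raw_json):
        op = rec.get("operationName", {}).get("value", "")
        ok = rec.get("status", {}).get("value") == "Succeeded"
        if op.lower() == LTR_DELETE_OP.lower() and ok:
            events.append((rec["eventTimestamp"], rec["caller"], rec["resourceId"]))
    return sorted(events)


def bulk_deleters(events, threshold=2):
    """Callers who deleted at least `threshold` backups: the single-account
    mass-deletion pattern the thread is worried about."""
    counts = Counter(caller for _, caller, _ in events)
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = ltr_deletions(SAMPLE_ACTIVITY_LOG)
    for ts, caller, res in found:
        print(f"ALERT {ts} {caller} deleted {res}")
    print("bulk deleters:", bulk_deleters(found))
```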

please-close
