The system and organization controls (SOC) team uses a discrete Azure SOC subscription. The team has exclusive access to that subscription, which contains the resources that must be kept protected, inviolable, and monitored.
The Azure Storage account in the SOC subscription hosts copies of disk snapshots in immutable blob storage, and a dedicated key vault keeps the snapshots' hash values and copies of the VMs' BitLocker encryption keys (BEKs). The scenario works for production VMs with unencrypted disks.
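Keeping the hash values in a key vault, apart from the snapshot copies, is what lets an examiner detect a copy that no longer matches what was captured. The following added example (not part of the original page) sketches that check offline: in-memory byte strings stand in for the blob copies, a dictionary stands in for the key vault entries, and SHA-256 and all names are assumptions, since the page does not name the hash algorithm.

```python
import hashlib
import hmac
import io

CHUNK = 4 * 1024 * 1024  # read evidence in 4 MiB pieces; disk snapshots are large


def sha256_stream(stream):
    """Hash a file-like object without loading it into memory."""
    digest = hashlib.sha256()  # assumption: the page does not name the algorithm
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_custody(evidence, recorded_hashes):
    """Compare each snapshot copy against the hash recorded separately.

    evidence: name -> file-like object (stands in for the immutable blob copy)
    recorded_hashes: name -> hex digest (stands in for the key vault entry)
    Returns name -> "match" | "mismatch" | "no-recorded-hash" | "missing-copy".
    """
    report = {}
    for name in sorted(set(evidence) | set(recorded_hashes)):
        if name not in evidence:
            report[name] = "missing-copy"
        elif name not in recorded_hashes:
            report[name] = "no-recorded-hash"
        else:
            actual = sha256_stream(evidence[name])
            expected = recorded_hashes[name].strip().lower()
            ok = hmac.compare_digest(actual, expected)
            report[name] = "match" if ok else "mismatch"
    return report


def demo():
    # Constructed sample data: tiny byte strings in place of real snapshots.
    original = b"constructed-os-disk-snapshot"
    recorded = {
        "vm01-osdisk": hashlib.sha256(original).hexdigest().upper(),
        "vm01-datadisk": hashlib.sha256(b"constructed-data-disk").hexdigest(),
        "vm02-osdisk": hashlib.sha256(b"never-copied").hexdigest(),
    }
    evidence = {
        "vm01-osdisk": io.BytesIO(original),
        "vm01-datadisk": io.BytesIO(b"constructed-data-disk-modified"),
        "vm03-osdisk": io.BytesIO(b"copy-without-a-recorded-hash"),
    }
    return verify_custody(evidence, recorded)
```

A copy with no recorded hash, or a recorded hash with no copy, is reported separately from a mismatch because each points to a different gap in the custody record.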