Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled


Enabling soft deletion ensures that even if the key vault is deleted, the key vault and its objects remain recoverable for next 90 days. In this span of 90 days, the key vault and its objects can be recovered or purged (permanent deletion). Enabling purge protection ensures that the key vault and its objects cannot be purged during the 90 day retention period.

Portal Remediation Steps

  • Navigate to Key Vaults and select the desired key vault.

  • Select Properties.

  • Under Soft-delete, select “Enable recovery of this vault and its objects.”

  • Under Purge protection, select “Enable purge protection of this vault and its objects during retention period.”

  • Select Save.

CLI Remediation Steps

  • To enable “Do Not Purge” and “Soft Delete” for a Key Vault:

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true