Key Vault ‘Enable Soft Delete’ and ‘Enable Purge Protection’ should be enabled


Enabling soft deletion ensures that even if the key vault is deleted, the key vault and its objects remain recoverable for next 90 days. In this span of 90 days, the key vault and its objects can be recovered or purged (permanent deletion). Enabling purge protection ensures that the key vault and its objects cannot be purged during the 90 day retention period.

Remediation Steps

Azure Portal

  • Navigate to Key Vaults and select the desired key vault.

  • Select Properties.

  • Under Soft-delete, select “Enable recovery of this vault and its objects.”

  • Under Purge protection, select “Enable purge protection of this vault and its objects during retention period.”

  • Select Save.

Azure CLI

  • To enable “Do Not Purge” and “Soft Delete” for a Key Vault:

az resource update --id /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<resourceGroupName>/providers/Microsoft.KeyVault/vaults/<keyVaultName> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true


  • Ensure that an azurerm_key_vault contains the following:

    • purge_protection_enabled = true

    • soft_delete_enabled = true

Example Configuration

resource "azurerm_key_vault" "example" {
  purge_protection_enabled = true
  soft_delete_enabled = true
  # other required fields here