Use Key Vault Purge Protection
March 21, 2025
SYNOPSIS
Enable Purge Protection on Key Vaults to prevent early purge of vaults and vault items.
DESCRIPTION
Purge Protection is a feature of Key Vault that prevents purging of vaults and vault items. When soft delete is configured without purge protection, deleted vaults and vault items can be purged. Purging deletes the vault and/or vault items immediately, and is irreversible.
When purge protection is enabled, vaults and vault items can no longer be purged. Deleted vaults and vault items remain recoverable until the configured retention period expires. By default, the retention period is 90 days.
Purge protection is not enabled by default.
RECOMMENDATION
Consider enabling purge protection on Key Vaults to enforce retention of vaults and vault items for up to 90 days.
EXAMPLES
Configure with Azure template
To deploy Key Vaults that pass this rule:
- Set the properties.enablePurgeProtection property to true.
For example:
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
Configure with Bicep
To deploy Key Vaults that pass this rule:
- Set the properties.enablePurgeProtection property to true.
For example:
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
Configure with Azure CLI
az keyvault update -n '<name>' -g '<resource_group>' --enable-purge-protection
Configure with Azure PowerShell
Update-AzKeyVault -ResourceGroupName '<resource_group>' -Name '<name>' -EnablePurgeProtection
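As an added example (not PSRule's own rule code or any Azure SDK), the following Python check applies this rule's condition to the "resources" array of an ARM template such as the one above; it assumes the vault objects printed by az keyvault list -o json use the same type and properties keys, so the same function can audit deployed vaults. The sample template is constructed for this example, and the finding for a template expression reflects that once purge protection is enabled on a vault it cannot be turned off again, so a pass-through parameter deserves a look rather than a silent pass.

```python
import json

# Constructed sample ARM template: a vault shaped like the one on this page, a
# vault that only relies on soft delete, a vault whose setting comes from a
# parameter, and an unrelated resource the check must ignore.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-good",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 90,
                  "enablePurgeProtection": true}},
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-soft-delete-only",
   "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 7}},
  {"type": "Microsoft.KeyVault/vaults", "name": "kv-param",
   "properties": {"enablePurgeProtection": "[parameters('purge')]"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "stg"}
]}
""")

def check_vaults(resources):
    """Return {vault name: [findings]} for every Key Vault in `resources`, the
    "resources" array of an ARM template or (assumed) the vault objects printed
    by `az keyvault list -o json`, which use the same property names. An empty
    findings list means the vault passes this rule."""
    findings = {}
    for res in resources:
        if str(res.get("type", "")).lower() != "microsoft.keyvault/vaults":
            continue
        props = res.get("properties") or {}
        reasons = []
        purge = props.get("enablePurgeProtection")
        if isinstance(purge, str) and purge.startswith("["):
            # Template expression: not evaluable statically, so report it
            # instead of silently passing the vault.
            reasons.append(f"enablePurgeProtection is an expression: {purge}")
        elif purge is not True:
            reasons.append("enablePurgeProtection is not true")
        # Soft delete is on by default for current vaults, so only an explicit
        # false is a finding (purge protection depends on soft delete).
        if props.get("enableSoftDelete") is False:
            reasons.append("enableSoftDelete is explicitly false")
        days = props.get("softDeleteRetentionInDays")
        if isinstance(days, int) and not 7 <= days <= 90:
            reasons.append(f"softDeleteRetentionInDays {days} is outside 7-90")
        findings[res.get("name", "<unnamed>")] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in check_vaults(SAMPLE_TEMPLATE["resources"]).items():
        print(name, "PASS" if not reasons else "FAIL: " + "; ".join(reasons))
```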
Configure with Azure Policy
To address this issue at runtime, use the following policies:
- Key vaults should have deletion protection enabled: /providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53