Use Key Vault Soft Delete
March 21, 2025
SYNOPSIS
Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.
DESCRIPTION
Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.
By default, new Key Vaults created through the portal will have soft delete for 90 days configured.
Once enabled, soft delete cannot be disabled. When soft delete is enabled, it is still possible to purge soft deleted vaults and vault items.
RECOMMENDATION
Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.
EXAMPLES
Configure with Azure template
To deploy Key Vaults that pass this rule:
- Set the properties.enableSoftDelete property to true.
For example:
{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}
Configure with Bicep
To deploy Key Vaults that pass this rule:
- Set the properties.enableSoftDelete property to true.
For example:
resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
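The template and Bicep examples above both come down to the same check on the compiled resource: properties.enableSoftDelete must be present and true. The following Python checker is an added example, not PSRule's own implementation; it evaluates that condition over the Key Vault resources in an ARM template, and additionally flags a retention value outside the 7 to 90 day range Azure accepts and a missing enablePurgeProtection, since the page notes that soft deleted items can still be purged. The sample template is constructed for the example.

```python
"""Check Key Vault resources in an ARM template for soft delete (added example)."""
import json

# Azure-documented bounds for softDeleteRetentionInDays (not stated on this page).
RETENTION_MIN, RETENTION_MAX = 7, 90


def check_vault(resource: dict) -> list[str]:
    """Return findings for one Microsoft.KeyVault/vaults resource; empty means pass."""
    findings = []
    props = resource.get("properties", {})
    # The rule wants an explicit boolean true; a missing or string value fails,
    # because the deployment would then be relying on the service default.
    if props.get("enableSoftDelete") is not True:
        findings.append("enableSoftDelete is not set to true")
    retention = props.get("softDeleteRetentionInDays")
    if retention is not None and not (RETENTION_MIN <= retention <= RETENTION_MAX):
        findings.append(
            f"softDeleteRetentionInDays={retention} is outside {RETENTION_MIN}-{RETENTION_MAX}"
        )
    # Soft delete alone still allows a purge; purge protection closes that gap.
    if props.get("enablePurgeProtection") is not True:
        findings.append("enablePurgeProtection is not true; soft deleted items can be purged")
    return findings


def check_template(template: dict) -> dict[str, list[str]]:
    """Evaluate every Key Vault in a template; returns {resource name: findings}."""
    results = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.keyvault/vaults":
            continue
        results[res.get("name", "<unnamed>")] = check_vault(res)
    return results


# Constructed sample: one compliant vault and one that relies on defaults.
SAMPLE_TEMPLATE = json.loads("""
{ "resources": [
  { "type": "Microsoft.KeyVault/vaults", "name": "kv-good",
    "properties": { "enableSoftDelete": true, "softDeleteRetentionInDays": 90,
                    "enablePurgeProtection": true } },
  { "type": "Microsoft.KeyVault/vaults", "name": "kv-bad",
    "properties": { "softDeleteRetentionInDays": 3 } }
] }
""")

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```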
Configure with Azure CLI
az keyvault update -n '<name>' -g '<resource_group>' --retention-days 90
Configure with Azure Policy
To address this issue at runtime, use the following policies:
- Key vaults should have soft delete enabled
/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d.