Use Key Vault Soft Delete

March 21, 2025

SYNOPSIS

Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.

DESCRIPTION

Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.

By default, new Key Vaults created through the portal have soft delete enabled with a retention period of 90 days. The retention period can be set between 7 and 90 days and is fixed once the vault is created.

Once enabled, soft delete cannot be disabled. Soft delete alone does not prevent permanent loss: a principal with purge permission can still purge soft deleted vaults and vault items before the retention period expires. Enable purge protection as well if purging must be blocked until the retention period has elapsed.

RECOMMENDATION

Consider enabling soft delete on Key Vaults so that deleted vaults and vault items can be recovered within the retention period.

EXAMPLES

Configure with Azure template

To deploy Key Vaults that pass this rule:

  • Set the properties.enableSoftDelete property to true. Optionally set properties.softDeleteRetentionInDays to a value between 7 and 90 (the default is 90).

For example:

{
  "type": "Microsoft.KeyVault/vaults",
  "apiVersion": "2023-07-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "sku": {
      "family": "A",
      "name": "premium"
    },
    "tenantId": "[tenant().tenantId]",
    "softDeleteRetentionInDays": 90,
    "enableSoftDelete": true,
    "enablePurgeProtection": true,
    "enableRbacAuthorization": true,
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices"
    }
  }
}

Configure with Bicep

To deploy Key Vaults that pass this rule:

  • Set the properties.enableSoftDelete property to true. Optionally set properties.softDeleteRetentionInDays to a value between 7 and 90 (the default is 90).

For example:

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    sku: {
      family: 'A'
      name: 'premium'
    }
    tenantId: tenant().tenantId
    softDeleteRetentionInDays: 90
    enableSoftDelete: true
    enablePurgeProtection: true
    enableRbacAuthorization: true
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}
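The following is an added example, not part of this page or of PSRule for Azure, showing how to evaluate the template rule above offline against an ARM template (a Bicep file compiled with az bicep build produces the same JSON). The sample template embedded in the script is constructed for the example; the 7 to 90 day range is the one Azure accepts for softDeleteRetentionInDays. Purge protection is reported separately because it is a related but distinct setting.

```python
import json

# Azure accepts a soft delete retention period of 7 to 90 days.
MIN_RETENTION_DAYS = 7
MAX_RETENTION_DAYS = 90
VAULT_TYPE = "microsoft.keyvault/vaults"

# Constructed sample ARM template: one compliant vault, one with soft delete
# disabled, one with an out-of-range retention period, and one unrelated resource.
SAMPLE_TEMPLATE = """{
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "kv-good",
      "properties": {
        "enableSoftDelete": true,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": true
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "kv-disabled",
      "properties": {"enableSoftDelete": false}
    },
    {
      "type": "Microsoft.KeyVault/vaults",
      "name": "kv-short",
      "properties": {"enableSoftDelete": true, "softDeleteRetentionInDays": 3}
    },
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "stignored",
      "properties": {}
    }
  ]
}"""


def check_vault(resource):
    """Return the list of soft delete findings for one vault (empty list = pass)."""
    props = resource.get("properties", {})
    findings = []

    # This example requires an explicit true so reviewers do not have to know
    # the default behaviour of each API version.
    if props.get("enableSoftDelete") is not True:
        findings.append("enableSoftDelete is not set to true")

    days = props.get("softDeleteRetentionInDays")
    if days is not None:
        if not isinstance(days, int):
            # A template expression such as "[parameters('days')]" cannot be
            # range-checked without resolving parameters first.
            findings.append(f"softDeleteRetentionInDays is not a literal integer: {days!r}")
        elif not MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS:
            findings.append(
                f"softDeleteRetentionInDays={days} is outside "
                f"{MIN_RETENTION_DAYS}..{MAX_RETENTION_DAYS}"
            )
    return findings


def purge_protected(resource):
    """True when purge protection is explicitly enabled on the vault."""
    return resource.get("properties", {}).get("enablePurgeProtection") is True


def evaluate_template(template_json):
    """Map each Key Vault resource name to its soft delete result."""
    template = json.loads(template_json)
    results = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != VAULT_TYPE:
            continue  # other resource types are not in scope for this rule
        findings = check_vault(res)
        results[res["name"]] = {
            "pass": not findings,
            "findings": findings,
            "purge_protection": purge_protected(res),
        }
    return results


if __name__ == "__main__":
    for name, result in evaluate_template(SAMPLE_TEMPLATE).items():
        status = "PASS" if result["pass"] else "FAIL"
        purge = "purge protection on" if result["purge_protection"] else "purge protection off"
        print(f"{name}: {status} ({purge}) {result['findings']}")
```

Run it against a real template by replacing SAMPLE_TEMPLATE with the file contents; vaults whose retention is supplied through a parameter are reported as not evaluable rather than silently passed.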

Configure with Azure CLI

az keyvault update -n '<name>' -g '<resource_group>' --retention-days 90

This sets the soft delete retention period on an existing vault. Soft delete itself cannot be turned off once enabled, so the retention period is the only soft delete setting to adjust here.

Configure with Azure Policy

To address this issue at runtime use the following policies: