Skip to content

Use Key Vault Soft Delete#

Reliability · Key Vault · Azure.KeyVault.SoftDelete

Enable Soft Delete on Key Vaults to protect vaults and vault items from accidental deletion.

Description#

Soft Delete is a feature of Key Vault that retains Key Vaults and Key Vault items after initial deletion. A soft deleted vault or vault item can be restored within the configured retention period.

By default, new Key Vaults created through the portal will have soft delete for 90 days configured.

Once enabled, soft delete can not be disabled. When soft delete is enabled, it is possible to purge soft deleted vaults and vault items.

Recommendation#

Consider enabling soft delete on Key Vaults to enable recovery of vaults and vault items.

Examples#

Configure with Azure template#

To deploy Key Vaults that pass this rule:

  • Set the properties.enableSoftDelete property to true.

For example:

{
    "comments": "Create or update a Key Vault.",
    "type": "Microsoft.KeyVault/vaults",
    "name": "vault-001",
    "apiVersion": "2019-09-01",
    "location": "eastus",
    "properties": {
        "accessPolicies": [],
        "tenantId": "[subscription().tenantId]",
        "sku": {
            "name": "Standard",
            "family": "A"
        },
        "enableSoftDelete": true,
        "enablePurgeProtection": true
    }
}

Last update: 2021-09-24