Microsoft AzureOverview
The Key Vault contains object keys, secrets, and certificates. Accidental unavailability of a Key Vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the Key Vault objects.
It is recommended that the Key Vault be made recoverable by enabling the "Do Not Purge" and "Soft Delete" functions. This prevents the loss of encrypted data, including storage accounts, SQL databases, and/or dependent services provided by Key Vault objects (Keys, Secrets, Certificates), etc. This may happen in the case of accidental deletion by a user or disruptive activity by a malicious user.
NOTE: In February 2025, Microsoft will enable soft-delete protection on all key vaults, and users can no longer opt out of or turn off soft-delete.
WARNING: A current limitation is that role assignments disappear when the Key Vault is deleted. After recovery, all role assignments will need to be recreated.
Rationale
There could be scenarios where users accidentally run delete/purge commands on Key Vault, or an attacker/malicious user deliberately does so to cause disruption. Deleting or purging a Key Vault leads to immediate data loss, as keys encrypting data and secrets/certificates allowing access/services will become non-accessible.
There is a Key Vault property that plays a role in permanent unavailability of a Key Vault:
enablePurgeProtection: Setting this parameter to "true" for a Key Vault ensures that even if the Key Vault is deleted, the Key Vault itself or its objects remain recoverable for the next 90 days. Key Vault/objects can be recovered or purged (permanently deleted) during those 90 days. If no action is taken, the key vault and its objects will subsequently be purged.
Enabling the enablePurgeProtection parameter on Key Vaults ensures that Key Vaults and their objects cannot be deleted/purged permanently.
Impact
Once purge protection and soft delete are enabled for a Key Vault, the action is irreversible.
Default Value
When a new Key Vault is created,
enableSoftDeleteis enabled by default, andenablePurgeProtectionis disabled by default.
References
- https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli
- https://blogs.technet.microsoft.com/kv/2017/05/10/azure-key-vault-recovery-options/
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy#gs-8-define-and-implement-backup-and-recovery-strategy
- https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection#dp-8-ensure-security-of-key-and-certificate-repository
Additional Information
When a key is used for SQL server TDE or Encrypting Storage Account, the features "Do Not Purge" and "Soft Delete" are enabled by default by the Azure Backend for the corresponding Key Vault.
WARNING: A current limitation of the soft-delete feature across all Azure services is that role assignments disappear when Key Vault is deleted. After recovery, all role assignments will need to be recreated.
Remediation guidance
From Azure Portal
- Open the Key Vault using the
Open in Azurebutton. - Ensure that the status of
Soft-deleteisSoft delete has been enabled on this key vault - For
Purge protection, selectEnable purge protection (enforce a mandatory retention period for deleted vaults and vault objects)
Using Azure CLI
az resource update --id <resourceID> --set properties.enablePurgeProtection=true properties.enableSoftDelete=true
Using Azure PowerShell
Update-AzKeyVault -VaultName <vaultName> -ResourceGroupName <resourceGroupName> -EnablePurgeProtection
Multiple Remediation Paths
Azure
SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.
PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.
References for Service-Wide Patterns
- Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
- Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
- Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure
Operational Rollout Workflow
Use this sequence to reduce risk and avoid repeated drift.
1. Contain at Service-Wide Scope First (Recommended)
- Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.
az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>
2. Remediate Existing Affected Assets
- Execute the control-specific Console/CLI steps documented above for each flagged resource.
- Prioritize internet-exposed and production assets first.
3. Validate and Prevent Recurrence
- Re-scan after each remediation batch.
- Track exceptions with owner and expiry date.
- Add preventive checks in IaC/CI pipelines.
Query logic
These are the stored checks tied to this control.
The key vault is recoverable
Connectors
Covered asset types
Expected check: eq []
{
kmsVaults(
where:
{
OR: [
{enableSoftDelete_NOT: true }
{enablePurgeProtection_NOT: true }
] }
) {...AssetFragment}
}
