Verify that the Key Vault is Recoverable
Last updated: April 9, 2026
Framework Reference: A.8.13 Integration: Azure – Key Vault (Soft Delete & Purge Protection)
What this check does
This Auto Check verifies that purge protection is enabled on all Azure Key Vaults to ensure recoverability in the event of deletion.
Check Logic:
IF enablePurgeProtection = true
THEN PASS
ELSE FAIL
This property must be explicitly set on the Key Vault.
Note: enableSoftDelete is enabled by default and enforced by Microsoft starting February 2025. This check does not validate enableSoftDelete, only enablePurgeProtection.
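As an added example (not part of this check's own implementation), the script below applies the check logic above to a list of vault records. The records are constructed inline and assume the field layout of `az keyvault show --name <vault> -o json` (a top-level `properties` object carrying `enablePurgeProtection`); only the fields used here are modelled. It makes the "must be explicitly set" point concrete: a vault whose `enablePurgeProtection` is `null`, `false`, or simply absent all FAIL, and only an explicit `true` passes.

```python
import json

# Constructed sample data: four vaults in the assumed shape of
# `az keyvault show` output. Only the fields this check reads are included.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-payments", "properties": {"enableSoftDelete": true, "enablePurgeProtection": true}},
  {"name": "kv-legacy",   "properties": {"enableSoftDelete": true, "enablePurgeProtection": null}},
  {"name": "kv-dev",      "properties": {"enableSoftDelete": true, "enablePurgeProtection": false}},
  {"name": "kv-noprops",  "properties": {"enableSoftDelete": true}}
]
"""


def evaluate_vault(vault: dict) -> str:
    """Apply the check logic to one vault record.

    PASS only when enablePurgeProtection is explicitly true. A value of
    null or false, or a missing key, is FAIL: the property has to be set
    on the vault, and enableSoftDelete is deliberately not consulted.
    """
    props = vault.get("properties") or {}
    return "PASS" if props.get("enablePurgeProtection") is True else "FAIL"


def evaluate_all(vaults_json: str) -> dict:
    """Map each vault name to its PASS/FAIL result."""
    vaults = json.loads(vaults_json)
    return {vault["name"]: evaluate_vault(vault) for vault in vaults}


def failing_vaults(vaults_json: str) -> list:
    """Sorted names of vaults that need purge protection enabled."""
    results = evaluate_all(vaults_json)
    return sorted(name for name, result in results.items() if result == "FAIL")


if __name__ == "__main__":
    for name, result in evaluate_all(SAMPLE_VAULTS_JSON).items():
        print(f"{name}: {result}")
    print("Needs remediation:", ", ".join(failing_vaults(SAMPLE_VAULTS_JSON)))
```

To run it against real data, enumerate vault names with `az keyvault list --query "[].name" -o tsv`, call `az keyvault show --name <vault> -o json` for each, collect the results into a JSON array and pass that string to `evaluate_all`. Vaults reported by `failing_vaults` are the ones to remediate with the steps in the next section.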
How to fix it
Remediate via Azure Portal
Go to Key vaults in Azure
Click the vault you want to configure
Under Settings, open Properties
Enable Purge Protection
Note: Once enabled, purge protection cannot be disabled
Click Save
Remediate via Azure CLI
az resource update \
  --id /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.KeyVault/vaults/<key_vault_name> \
  --set properties.enablePurgeProtection=true
Remediate via PowerShell
Update-AzKeyVault -VaultName <vault_name> -ResourceGroupName <resource_group> `
  -EnablePurgeProtection
Exceptions
None. This is a mandatory data protection control.
Further resources