Verify that the Key Vault is Recoverable
What this check does
This Auto Check verifies that purge protection is enabled on all Azure Key Vaults to ensure recoverability in the event of deletion.
Check Logic:
IF enablePurgeProtection = true
THEN PASS
ELSE FAIL
This property must be explicitly set on the Key Vault.
Note: enableSoftDelete is enabled by default and enforced by Microsoft starting February 2025. This check does not validate enableSoftDelete, only enablePurgeProtection.
How to fix it
Remediate via Azure Portal
- Go to Key vaults in Azure
- Click the vault you want to configure
- Under Settings, open Properties
- Enable Purge Protection
  Note: Once enabled, purge protection cannot be disabled.
- Click Save
Remediate via Azure CLI
az resource update \
  --id /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.KeyVault/vaults/<key_vault_name> \
  --set properties.enablePurgeProtection=true 
Remediate via PowerShell
Update-AzKeyVault `
  -VaultName <vault_name> `
  -ResourceGroupName <resource_group> `
  -EnablePurgeProtection
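Added example (not part of the original page or the check's own implementation): a Python sketch that applies the check logic above to vault resource JSON and emits the Azure CLI remediation for each failing vault. The vault names, resource group, all-zero subscription ID and the helper names (evaluate, remediation, report, overall) are constructed for illustration; the input is assumed to be ARM resource JSON with a properties object.

```python
import json
import shlex

# Constructed sample (not real vaults): ARM resource JSON trimmed to the
# fields this check reads, in the shape `az resource show --ids <id>` returns.
BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-demo/providers/Microsoft.KeyVault/vaults/")
SAMPLE_VAULTS = json.loads("""[
  {"name": "kv-protected", "properties": {"enableSoftDelete": true, "enablePurgeProtection": true}},
  {"name": "kv-unset",     "properties": {"enableSoftDelete": true}},
  {"name": "kv-null",      "properties": {"enableSoftDelete": true, "enablePurgeProtection": null}}
]""")
for v in SAMPLE_VAULTS:
    v["id"] = BASE + v["name"]


def evaluate(vault):
    """Apply the check logic: PASS only when the property is boolean true."""
    value = (vault.get("properties") or {}).get("enablePurgeProtection")
    if value is True:
        return "PASS", "enablePurgeProtection is true"
    if value is None:
        # Soft delete alone does not satisfy the check; the property was never set.
        return "FAIL", "enablePurgeProtection is not set"
    return "FAIL", "enablePurgeProtection is %r" % (value,)


def remediation(vault_id):
    """Build the page's Azure CLI remediation for one vault id."""
    return ("az resource update --id %s --set properties.enablePurgeProtection=true"
            % shlex.quote(vault_id))


def report(vaults):
    rows = []
    for v in vaults:
        status, reason = evaluate(v)
        fix = None if status == "PASS" else remediation(v["id"])
        rows.append({"id": v["id"], "status": status, "reason": reason, "fix": fix})
    return rows


def overall(rows):
    """The check covers all vaults, so one FAIL fails the whole check."""
    return "PASS" if all(r["status"] == "PASS" for r in rows) else "FAIL"


if __name__ == "__main__":
    rows = report(SAMPLE_VAULTS)
    for r in rows:
        print(r["status"], r["id"], "-", r["reason"])
        if r["fix"]:
            print("  fix:", r["fix"])
    print("overall:", overall(rows))
```

Because purge protection cannot be disabled once enabled, review the generated commands before running them rather than piping them straight to a shell.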
Exceptions
None. This is a mandatory data protection control.
Further resources
- https://docs.microsoft.com/en-us/azure/key-vault/key-vault-soft-delete-cli
- https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-governance-strategy#gs-8-define-and-implement-backup-and-recovery-strategy
- https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-data-protection#dp-8-ensure-security-of-key-and-certificate-repository