How to disable Purge Protection for Azure Key Vault Managed HSM

Question

Is there a way to disable purge protection for an Azure Keyvault Managed HSM key?

We created a HSM key while setting up a server, as it seemed to be mandatory to create since we couldn't move forward without it. The HSM key is not being used but still it incurs a $76/day cost.

We tried deleting the HSM key but the purge protection is enabled, due to which we can't delete the resource permanently. This seems to be a problem as it would still incur the same cost throughout the retention period of 90 days. I'm looking for a way to either disable the purge protection or delete the HSM key permanently. Any suggestions ?

Answer 1

Hi @Ramit Sharma ,

It is not possible to disable purge protection. This is by-design since purge is irreversible and otherwise someone could delete your key vault without the option to recover.

If you enabled purge protection when creating the Managed HSM you will have to wait until the retention period has expired. If purge protection is enabled, it can't be disabled or overridden by anyone, including Microsoft. So you must wait for the retention period to end.

I would recommend raising a free Azure Billing support case to discuss the unused HSM services to ask about the fee and potential exclusion if your case is valid, but I cannot promise any outcome from this. https://azure.microsoft.com/en-ca/support/create-ticket/

https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/recovery?tabs=azure-cli

If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.