Key Vault recovery disallowed by policy.

Tudor Vlad Bresan 1 Reputation point
2021-04-15T10:11:59.603+00:00

The issue: Unable to recover deleted key vault.

Policy assigned: "Key vaults should have purge protection enabled"
Policy definition ID: "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"
Policy effect: "Deny"

Even though "enableSoftDelete" is set to true before deletion, in the deleted list, the property is no longer present. When trying to recover the Vault, the policy gets triggered and it does not pass the check for the existence of the "enableSoftDelete" property thus not allowing the recovery as long as the policy effect is set to Deny.

I am not sure if this is a bug or if I am doing something wrong.

Key Vault properties before deletion

88185-keyvault-prop-pre-delete.jpg
Key Vault properties after deletion

88080-keyvault-prop-post-delete.jpg

Policy If-statement block

88241-policy-if-statement.png

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
664 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
509 questions
{count} votes