Key Vault recovery disallowed by policy.

Tudor Vlad Bresan 1 Reputation point

The issue: Unable to recover deleted key vault.

Policy assigned: "Key vaults should have purge protection enabled"
Policy definition ID: "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"
Policy effect: "Deny"

Even though "enableSoftDelete" is set to true before deletion, in the deleted list the property is no longer present. When trying to recover the vault, the policy gets triggered and the request does not pass the check for the existence of the "enableSoftDelete" property, thus not allowing the recovery as long as the policy effect is set to Deny.

I am not sure if this is a bug or if I am doing something wrong.

[Screenshot: Key Vault properties before deletion]

[Screenshot: Key Vault properties after deletion]

[Screenshot: Policy If-statement block]
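To make the behaviour described in the question concrete, here is an added example (not part of the original post and not Microsoft's policy engine) that models how an Azure Policy `if` block with `allOf`/`anyOf`, `field`, `exists` and `equals` conditions is evaluated against a request body. The rule below is an assumption modelled on the shape of the cited built-in definition; the two request bodies are constructed: a create request that carries both flags, and a recovery request in which `enableSoftDelete` is absent, as the question reports. Running it shows that the `exists: false` leaf, not a `false` value, is what trips the Deny.

```python
"""Simplified model of Azure Policy rule evaluation (constructed example)."""

# Assumed rule, modelled on the structure of the built-in
# "Key vaults should have purge protection enabled" definition.
# The exact JSON of the real built-in is not reproduced here.
PURGE_PROTECTION_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
            {"anyOf": [
                {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
                {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false"},
                {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "exists": "false"},
                {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "equals": "false"},
            ]},
        ]
    },
    "then": {"effect": "deny"},
}

_MISSING = object()  # sentinel so that "absent" differs from a value of None/False


def _lookup(resource, field):
    """Resolve a policy field alias: 'type' is top-level, and
    '<type>/<prop>' maps to resource['properties'][<prop>]."""
    if field == "type":
        return resource.get("type", _MISSING)
    prefix = resource.get("type", "") + "/"
    if field.startswith(prefix):
        return resource.get("properties", {}).get(field[len(prefix):], _MISSING)
    return _MISSING


def _norm(value):
    # Policy comparisons are case-insensitive text comparisons of the JSON value.
    return str(value).lower()


def evaluate_condition(cond, resource):
    """Recursively evaluate one condition node; returns True when it matches."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _lookup(resource, cond["field"])
    if "exists" in cond:
        # exists: "false" matches exactly when the property is absent
        return (value is not _MISSING) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return value is not _MISSING and _norm(value) == _norm(cond["equals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(rule, resource):
    """Return the effect a matching rule applies ('deny'), else 'allow'."""
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"]
    return "allow"


def matching_leaves(rule, resource):
    """List the anyOf leaf conditions that matched, i.e. the reason for a deny."""
    any_of = rule["if"]["allOf"][1]["anyOf"]
    return [c for c in any_of if evaluate_condition(c, resource)]


# Constructed request bodies (not taken from the page's screenshots).
VAULT_CREATE_REQUEST = {
    "type": "Microsoft.KeyVault/vaults",
    "properties": {"enableSoftDelete": True, "enablePurgeProtection": True},
}
# Models the question's report: on recovery, enableSoftDelete is no longer present.
VAULT_RECOVER_REQUEST = {
    "type": "Microsoft.KeyVault/vaults",
    "properties": {"enablePurgeProtection": True, "createMode": "recover"},
}

if __name__ == "__main__":
    for name, body in (("create", VAULT_CREATE_REQUEST), ("recover", VAULT_RECOVER_REQUEST)):
        print(name, "->", evaluate(PURGE_PROTECTION_RULE, body),
              matching_leaves(PURGE_PROTECTION_RULE, body))
```

The `matching_leaves` helper is the check worth having when a Deny fires unexpectedly: it tells you which leaf matched, so a missing property is not mistaken for a property set to `false`. On the real platform, a scoped policy exemption or temporarily setting the assignment's effect to Audit are the usual ways to let a recovery through without removing the assignment.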

