Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,098 questions
Key Vault recovery disallowed by policy.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 44%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETV%3C/text%3E%3C/svg%3E)
Tudor Vlad Bresan
1
Reputation point
The issue: Unable to recover deleted key vault.
Policy assigned: "Key vaults should have purge protection enabled"
Policy definition ID: "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"
Policy effect: "Deny"
Even though "enableSoftDelete" is set to true before deletion, in the deleted list, the property is no longer present. When trying to recover the Vault, the policy gets triggered and it does not pass the check for the existence of the "enableSoftDelete" property thus not allowing the recovery as long as the policy effect is set to Deny.
I am not sure if this is a bug or if I am doing something wrong.
Key Vault properties before deletion
Key Vault properties after deletion
Policy If-statement block
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 33,696 Reputation points Microsoft Employee2021-04-15T22:52:32.427+00:00 Is "enable recovery" set on the vault in the Portal?
https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal
-
Tudor Vlad Bresan 1 Reputation point
2021-04-16T07:01:10.57+00:00 Yes, Soft delete is enabled for the KeyVault.
When setting the policy to Audit/Disabled, I am able to recover the keyvault without any issues.
The problem is when I set the Policy to deny the creation of a keyvault if SoftDelete and PurgeProtection is not enabled. Even though they are enabled before I delete the vault, when trying to recover it, the "enableSoftDelete" property is missing.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 72%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Dan 176 Reputation points2021-08-17T15:32:15.297+00:00 Hi,
Not sure if you managed to get this fixed, but when creating a similar policy recently, I have seen the below within an example I have been using:
{ "not": { "field": "Microsoft.KeyVault/vaults/createMode", "equals": "recover" } },I haven't had a chance to test, but it could be worth adding that into your policy rule and see if it resolves the issue, it would need to go under the allof section of the policy.
Hope that helps
Dan
Sign in to comment