This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article covers two recovery features of Azure Key Vault, soft delete and purge protection. This document provides an overview of these features, and shows you how to manage them through the Azure portal, Azure CLI, and Azure PowerShell.
Important
If a key vault does not have soft-delete protection enabled, deleting a key deletes it permanently. Customers are strongly encouraged to turn on soft delete enforcement for their vaults via Azure Policy.
For more information about Key Vault, see
An Azure subscription - create one for free
A Key Vault - you can create one using Azure portal Azure CLI, or Azure PowerShell
The user needs the following permissions (at subscription level) to perform operations on soft-deleted vaults:
| Permission | Description |
|---|---|
| Microsoft.KeyVault/locations/deletedVaults/read | View the properties of a soft deleted key vault |
| Microsoft.KeyVault/locations/deletedVaults/purge/action | Purge a soft deleted key vault |
| Microsoft.KeyVault/locations/operationResults/read | To check purging state of vault |
| Key Vault Contributor | To recover soft-deleted vault |
Soft delete and purge protection are two different key vault recovery features.
Soft delete is designed to prevent accidental deletion of your key vault and keys, secrets, and certificates stored inside key vault. Think of soft-delete like a recycle bin. When you delete a key vault or a key vault object, it remains recoverable for a user configurable retention period or a default of 90 days. Key vaults in the soft deleted state can also be purged (permanently deleted), allowing you to recreate key vaults and key vault objects with the same name. Both recovering and deleting key vaults and objects require elevated access policy permissions. Once soft delete has been enabled, it cannot be disabled.
It is important to note that key vault names are globally unique, so you aren't able to create a key vault with the same name as a key vault in the soft deleted state. Similarly, the names of keys, secrets, and certificates are unique within a key vault. You aren't able to create a secret, key, or certificate with the same name as another in the soft deleted state.
Purge protection is designed to prevent the deletion of your key vault, keys, secrets, and certificates by a malicious insider. Think of it as a recycle bin with a time based lock. You can recover items at any point during the configurable retention period. You will not be able to permanently delete or purge a key vault until the retention period elapses. Once the retention period elapses the key vault or key vault object is purged automatically.
Note
Purge Protection is designed so that no administrator role or permission can override, disable, or circumvent purge protection. When purge protection is enabled, it cannot be disabled or overridden by anyone including Microsoft. This means you must recover a deleted key vault or wait for the retention period to elapse before reusing the key vault name.
For more information about soft-delete, see Azure Key Vault soft-delete overview
Verify if a key-vault has soft-delete enabled
Get-AzKeyVault -VaultName "ContosoVault"
Delete key vault
Remove-AzKeyVault -VaultName 'ContosoVault'
List all soft-deleted key vaults
Get-AzKeyVault -InRemovedState
Recover soft-deleted key-vault
Undo-AzKeyVaultRemoval -VaultName ContosoVault -ResourceGroupName ContosoRG -Location westus
Purge soft-deleted key-vault (WARNING! THIS OPERATION WILL PERMANENTLY DELETE YOUR KEY VAULT)
Remove-AzKeyVault -VaultName ContosoVault -InRemovedState -Location westus
Enable purge-protection on key-vault
Update-AzKeyVault -VaultName ContosoVault -ResourceGroupName ContosoRG -EnablePurgeProtection
Grant permissions to recover and purge certificates
Set-AzKeyVaultAccessPolicy -VaultName ContosoVault -UserPrincipalName user@contoso.com -PermissionsToCertificates recover,purge
Delete a Certificate
Remove-AzKeyVaultCertificate -VaultName ContosoVault -Name 'MyCert'
List all deleted certificates in a key vault
Get-AzKeyVaultCertificate -VaultName ContosoVault -InRemovedState
Recover a certificate in the deleted state
Undo-AzKeyVaultCertificateRemoval -VaultName ContosoVault -Name 'MyCert'
Purge a soft-deleted certificate (WARNING! THIS OPERATION WILL PERMANENTLY DELETE YOUR CERTIFICATE)
Remove-AzKeyVaultcertificate -VaultName ContosoVault -Name 'MyCert' -InRemovedState
Grant permissions to recover and purge keys
Set-AzKeyVaultAccessPolicy -VaultName ContosoVault -UserPrincipalName user@contoso.com -PermissionsToKeys recover,purge
Delete a key
Remove-AzKeyVaultKey -VaultName ContosoVault -Name 'MyKey'
List all deleted keys in a key vault
Get-AzKeyVaultKey -VaultName ContosoVault -InRemovedState
To recover a soft-deleted key
Undo-AzKeyVaultKeyRemoval -VaultName ContosoVault -Name ContosoFirstKey
Purge a soft-deleted key (WARNING! THIS OPERATION WILL PERMANENTLY DELETE YOUR KEY)
Remove-AzKeyVaultKey -VaultName ContosoVault -Name ContosoFirstKey -InRemovedState
Grant permissions to recover and purge secrets
Set-AzKeyVaultAccessPolicy -VaultName ContosoVault -UserPrincipalName user@contoso.com -PermissionsToSecrets recover,purge
Delete a secret named SQLPassword
Remove-AzKeyVaultSecret -VaultName ContosoVault -Name SQLPassword
List all deleted secrets in a key vault
Get-AzKeyVaultSecret -VaultName ContosoVault -InRemovedState
Recover a secret in the deleted state
Undo-AzKeyVaultSecretRemoval -VaultName ContosoVault -Name SQLPassword
Purge a secret in deleted state (WARNING! THIS OPERATION WILL PERMANENTLY DELETE YOUR KEY)
Remove-AzKeyVaultSecret -VaultName ContosoVault -Name SQLPassword -InRemovedState
Training
Certification
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.