End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One

Ensure Purge Protection is Enabled for Key Vaults

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that purge protection is enabled for Azure Key Vaults to prevent permanent deletion of key vault objects. Key vaults contain critical security objects including keys, secrets, and certificates. Deletion of a key vault can cause immediate data loss or loss of security functions such as authentication, validation, verification, and non-repudiation that are supported by the key vault objects. Purge protection ensures that even if a key vault is deleted, the key vault and its objects remain recoverable during the configurable retention period (minimum 7 days, maximum 90 days).

Security
Reliability

Purge protection prevents both accidental deletion by users and malicious deletion attempts from causing permanent data loss. Deleting or purging a key vault leads to immediate data loss, as keys encrypting data and secrets or certificates allowing access to services become inaccessible. Enabling purge protection ensures that even if a key vault is deleted, the key vault and its objects remain recoverable during the configurable retention period; if no action is taken, the key vault and its objects are purged once the retention period elapses. Purge protection is therefore a critical safety mechanism: it blocks permanent deletion during the retention period and gives organizations time to detect and recover from accidental or malicious deletion events. This is essential for maintaining business continuity, meeting regulatory compliance requirements, and protecting encrypted data across Azure services that depend on key vault objects for encryption, authentication, and access control.

As of February 2025, Microsoft enabled soft delete protection on all key vaults. Users can no longer opt out of or turn off soft delete. All key vaults automatically have soft delete enabled with a retention period that can be configured between 7 and 90 days (default is 90 days). Purge protection is an additional layer of protection that can be enabled on top of soft delete.

Once purge protection is enabled for a key vault, it cannot be disabled. This is a one-way operation designed to ensure maximum data protection. Purge protection prevents permanent deletion of the vault and its objects; it does not preserve access permissions, which may still need to be recreated after recovery.


Audit

To determine if purge protection is enabled for your Azure Key Vaults, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Key vaults blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults.

03 Click on the name (link) of the Azure Key Vault that you want to examine.

04 In the left navigation panel, under Settings, select Properties.

05 On the Properties page, locate the Purge protection section.

06 Verify the status next to Purge protection:

  • If Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects) is selected (checked), purge protection is enabled for the selected key vault.
  • If the checkbox is not selected, purge protection is not enabled for the selected key vault.

07 Repeat steps no. 3 - 6 for each Azure Key Vault in the current subscription.

08 Repeat steps no. 2 - 7 for each Azure subscription in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[].{id:id, name:name}'

02 The command output should return the requested subscription identifiers (IDs) and names:

[
	{
		"id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"name": "Production Subscription"
	},
	{
		"id": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "Development Subscription"
	}
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run resource list command (Windows/macOS/Linux) with custom query filters to list the names and resource groups of all key vaults in the selected subscription:

az resource list \
	--query "[?type=='Microsoft.KeyVault/vaults'].{name:name, resourceGroup:resourceGroup}"

05 The command output should return the requested key vault names and resource groups:

[
	{
		"name": "production-keyvault",
		"resourceGroup": "production-rg"
	},
	{
		"name": "development-keyvault",
		"resourceGroup": "development-rg"
	}
]

06 Run resource show command (Windows/macOS/Linux) using the resource group and key vault name to get the purge protection setting for a specific key vault:

az resource show \
	--resource-group production-rg \
	--name production-keyvault \
	--resource-type "Microsoft.KeyVault/vaults" \
	--query properties.enablePurgeProtection

07 The command output should return the purge protection status:

If purge protection is disabled:

null

or

false

If the resource show command returns null or false, purge protection is not enabled for the selected Azure Key Vault.

If purge protection is enabled:

true

If the command returns true, purge protection is enabled for the selected Azure Key Vault.

08 Repeat steps no. 6 - 7 for each key vault in the selected subscription.

09 Repeat steps no. 3 - 8 for each Azure subscription in your Microsoft Azure cloud account.

Remediation / Resolution

To enable purge protection for your Azure Key Vaults, perform the following operations:

Important Note: Once purge protection is enabled for a key vault, it cannot be disabled. This is a permanent, one-way operation.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Key vaults blade available at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults.

03 Click on the name (link) of the Azure Key Vault that you want to configure.

04 In the left navigation panel, under Settings, select Properties.

05 On the Properties page, locate the Purge protection section.

06 Select (check) the checkbox next to Enable purge protection (enforce a mandatory retention period for deleted vaults and vault objects).

07 Click Save from the top menu bar to apply the configuration change.

08 Repeat steps no. 3 - 7 for each Azure Key Vault that requires purge protection in the current subscription.

09 Repeat steps no. 2 - 8 for each Azure subscription in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list \
	--query '[].{id:id, name:name}'

02 The command output should return the requested subscription identifiers (IDs) and names:

[
	{
		"id": "abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"name": "Production Subscription"
	},
	{
		"id": "abcd1234-abcd-1234-abcd-abcd1234abcd",
		"name": "Development Subscription"
	}
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to configure as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set \
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run resource list command (Windows/macOS/Linux) with custom query filters to list the names and resource groups of all key vaults in the selected subscription:

az resource list \
	--query "[?type=='Microsoft.KeyVault/vaults'].{name:name, resourceGroup:resourceGroup}"

05 The command output should return the requested key vault names and resource groups:

[
	{
		"name": "production-keyvault",
		"resourceGroup": "production-rg"
	},
	{
		"name": "development-keyvault",
		"resourceGroup": "development-rg"
	}
]

06 Run resource update command (Windows/macOS/Linux) to enable purge protection for a specific key vault:

az resource update \
	--resource-group production-rg \
	--name production-keyvault \
	--resource-type "Microsoft.KeyVault/vaults" \
	--set properties.enablePurgeProtection=true

07 The command output should return the updated key vault configuration. Verify that enablePurgeProtection is set to true in the properties.

08 Repeat steps no. 6 - 7 for each key vault that requires purge protection in the selected subscription.

09 Repeat steps no. 3 - 8 for each Azure subscription in your Microsoft Azure cloud account.
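The Azure CLI audit (steps 1 - 9 above) and the CLI remediation (steps 1 - 9 in this section) are the same subscription-and-vault loop, so the following added script, which is not part of the original page or of Trend Micro's tooling, automates both: it classifies the value of properties.enablePurgeProtection exactly as the audit describes (null or false means not enabled, true means enabled) and only runs the irreversible az resource update when explicitly invoked in "fix" mode. It assumes a signed-in az CLI session (az login) with permission to read, and in fix mode to update, every key vault.

```shell
#!/bin/sh
# Added example, not from the Conformity page: audit purge protection on every
# key vault in every subscription the signed-in az CLI identity can see, and
# optionally remediate (enabling purge protection cannot be undone).
set -eu

# Classify the value printed by `--query properties.enablePurgeProtection`.
# With JSON output az prints null/false/true; with `-o tsv` a null property
# comes back as an empty line, so "" is treated like null here.
# Prints ENABLED or NOT_ENABLED; returns 0 only when purge protection is on.
purge_status() {
    case "$(printf '%s' "$1" | tr -d '[:space:]')" in
        true)          echo "ENABLED";     return 0 ;;
        false|null|"") echo "NOT_ENABLED"; return 1 ;;
        *)             echo "UNKNOWN";     return 2 ;;
    esac
}

# Audit steps 4-7 (plus remediation step 6 when $2 is "fix") for the currently
# selected subscription. Prints one "sub<TAB>rg<TAB>vault<TAB>status" line per vault.
audit_subscription() {
    sub="$1"; mode="${2:-audit}"
    az resource list \
        --query "[?type=='Microsoft.KeyVault/vaults'].[name, resourceGroup]" -o tsv |
    while read -r vault rg; do
        [ -n "$vault" ] || continue
        value=$(az resource show --resource-group "$rg" --name "$vault" \
            --resource-type "Microsoft.KeyVault/vaults" \
            --query properties.enablePurgeProtection -o tsv) || value=""
        if status=$(purge_status "$value"); then
            :   # already protected, nothing to do
        elif [ "$mode" = "fix" ] && [ "$status" = "NOT_ENABLED" ]; then
            # One-way change; a follow-up audit run confirms the new state.
            az resource update --resource-group "$rg" --name "$vault" \
                --resource-type "Microsoft.KeyVault/vaults" \
                --set properties.enablePurgeProtection=true >/dev/null
            status="FIXED"
        fi
        printf '%s\t%s\t%s\t%s\n' "$sub" "$rg" "$vault" "$status"
    done
}

# Steps 1-3 and 8-9: iterate every subscription; exit 1 if any vault is still unprotected.
audit_all() {
    report=$(for sub in $(az account list --query '[].id' -o tsv); do
        az account set --subscription "$sub"
        audit_subscription "$sub" "${1:-audit}"
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '(NOT_ENABLED|UNKNOWN)$'
}
```

Source the file after az login and call audit_all for a read-only report; call audit_all fix only once you have reviewed that report, since every vault it touches stays purge-protected permanently.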

Publication date Jan 28, 2026