AZ-500 | Chapter 56 of 103 | Objective 2.3

Key Vault Soft Delete and Purge Protection

This chapter covers Azure Key Vault soft delete and purge protection, two critical data protection features that prevent accidental or malicious permanent deletion of secrets, keys, and certificates. For the AZ-500 exam, questions on these features appear in roughly 5-10% of the Compute Security domain (Objective 2.3). Understanding the default values, enablement methods, and behavior of soft delete and purge protection is essential for passing the exam and for securing production Key Vaults.

25 min read
Intermediate
Updated May 31, 2026

Key Vault as a Safety Deposit Box with a Trash Can

Imagine a bank safety deposit box (Key Vault) that holds your most valuable items (secrets, keys, certificates). Normally, if you accidentally throw an item into the trash, it's gone forever. Soft delete is like having a locked, hidden trash can inside the vault that keeps discarded items for a set number of days (default 90). During that time, you can recover any item from the trash can intact. However, if someone with access empties the trash can (purges), the item is truly gone. Purge protection is a tamper-proof lock on that trash can that prevents anyone—even you—from emptying it until the retention period expires. This lock can only be set when the vault is created and cannot be removed. It ensures that even a malicious insider or compromised account cannot permanently destroy secrets before the retention period ends, giving you a guaranteed recovery window. The trash can has a maximum capacity (max soft-deleted objects per vault) and items are automatically deleted after the retention period. In Azure, the retention period is configurable from 7 to 90 days, and purge protection, once enabled, is irreversible.

How It Actually Works

What is Key Vault Soft Delete?

Soft delete is a data protection feature for Azure Key Vault that allows recovery of deleted vaults and vault objects (secrets, keys, certificates) after they have been deleted. Without soft delete, a delete operation is irreversible—the object is immediately and permanently removed. With soft delete enabled, deleted objects are retained in a "soft-deleted" state for a configurable retention period (default 90 days, minimum 7, maximum 90). During this period, the object is not accessible for use but can be recovered (undeleted) by an authorized user. After the retention period expires, the object is automatically purged (permanently deleted). Soft delete is enabled at the vault level and can be enabled during vault creation or after creation (though enabling after creation is not recommended as objects deleted before enablement are not protected).

How Soft Delete Works Internally

When a user issues a DELETE command on a secret, key, or certificate, Azure Key Vault does not immediately remove the underlying data. Instead, it marks the object as soft-deleted and moves it to a separate internal container. The object's name becomes unavailable for reuse until it is purged or the retention period expires. The object's metadata (e.g., creation date, expiration) is preserved. The soft-deleted object retains its unique identifier but is not returned in normal list operations (e.g., Get-AzKeyVaultSecret). To list soft-deleted objects, you must use the -InRemovedState parameter.

Key Components and Defaults

Retention period: Configurable from 7 to 90 days. Default is 90 days. Once set, it can be extended but not shortened.

Recovery: To recover a soft-deleted object, you use the Undo-AzKeyVaultSecretRemoval or equivalent cmdlet. The object is restored to its original state, including all tags and attributes.

Purge: To permanently delete a soft-deleted object before the retention period expires, you must have purge permission. Purge is irreversible.

Maximum soft-deleted objects per vault: 1000 objects (secrets, keys, certificates combined). If this limit is reached, no new soft deletes are allowed until some are purged or recovered.

Soft delete for vaults: The vault itself can also be soft-deleted. If a vault is deleted, it and all its objects are retained for the retention period. The vault name cannot be reused until purged.

Purge Protection

Purge protection is an optional feature that must be enabled when the vault is created. It cannot be enabled after creation. Once enabled, purge protection cannot be disabled. With purge protection on, no one (including the subscription owner or Microsoft support) can purge a soft-deleted vault or object until the retention period expires. This ensures that even if an attacker gains full access, they cannot permanently destroy secrets within the recovery window. Purge protection also applies to the vault itself. If a vault with purge protection is deleted, it cannot be purged until the retention period ends.

Configuration and Verification

You can enable soft delete and purge protection via Azure portal, PowerShell, CLI, or ARM templates.

Azure Portal:

When creating a Key Vault, check "Enable soft delete" and optionally check "Enable purge protection".

For existing vaults, go to Properties and enable soft delete (if not already enabled).

PowerShell:

# Enable soft delete on an existing vault
Set-AzKeyVault -VaultName 'MyVault' -EnableSoftDelete

# Enable purge protection during creation
New-AzKeyVault -VaultName 'MyVault' -ResourceGroupName 'MyRG' -Location 'EastUS' -EnableSoftDelete -EnablePurgeProtection

CLI:

# Enable soft delete on existing vault
az keyvault update --name MyVault --enable-soft-delete true

# Create vault with soft delete and purge protection
az keyvault create --name MyVault --resource-group MyRG --location eastus --enable-soft-delete true --enable-purge-protection true

Verification:

# PowerShell: both flags are properties of the vault object
Get-AzKeyVault -VaultName 'MyVault' | Select-Object EnableSoftDelete, EnablePurgeProtection
# CLI: the flags live under the "properties" node of the vault resource
az keyvault show --name MyVault --query '[properties.enableSoftDelete, properties.enablePurgeProtection]'

Interaction with Related Technologies

Azure Policy: You can enforce soft delete and purge protection using Azure Policy. The built-in policy "Key Vault should have soft delete enabled" audits or enforces the setting. Custom policies can require purge protection.

RBAC: Soft delete and purge operations require specific permissions: Microsoft.KeyVault/vaults/delete for vault deletion, Microsoft.KeyVault/vaults/purge/action for purging. The Key Vault Contributor role does not include purge permission; you need the Key Vault Administrator role.

Logging and Monitoring: Soft delete and purge events are logged in Azure Activity Log. You can set alerts for purge operations to detect potential malicious activity.

Azure Backup: For additional protection, you can use Azure Backup for Key Vault, which takes snapshots of secrets and keys. Soft delete is complementary but not a replacement for backup.

Purge Protection and Recovery Scenarios

Accidental Delete: User deletes a secret. With soft delete, the admin can recover it within 90 days. Without soft delete, it's gone.

Malicious Insider: A disgruntled admin deletes a vault and attempts to purge it. With purge protection, they cannot purge until retention expires, giving time for investigation and recovery.

Subscription Deletion: If a subscription is deleted, Key Vaults with soft delete and purge protection are not lost; they are soft-deleted and can be recovered by opening a support ticket.

Exam Traps

Default retention period: 90 days, not 30 or 7.

Purge protection cannot be enabled after vault creation.

Purge protection cannot be disabled once enabled.

Soft delete can be enabled after creation, but objects deleted before enablement are not recoverable.

Maximum soft-deleted objects per vault: 1000.

Purge permission is separate from delete permission.

Soft delete is not enabled by default for new vaults created via portal or CLI (though some SDKs may enable it automatically).

Step-by-Step Recovery Process

1. List soft-deleted secrets: Get-AzKeyVaultSecret -VaultName MyVault -InRemovedState

2. Recover a secret: Undo-AzKeyVaultSecretRemoval -VaultName MyVault -Name MySecret

3. Verify recovery: Get-AzKeyVaultSecret -VaultName MyVault -Name MySecret

For vault recovery, use Get-AzKeyVault -InRemovedState to list soft-deleted vaults and Undo-AzKeyVaultRemoval -VaultName MyVault -ResourceGroupName MyRG -Location EastUS to restore one.

Summary of Key Values

| Feature | Default | Range | Changeable after creation? |
|---------|---------|-------|----------------------------|
| Soft delete | Disabled | N/A | Yes (enable only) |
| Retention period | 90 days | 7-90 days | Yes (extend only) |
| Purge protection | Disabled | N/A | No (must enable at creation) |
| Max soft-deleted objects | 1000 | Fixed | No |

Conclusion

Soft delete and purge protection are essential for compliance and data security. On the AZ-500 exam, focus on the defaults, enablement restrictions, and the difference between delete and purge permissions. Remember that purge protection is a one-time decision that cannot be reversed.

Walk-Through

1. Enable Soft Delete on Vault

Soft delete must be enabled on the Key Vault either at creation time or after. During creation via portal, check the 'Enable soft delete' checkbox. For existing vaults, use PowerShell `Set-AzKeyVault -VaultName 'MyVault' -EnableSoftDelete` or CLI `az keyvault update --name MyVault --enable-soft-delete true`. Once enabled, all future deletions of secrets, keys, certificates, and the vault itself will be soft deletes. Objects deleted before soft delete was enabled remain permanently deleted. The retention period defaults to 90 days but can be set between 7 and 90 days using the `-SoftDeleteRetentionInDays` parameter during creation.

2. Delete a Secret (Soft Delete)

When a user with delete permissions issues a delete command (e.g., `Remove-AzKeyVaultSecret -VaultName MyVault -Name MySecret`), the secret is not permanently removed. Instead, it enters a soft-deleted state. The secret's name becomes unavailable for reuse. The secret is still present in the vault's internal storage but is marked as deleted. It is not returned in normal list operations. To list soft-deleted secrets, use `Get-AzKeyVaultSecret -VaultName MyVault -InRemovedState`. The secret's metadata (e.g., expiration, tags) is preserved. The soft-deleted secret can be recovered or purged.

3. Recover a Soft-Deleted Secret

To recover a soft-deleted secret, use `Undo-AzKeyVaultSecretRemoval -VaultName MyVault -Name MySecret`. This restores the secret to its original state, including all attributes and tags. The secret becomes active again and can be used immediately. The recovery operation requires the Key Vault Contributor role or higher (or a custom role with `Microsoft.KeyVault/vaults/secrets/recover/action`). Recovery is only possible within the retention period. After the retention period expires, the secret is automatically purged and cannot be recovered.

4. Purge a Soft-Deleted Secret (Without Purge Protection)

If purge protection is not enabled, a user with purge permissions can permanently delete a soft-deleted secret before the retention period expires using `Remove-AzKeyVaultSecret -VaultName MyVault -Name MySecret -InRemovedState -Force`. This is irreversible. The purge permission is separate from delete permission; it is granted via the Key Vault Administrator role or a custom role with `Microsoft.KeyVault/vaults/secrets/purge/action`. Purging frees up the secret name for reuse and removes all data immediately.

5. Enable Purge Protection

Purge protection can only be enabled during vault creation. It cannot be added later. To enable, check 'Enable purge protection' in the portal or use the `-EnablePurgeProtection` parameter in PowerShell or CLI. Once enabled, it cannot be disabled. With purge protection, no one can purge a soft-deleted vault or object until the retention period expires. This includes the subscription owner and Microsoft support. This ensures that even if an attacker gains full access, they cannot permanently destroy secrets within the recovery window. Purge protection is recommended for production vaults containing sensitive data.

What This Looks Like on the Job

Enterprise Scenario 1: Financial Services Compliance

A bank uses Azure Key Vault to store encryption keys for customer transaction data. Regulatory requirements (e.g., PCI DSS) mandate that deleted keys must be recoverable for at least 90 days. The bank enables soft delete with a retention period of 90 days and purge protection on all vaults. This ensures that even if a developer accidentally deletes a key, it can be recovered without data loss. Purge protection prevents a malicious insider from permanently destroying keys to cover tracks. The bank also uses Azure Policy to enforce soft delete and purge protection across all subscriptions, with audit logs sent to a SIEM for monitoring. Performance impact is negligible; the only consideration is that soft-deleted objects count towards the vault's object limit (1000), so the bank monitors the count and purges unneeded objects after the retention period.

Enterprise Scenario 2: Multi-Tenant SaaS Provider

A SaaS company hosts customer secrets in separate Key Vaults per tenant. They enable soft delete to allow recovery from accidental deletions, but they do not enable purge protection because they want the ability to immediately purge a tenant's secrets upon account closure. However, they face a problem: if a customer accidentally deletes a secret and then closes their account, the soft-deleted secret remains for 90 days, consuming storage. To handle this, they set a shorter retention period (7 days) and automate purging of soft-deleted objects after account closure. They also use RBAC to restrict purge permissions to a security admin group only. The company learned the hard way that without purge protection, a compromised admin account could purge all secrets instantly; they now use Azure AD Privileged Identity Management (PIM) to elevate privileges only when needed.

Common Misconfigurations

Enabling soft delete after creation but forgetting to enable purge protection: This leaves the vault vulnerable to immediate purging by an attacker with purge permissions.

Setting retention period too short: A 7-day retention may not be enough for organizations with slow incident response processes.

Not monitoring soft-deleted object count: When the 1000-object limit is reached, new delete operations fail, potentially causing application errors.

Assuming soft delete is enabled by default: It is not; you must explicitly enable it.
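The following audit script checks every vault in the current subscription for the four misconfigurations above, using the same vault properties the Verification section reads. It is an added example, not the chapter's own code; it assumes the Az.KeyVault module is loaded, Connect-AzAccount has been run, and the caller can list deleted objects in each vault. The 30-day "too short" threshold and the 80% warning level are arbitrary choices for illustration.

```powershell
# Added example: audit Key Vaults for the misconfigurations listed in this chapter.
# Assumes Az.KeyVault is loaded and Connect-AzAccount has already been run.
$MaxSoftDeleted   = 1000   # per-vault soft-deleted object limit stated in this chapter
$MinRetentionDays = 30     # arbitrary threshold for "retention period too short"
$WarnCountRatio   = 0.8    # warn once soft-deleted objects pass 80% of the limit

function Get-SoftDeletedObjectCount {
    param([Parameter(Mandatory)][string] $VaultName)
    # Secrets, keys and certificates share the one per-vault limit, so all three
    # deleted listings are counted together.
    $count = 0
    foreach ($cmd in 'Get-AzKeyVaultSecret', 'Get-AzKeyVaultKey', 'Get-AzKeyVaultCertificate') {
        try {
            $count += @(& $cmd -VaultName $VaultName -InRemovedState -ErrorAction Stop).Count
        } catch {
            # No list permission for this object type: report "unknown" rather than a misleading 0
            Write-Warning "$VaultName : cannot list deleted objects via $cmd ($($_.Exception.Message))"
            return $null
        }
    }
    return $count
}

function Test-KeyVaultDeletionProtection {
    # Emits one record per vault with its settings and a semicolon-separated list of findings.
    foreach ($item in Get-AzKeyVault) {
        # The unfiltered listing returns lightweight items; fetch the full vault object
        # to read EnableSoftDelete, EnablePurgeProtection and SoftDeleteRetentionInDays.
        $vault    = Get-AzKeyVault -VaultName $item.VaultName -ResourceGroupName $item.ResourceGroupName
        $deleted  = Get-SoftDeletedObjectCount -VaultName $vault.VaultName
        $findings = [System.Collections.Generic.List[string]]::new()

        if (-not $vault.EnableSoftDelete) {
            $findings.Add('Soft delete disabled: deletes are immediate and unrecoverable')
        }
        if (-not $vault.EnablePurgeProtection) {
            $findings.Add('Purge protection disabled: a purge-capable principal can destroy objects immediately')
        }
        if ($vault.EnableSoftDelete -and $vault.SoftDeleteRetentionInDays -lt $MinRetentionDays) {
            $findings.Add("Retention of $($vault.SoftDeleteRetentionInDays) days is below the $MinRetentionDays-day threshold")
        }
        if ($null -ne $deleted -and $deleted -ge ($MaxSoftDeleted * $WarnCountRatio)) {
            $findings.Add("$deleted soft-deleted objects: approaching the $MaxSoftDeleted limit, deletes will start failing")
        }

        [pscustomobject]@{
            VaultName        = $vault.VaultName
            ResourceGroup    = $vault.ResourceGroupName
            SoftDelete       = $vault.EnableSoftDelete
            PurgeProtection  = $vault.EnablePurgeProtection
            RetentionDays    = $vault.SoftDeleteRetentionInDays
            SoftDeletedCount = $deleted
            Findings         = ($findings -join '; ')
        }
    }
}

# Vaults with findings are the ones to remediate; a missing purge-protection finding
# means planning a replacement vault, since this chapter treats it as creation-time only.
Test-KeyVaultDeletionProtection | Format-Table -AutoSize
```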

Performance and Scale

Soft delete has negligible performance impact on normal operations. The main consideration is the soft-deleted object limit (1000 per vault). For vaults with high turnover, you may need to regularly purge or recover objects to stay under the limit. The retention period does not affect performance. Purge protection adds no performance overhead; it only restricts purge operations.

What Goes Wrong

Scenario: A security admin accidentally deletes a vault without purge protection. They immediately realize and try to recover, but a malicious script purges the vault before they can act. Data is lost permanently.

Scenario: An organization enables soft delete but not purge protection. An attacker compromises an admin account and purges all secrets, causing a major outage.

Scenario: A developer deletes a secret, then tries to create a new one with the same name but fails because the soft-deleted secret still exists. They must recover or purge the old one first.

These scenarios highlight why purge protection is critical for production environments.
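The name-collision scenario above (and the recovery steps in the Step-by-Step Recovery Process) can be handled in one helper that checks the soft-deleted container before writing a secret. This is an added example, not the chapter's own code; it assumes Az.KeyVault is loaded, Connect-AzAccount has been run, the caller has get, list, set and recover permissions on the vault, and the vault and secret names are placeholders.

```powershell
# Added example: write a secret without tripping over a soft-deleted entry of the same name.
# Assumes Az.KeyVault is loaded and Connect-AzAccount has already been run.
function Set-KeyVaultSecretSafely {
    param(
        [Parameter(Mandatory)] [string]       $VaultName,
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [securestring] $SecretValue,
        [switch] $RecoverExisting   # recover the soft-deleted entry first instead of failing
    )

    # A live secret means this call simply adds a new version; nothing special to do.
    $live = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -ErrorAction SilentlyContinue
    if (-not $live) {
        # No live secret: check the soft-deleted container, where the name stays reserved
        # until the entry is recovered, purged, or its retention period expires.
        $deleted = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -InRemovedState -ErrorAction SilentlyContinue
        if ($deleted) {
            if (-not $RecoverExisting) {
                # Never purge automatically: purge is irreversible and, with purge protection on,
                # not possible anyway. Surface the state and let the operator decide.
                throw ("'$Name' is soft-deleted in $VaultName (deleted $($deleted.DeletedDate), " +
                       "scheduled purge $($deleted.ScheduledPurgeDate)). Re-run with -RecoverExisting " +
                       "to restore it and add the new value as a new version.")
            }
            Write-Verbose "Recovering soft-deleted secret '$Name' from $VaultName"
            Undo-AzKeyVaultSecretRemoval -VaultName $VaultName -Name $Name | Out-Null

            # Recovery can lag briefly; wait until the name is live again before writing.
            $deadline = (Get-Date).AddSeconds(60)
            while (-not (Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -ErrorAction SilentlyContinue)) {
                if ((Get-Date) -gt $deadline) { throw "Recovery of '$Name' did not complete within 60 seconds" }
                Start-Sleep -Seconds 2
            }
        }
    }

    # Recovered (or never deleted): the new value becomes the current version and the
    # restored history, attributes and tags are kept.
    return Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $SecretValue
}

# Usage with placeholder names:
# $value = ConvertTo-SecureString 'new-value' -AsPlainText -Force
# Set-KeyVaultSecretSafely -VaultName 'MyVault' -Name 'MySecret' -SecretValue $value -RecoverExisting -Verbose
```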

How AZ-500 Actually Tests This

What AZ-500 Tests

Objective 2.3 (Compute Security) includes questions on Key Vault soft delete and purge protection. The exam expects you to know:

The default retention period (90 days)

That purge protection can only be enabled at vault creation and cannot be disabled

That soft delete can be enabled after creation but does not protect previously deleted objects

The maximum number of soft-deleted objects (1000)

The difference between delete and purge permissions

How to recover soft-deleted objects

That purge protection prevents purging until retention expires

Common Wrong Answers and Why

1. "Soft delete is enabled by default." Wrong. Soft delete must be explicitly enabled. Many candidates assume it's on because Azure Security Center recommends it, but it is not default.

2. "Purge protection can be enabled at any time." Wrong. It must be enabled during vault creation. This is a common trap.

3. "Purge protection prevents deletion of the vault." Wrong. Purge protection does not prevent deletion; it prevents purging of soft-deleted objects. The vault can still be deleted (soft-deleted).

4. "You can recover a soft-deleted object after the retention period." Wrong. After retention expires, the object is automatically purged and cannot be recovered.

5. "Soft delete only protects secrets, not keys or certificates." Wrong. It protects all three object types and the vault itself.

Specific Numbers and Terms

Memorize these for the exam:

Retention period: 7-90 days, default 90

Max soft-deleted objects per vault: 1000

Purge protection: cannot be disabled once enabled

Soft delete: can be enabled after creation

Purge permission: Microsoft.KeyVault/vaults/secrets/purge/action (or equivalent for keys/certificates)

Recovery cmdlet: Undo-AzKeyVaultSecretRemoval

List soft-deleted: Get-AzKeyVaultSecret -InRemovedState

Edge Cases

If a vault is deleted with purge protection enabled, the vault name cannot be reused until the retention period expires and the vault is purged automatically.

If you try to create a vault with the same name as a soft-deleted vault, the creation will fail.

Azure Policy can enforce soft delete, but it cannot enforce purge protection because purge protection is only settable at creation.

RBAC: The Key Vault Contributor role can delete objects but cannot purge. You need Key Vault Administrator or a custom role with purge action.

How to Eliminate Wrong Answers

When you see an answer that says "purge protection can be enabled later," eliminate it immediately. If an answer says "soft delete is enabled by default," eliminate it. Focus on the words "enable" vs. "disable" and "creation" vs. "after creation." Remember that purge protection is a one-time decision.

Key Takeaways

Soft delete retention period defaults to 90 days, configurable from 7 to 90 days.

Purge protection can only be enabled during vault creation and cannot be disabled.

Soft delete can be enabled after creation, but objects deleted before enablement are not recoverable.

Maximum of 1000 soft-deleted objects per vault.

Purge permission is separate from delete permission; Key Vault Contributor cannot purge.

Recovery of soft-deleted objects requires `Undo-AzKeyVaultSecretRemoval` (or equivalent).

Soft delete and purge protection apply to secrets, keys, certificates, and the vault itself.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Soft Delete Only

Can be enabled after vault creation.

Allows purging of soft-deleted objects by users with purge permissions.

Retention period configurable 7-90 days.

No protection against malicious purge by compromised admin.

Suitable for non-critical or test vaults.

Soft Delete + Purge Protection

Must be enabled at vault creation; cannot be added later.

Prevents any purge until retention period expires, even by admins.

Same retention period options.

Protects against malicious or accidental permanent deletion.

Recommended for production vaults with sensitive data.

Watch Out for These

Mistake: Soft delete is enabled by default on all new Key Vaults.

Correct: Soft delete is NOT enabled by default. You must explicitly enable it during or after vault creation. The Azure Security Center recommends it, but it is not automatic.

Mistake: Purge protection can be enabled on an existing vault.

Correct: Purge protection can only be enabled during vault creation. It cannot be added later. This is a common exam trap.

Mistake: Purge protection prevents the vault from being deleted.

Correct: Purge protection does not prevent deletion; it prevents the permanent purging of soft-deleted objects. The vault can still be deleted (soft-deleted) and later recovered.

Mistake: You can recover a soft-deleted object at any time.

Correct: Recovery is only possible within the retention period (7-90 days). After that, the object is automatically purged and cannot be recovered.

Mistake: Soft delete only applies to secrets, not keys or certificates.

Correct: Soft delete applies to all three object types (secrets, keys, certificates) and to the vault itself.


Frequently Asked Questions

Can I enable soft delete on an existing Key Vault?

Yes, you can enable soft delete on an existing Key Vault using the Azure portal, PowerShell (`Set-AzKeyVault -EnableSoftDelete`), or CLI (`az keyvault update --enable-soft-delete true`). However, any objects deleted before soft delete was enabled are not recoverable. Soft delete only protects objects deleted after it is enabled.

Can I disable soft delete once it's enabled?

No, you cannot disable soft delete once it is enabled. This is by design to ensure data protection. If you need to permanently delete an object, you must purge it (if purge protection is not enabled) or wait for the retention period to expire.

What is the difference between deleting and purging a Key Vault secret?

Deleting a secret (without soft delete) permanently removes it. With soft delete, deleting moves the secret to a soft-deleted state where it can be recovered. Purging permanently removes the soft-deleted secret before the retention period expires. Purge requires separate permissions and is irreversible.

How do I recover a soft-deleted Key Vault?

To recover a soft-deleted vault, use the Azure portal, PowerShell (`Undo-AzKeyVaultRemoval`), or CLI (`az keyvault recover`). You must specify the vault name, resource group, and location. The vault and all its objects are restored. Recovery is only possible within the retention period.

What happens if I reach the 1000 soft-deleted objects limit?

If the vault reaches 1000 soft-deleted objects, no further soft deletes are allowed. You must either recover or purge some objects to free up space. The limit applies to the combined count of soft-deleted secrets, keys, and certificates.

Can I use Azure Policy to enforce purge protection?

No, Azure Policy cannot enforce purge protection because it must be enabled at vault creation and cannot be changed later. However, you can use Azure Policy to audit whether purge protection is enabled on existing vaults and to enforce soft delete.

Is there any cost associated with soft-deleted objects?

Soft-deleted objects do not incur additional charges beyond the normal Key Vault pricing. However, they count towards the 1000-object limit. Storage costs are minimal as the objects are retained in the same vault.
