What it is
A Key Vault with enableSoftDelete set to false. Soft-delete is the retention window that keeps deleted secrets, keys, certificates, and even a deleted vault recoverable for a set period. With it off, a delete is permanent the instant it happens. This is distinct from purge protection (see AZF-0002): soft-delete is the recovery window itself, and purge protection is the stronger control that stops that window from being cut short.
Why it happens
Soft-delete is the foundation the whole recovery story sits on, and disabling it removes the safety net entirely. Azure has been tightening this over time and now enforces soft-delete on for new vaults, so a disabled state today almost always means a legacy vault created before enforcement, or one where the flag was cleared during an earlier grace window and never restored.
Those old vaults do not fix themselves. They keep running with no retention, and because everything works normally right up until a delete, the missing safety net is invisible during day-to-day use. The gap only reveals itself the moment someone deletes the wrong secret, or an automation script tears down a vault, and there is nothing to restore from.
What it costs / blast radius
The blast radius is loss, not exposure. (Azure behavior; authored assessment.) An accidental delete, a bad script, or a malicious insider can wipe a secret, a signing key, or the entire vault with no recovery window to fall back on. If that key was protecting encrypted data, the data can become unrecoverable along with it. There is no dollar figure here; the cost is an outage or permanent data loss that a single click or a single misfired pipeline can trigger.
See it
// Reflects a pre-enforcement legacy vault; Azure now enforces soft-delete,
// so this enableSoftDelete: false will NOT deploy on a new vault today.
param location string = resourceGroup().location

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    enableSoftDelete: false // a delete is permanent and immediate, no restore
  }
}

// The corrected vault: soft-delete on, full retention window, purge protection.
param location string = resourceGroup().location

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: location
  properties: {
    tenantId: tenant().tenantId
    sku: { family: 'A', name: 'standard' }
    enableSoftDelete: true // deletes are recoverable within the retention window
    softDeleteRetentionInDays: 90 // give yourself the full window
    enablePurgeProtection: true // stop the window being cut short (see AZF-0002)
  }
}

How StratoLens helps
StratoLens flags Key Vaults with soft-delete disabled automatically, continuously, across every subscription in your tenant, so the legacy vaults that predate Azure's enforcement do not sit unnoticed until the day a delete goes wrong. You find the vaults with no safety net while you can still add one.
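The check described above, written out as an added example (this is not StratoLens code, and not from the Bicep on this page). It assumes the input is the list of vault records that an inventory such as `az keyvault list` or Azure Resource Graph returns, where each record carries a `properties` dict using the same keys as the Bicep above (`enableSoftDelete`, `softDeleteRetentionInDays`, `enablePurgeProtection`). It goes one step beyond the page by also flagging a short retention window and missing purge protection, since those are the two follow-on gaps once soft-delete is on. The sample vaults are constructed; the `subscriptionId` field and the "missing flag counts as disabled" rule are assumptions.

```python
"""Triage Key Vault records for a missing soft-delete safety net.

Added example, not StratoLens code. Input shape assumed: one dict per
vault with 'name', 'subscriptionId' and a 'properties' dict holding the
ARM flags shown in the Bicep on this page. Sample data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

FULL_RETENTION_DAYS = 90  # the full window the corrected Bicep asks for


@dataclass(frozen=True)
class Finding:
    vault: str
    subscription: str
    issue: str    # short machine-readable code
    detail: str   # human-readable explanation


def soft_delete_enabled(props: dict) -> bool:
    """True only when the flag is explicitly true.

    Assumption: a record that lacks the flag altogether is a
    pre-enforcement legacy vault and is treated as disabled, i.e. the
    check is 'not equal to true' rather than 'equal to false'.
    """
    return props.get("enableSoftDelete") is True


def triage_vault(vault: dict) -> list[Finding]:
    """Return the findings for a single vault record."""
    props = vault.get("properties") or {}
    name = vault["name"]
    sub = vault.get("subscriptionId", "unknown")
    findings: list[Finding] = []

    if not soft_delete_enabled(props):
        findings.append(Finding(
            name, sub, "SOFT_DELETE_DISABLED",
            "deletes are permanent and immediate; nothing to restore from"))
        # Retention and purge protection are meaningless without soft-delete,
        # so stop here rather than report gaps that cannot be fixed first.
        return findings

    # Azure applies a 90-day window when the value is not set explicitly.
    retention = props.get("softDeleteRetentionInDays", FULL_RETENTION_DAYS)
    if retention < FULL_RETENTION_DAYS:
        findings.append(Finding(
            name, sub, "SHORT_RETENTION",
            f"retention is {retention} days; {FULL_RETENTION_DAYS} recommended"))

    if props.get("enablePurgeProtection") is not True:
        findings.append(Finding(
            name, sub, "PURGE_PROTECTION_OFF",
            "soft-deleted items can still be purged early (see AZF-0002)"))

    return findings


def triage_tenant(vaults: list[dict]) -> list[Finding]:
    """Run the check over every vault in every subscription of an inventory."""
    return [f for v in vaults for f in triage_vault(v)]


# Constructed sample: what a cross-subscription inventory might contain.
SAMPLE_VAULTS = [
    {"name": "corp-kv-legacy", "subscriptionId": "sub-prod",
     "properties": {"enableSoftDelete": False}},
    {"name": "corp-kv-old", "subscriptionId": "sub-prod",
     "properties": {}},  # flag absent: pre-enforcement vault
    {"name": "corp-kv-short", "subscriptionId": "sub-dev",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 7}},
    {"name": "corp-kv-good", "subscriptionId": "sub-dev",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90,
                    "enablePurgeProtection": True}},
]

if __name__ == "__main__":
    for f in triage_tenant(SAMPLE_VAULTS):
        print(f"{f.subscription}/{f.vault}: {f.issue} - {f.detail}")
```

The point of treating an absent `enableSoftDelete` as disabled is exactly the legacy case the page describes: a vault created before enforcement may never have had the property written, and a check that only looks for a literal `false` will miss it.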