What it is
A Key Vault with purge protection disabled. Soft-delete lets you recover a deleted vault (and the keys, secrets and certificates in it) during a retention window of 7 to 90 days, but with purge protection off, anyone holding the purge permission, including an automated cleanup job, can purge the vault immediately, destroying the key material permanently. With purge protection on, the vault and its objects cannot be purged by anyone until the retention window has expired.
Why it happens
Soft-delete is on by default for new vaults (and can no longer be turned off), which lulls teams into thinking deletes are reversible. Purge protection, the setting that actually blocks permanent deletion before the retention window ends, is opt-in: it is off by default, and because it cannot be switched off again once enabled, teams defer turning it on or assume a later template run will do it. It can be enabled on an existing vault at any time; the irreversibility is the only thing stopping people.
So vaults get provisioned in the unsafe state and nobody notices until a bad delete happens. The gap between "soft-delete is on" and "this vault is actually safe from a permanent delete" is where the damage lives.
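As an added example (not StratoLens code and not from the original page), the check below applies the soft-delete versus purge-protection distinction to vault records in the shape that `az keyvault list` / `az keyvault show` return: it classifies each vault, emits the CLI remediation for any that is not fully protected, and diffs two scans for vaults that lost protection. The vault names, ids and snapshots are constructed for the example.

```python
"""Classify Azure Key Vault delete protection from exported vault JSON.

Hypothetical checker added for this page; it is not StratoLens code and not
part of any Azure SDK. Input records have the shape that
`az keyvault list` / `az keyvault show --name <vault>` return, of which only
`name` and a few `properties` fields are used.
"""
import json

PROTECTED = "PROTECTED"                # soft-delete on and purge protection on
SOFT_DELETE_ONLY = "SOFT_DELETE_ONLY"  # recoverable, but can be purged at once
UNPROTECTED = "UNPROTECTED"            # no soft-delete: delete is immediate and final


def classify(vault: dict) -> str:
    """Return the protection state of one vault record.

    Azure returns enablePurgeProtection as null (not false) when it was never
    set, and some exports omit the key entirely, so anything other than an
    explicit true is treated as off. A missing enableSoftDelete is treated as
    off for the same reason.
    """
    props = vault.get("properties") or {}
    if props.get("enableSoftDelete") is not True:
        return UNPROTECTED
    if props.get("enablePurgeProtection") is True:
        return PROTECTED
    return SOFT_DELETE_ONLY


def findings(vaults: list) -> list:
    """Every vault that is not fully protected, with the CLI remediation."""
    out = []
    for vault in vaults:
        state = classify(vault)
        if state == PROTECTED:
            continue
        out.append({
            "name": vault["name"],
            "state": state,
            # Enabling purge protection is allowed on an existing vault at any
            # time; it just cannot be switched off again afterwards.
            "fix": f"az keyvault update --name {vault['name']} "
                   "--enable-purge-protection true",
        })
    return out


def weakened(previous: list, current: list) -> list:
    """Names of vaults that were PROTECTED in the previous scan but are not now.

    Purge protection cannot be disabled in place, so a hit here almost always
    means the vault was deleted and recreated under the same name without it.
    """
    before = {v["name"]: classify(v) for v in previous}
    return sorted(
        v["name"] for v in current
        if before.get(v["name"]) == PROTECTED and classify(v) != PROTECTED
    )


# Constructed sample snapshots (not real vaults); ids use an all-zero subscription.
_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-core/providers/Microsoft.KeyVault/vaults/")

PREVIOUS_SCAN = [
    {"name": "corp-kv", "id": _ID + "corp-kv",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90,
                    "enablePurgeProtection": True}},
]

CURRENT_SCAN = [
    # Recreated without purge protection: Azure reports null, not false.
    {"name": "corp-kv", "id": _ID + "corp-kv",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90,
                    "enablePurgeProtection": None}},
    {"name": "corp-kv-fixed", "id": _ID + "corp-kv-fixed",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 90,
                    "enablePurgeProtection": True}},
    # Old vault record with soft-delete off, as vaults could be before it became mandatory.
    {"name": "legacy-kv", "id": _ID + "legacy-kv",
     "properties": {"enableSoftDelete": False}},
]


if __name__ == "__main__":
    print(json.dumps(findings(CURRENT_SCAN), indent=2))
    print("weakened since last scan:", weakened(PREVIOUS_SCAN, CURRENT_SCAN))
```

The point of treating null and a missing key as "off" is that a naive `== False` check reports a never-configured vault as protected, which is exactly the vault this page is about.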
What it costs / blast radius
If a vault holding the customer-managed keys that encrypt your databases, disks or storage accounts is purged, the data encrypted under those keys becomes unrecoverable: the key material is gone and there is no recovery window to fall back on. This is a data-loss event, not a cost event. The blast radius is every resource that depended on those keys, which can mean entire databases or storage accounts that can no longer be decrypted. Secrets and certificates in the same vault go with it, so anything that authenticates with them fails at the same time.
See it
Unprotected vault (soft-delete only). The required location, tenantId and sku fields are filled in so the snippet deploys as written:

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: { name: 'standard', family: 'A' }
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    // enablePurgeProtection missing -> vault can be purged at any time during the retention window
  }
}

Fixed vault (same name; deploy one or the other, not both in one file):

resource kvFixed 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: { name: 'standard', family: 'A' }
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    enablePurgeProtection: true // blocks permanent deletion until retention expires; cannot be turned off again
  }
}

How StratoLens helps
StratoLens continuously inventories every Key Vault across every subscription and flags any with purge protection disabled. It also tracks configuration drift, so it tells you when a vault that was protected in the last scan is not protected now (since purge protection cannot be switched off in place, that usually means the vault was deleted and recreated without it). You find out from a report, not from an outage.