Security · Critical · Common · AZF-0002

Key Vault purge protection is off by default, so a deleted vault can be gone for good

Without purge protection, a deleted Key Vault can be permanently purged before the retention window ends, taking the data its keys encrypted with it.

Footgun ID: AZF-0002 (Azure Footgun No. 2)
Azure service: Azure Key Vault
Resource type: Microsoft.KeyVault/vaults
Updated: July 1, 2026

What it is

A Key Vault with purge protection disabled. Soft-delete lets you recover a deleted vault during a retention window, but with purge protection off, someone (or an automated cleanup) can purge the vault immediately, destroying the keys permanently.

Impact (reliability): Permanent, unrecoverable loss of keys and secrets if the vault is purged
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Soft-delete is on by default, which lulls teams into thinking deletes are reversible. Purge protection, the setting that actually blocks early permanent deletion, is off by default, and turning it on after the fact is less straightforward than people assume.

So vaults get provisioned in the unsafe state and nobody notices until a bad delete happens. The gap between "soft-delete is on" and "this vault is actually safe from a permanent delete" is where the damage lives.

What it costs / blast radius

If a vault holding the keys that encrypt your databases or storage is purged, the encrypted data becomes unrecoverable. This is a data-loss event, not a cost event. The blast radius is every resource that depended on those keys, which can mean entire databases or storage accounts that can no longer be decrypted.

See it

Footgun: purge protection unset (defaults to disabled)
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableSoftDelete: true
    // enablePurgeProtection missing -> not protected
  }
}
Fix: enable purge protection so early permanent deletion is blocked
resource kvFixed 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: 'corp-kv'
  location: resourceGroup().location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableSoftDelete: true
    enablePurgeProtection: true   // blocks early permanent deletion
  }
}

How StratoLens helps

StratoLens continuously inventories every Key Vault across every subscription and flags any with purge protection disabled. It also tracks config drift, so it tells you the moment a previously protected vault is weakened. You find out from a report, not from an outage.
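The inventory check and drift comparison described above, reduced to a standalone script over an exported vault inventory, as an added example that is not StratoLens code. The inventory JSON and vault names are constructed; the point it demonstrates is that an absent enablePurgeProtection property must be treated as disabled, exactly as in the "See it" footgun.

```python
import json

# Constructed sample inventory in the shape of Microsoft.KeyVault/vaults
# resources (hypothetical names). Note "corp-kv" has no enablePurgeProtection
# property at all: that is the default, unprotected state from the footgun.
INVENTORY_JSON = """
[
  {"name": "corp-kv",   "properties": {"enableSoftDelete": true}},
  {"name": "corp-kv-2", "properties": {"enableSoftDelete": true, "enablePurgeProtection": true}},
  {"name": "legacy-kv", "properties": {"enableSoftDelete": true, "enablePurgeProtection": false}}
]
"""


def load_inventory(text: str) -> list[dict]:
    """Parse an exported list of vault resources."""
    return json.loads(text)


def is_purge_protected(vault: dict) -> bool:
    """Purge protection counts as ON only when the property is explicitly true.
    A missing property means the vault was provisioned with the default (off)."""
    return vault.get("properties", {}).get("enablePurgeProtection") is True


def unprotected_vaults(inventory: list[dict]) -> list[str]:
    """Vaults whose keys could be permanently purged before the retention window ends."""
    return sorted(v["name"] for v in inventory if not is_purge_protected(v))


def weakened_vaults(previous: list[dict], current: list[dict]) -> list[str]:
    """Drift check: vaults that were purge-protected in the previous snapshot but
    are not in the current one. Azure does not let you switch purge protection
    off once it is on, so a hit here usually means the vault was deleted and
    recreated unprotected, which is worth an immediate look."""
    prev_protected = {v["name"] for v in previous if is_purge_protected(v)}
    now_protected = {v["name"] for v in current if is_purge_protected(v)}
    return sorted(prev_protected - now_protected)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_JSON)
    for name in unprotected_vaults(inventory):
        print(f"AZF-0002: {name} has purge protection disabled")
```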

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Built for Azure infrastructure teams who need complete visibility across their entire estate.