Key vaults should have deletion protection enabled

HIGH

Ensures soft-delete and purge protection are enabled on Azure Key Vaults, so that an accidentally or maliciously deleted vault (or a deleted key, secret or certificate) can be recovered and cannot be permanently purged before its retention period expires.

What does this mean?

Azure Key Vault stores the keys, secrets, and certificates your applications depend on. With soft-delete enabled (the default on new vaults), a deleted vault or object is kept in a recoverable state for a retention period configured when the vault is created (7 to 90 days) instead of being destroyed immediately. Purge protection builds on this: while it is enabled, the soft-deleted vault or objects cannot be purged (permanently deleted) by anyone until the retention period has elapsed, so a deletion can always be reversed within that window. This recommendation checks that both settings are on.

Benefits of implementation

  • Protects against data loss from accidental deletion: the vault and its objects can be recovered during the retention period
  • Prevents an attacker, or a compromised identity with delete rights, from permanently wiping secrets: with purge protection on, deletion is reversible until the retention period ends
  • Required by multiple compliance frameworks (CIS, BIO, MCSB)

Drawbacks and considerations

  • Deleted vaults continue to incur costs during the retention period
  • Slows down cleanup and test automation, because a purge-protected vault cannot be purged before its retention period ends
  • Deleted vault names remain reserved until the vault is recovered, purged, or the retention period expires
  • Purge protection is irreversible: once enabled on a vault it cannot be turned off

Implementation

Implementation guidance coming soon.
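As an added example (not part of this page's guidance), the check below audits vaults for the two settings. It evaluates the `properties` object that Azure Resource Manager returns for `Microsoft.KeyVault/vaults` (the same object `az keyvault show` prints): `enableSoftDelete`, `enablePurgeProtection` and `softDeleteRetentionInDays`. The sample vaults are constructed inline rather than read from a subscription, the `min_retention_days` threshold is an assumed organisational policy, and the remediation string uses the real `az keyvault update --enable-purge-protection true` command.

```python
"""Audit Azure Key Vault deletion-protection settings (added example)."""
from dataclasses import dataclass, field

# Azure accepts a soft-delete retention of 7 to 90 days.
MIN_RETENTION_DAYS = 7
MAX_RETENTION_DAYS = 90


@dataclass
class Finding:
    vault: str
    issues: list[str] = field(default_factory=list)
    remediation: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.issues


def evaluate_vault(vault: dict, min_retention_days: int = MIN_RETENTION_DAYS) -> Finding:
    """Check one vault resource (ARM shape) against the recommendation."""
    props = vault.get("properties", {})
    name = vault["name"]
    rg = vault.get("resourceGroup", "<resource-group>")
    f = Finding(vault=name)

    # Soft-delete: a deleted vault/object must stay recoverable for the retention period.
    if props.get("enableSoftDelete") is not True:
        f.issues.append("soft-delete disabled: deleted vault/objects are unrecoverable")

    # Purge protection: blocks purging soft-deleted data before retention expires.
    # A missing property means the feature is off.
    if props.get("enablePurgeProtection") is not True:
        f.issues.append("purge protection disabled: soft-deleted data can be purged immediately")
        f.remediation.append(
            f"az keyvault update --name {name} --resource-group {rg} --enable-purge-protection true"
        )

    # Retention window: must be a valid Azure value and meet the (assumed) org minimum.
    days = props.get("softDeleteRetentionInDays")
    if days is None or not max(min_retention_days, MIN_RETENTION_DAYS) <= days <= MAX_RETENTION_DAYS:
        f.issues.append(
            f"softDeleteRetentionInDays={days!r} not within {min_retention_days}..{MAX_RETENTION_DAYS}"
        )
    return f


def audit(vaults: list[dict], min_retention_days: int = MIN_RETENTION_DAYS) -> list[Finding]:
    return [evaluate_vault(v, min_retention_days) for v in vaults]


def noncompliant_vaults(vaults: list[dict], min_retention_days: int = MIN_RETENTION_DAYS) -> list[str]:
    return [f.vault for f in audit(vaults, min_retention_days) if not f.compliant]


# Constructed sample data, not taken from a real subscription.
SAMPLE_VAULTS = [
    {"name": "kv-prod-app", "resourceGroup": "rg-prod",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                    "softDeleteRetentionInDays": 90}},
    {"name": "kv-dev-legacy", "resourceGroup": "rg-dev",
     "properties": {"enableSoftDelete": True, "softDeleteRetentionInDays": 7}},  # no purge protection
    {"name": "kv-old", "resourceGroup": "rg-old",
     "properties": {"enableSoftDelete": False}},  # pre-soft-delete vault
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_VAULTS):
        status = "OK " if finding.compliant else "FAIL"
        print(f"{status} {finding.vault}")
        for issue in finding.issues:
            print(f"     - {issue}")
        for cmd in finding.remediation:
            print(f"     fix: {cmd}")
```

To run it against real vaults, feed `audit()` the list returned by `az keyvault list` followed by `az keyvault show` for each vault, since `list` does not include the `properties` block. A vault that fails the soft-delete check cannot simply be updated with this script's remediation: purge protection requires soft-delete, and the retention period is fixed at creation, so such vaults need to be recreated.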

Related recommendations will be linked here.

Frameworks

Details
Risk Level
HIGH
Category
Key Management
Azure Resource

Frameworks
6 frameworks
Last updated
2026-02-12