Enable Purge Protection and Soft-delete for all Key Vaults

What is Soft-delete?

Soft-delete is a data-loss protection setting that allows you to recover deleted items within the Key Vault like keys, secrets and certificates for a specified amount of time. Once Soft-delete has been enabled on your Key Vault it can not be disabled. Items in a Soft-delete state will automatically be deleted after the retention period has passed. Within this period soft-deleted items can still be purged.
Currently Soft-delete is enabled by default on new Key Vaults but this wasn’t always the case. Microsoft will enforce Soft-delete in 2025 on all existing Key Vaults.

What is Purge Protection?

Purge Protection is another layer of security that can only be enabled once Soft-delete is enabled. Some Azure Services which depend on your Key Vault require Purge Protection to be enabled.
When Purge Protection is enabled on your Key Vault a vault or an object within your Key Vault can not be purged until the retention period has passed. Once enabled it cannot be disabled.

Enable Soft-delete and Purge Protection using PowerShell

This script enables Purge Protection and Soft-delete for all Azure Key Vaults in all Subscriptions.
By default the retention period is 90 days.

## Enable Purge Protection and Soft-delete for all Keyvaults in all Subscriptions

$Subscription = Get-AzSubscription
foreach ($sub in $subscription) {
    Select-AzSubscription -SubscriptionId $sub.Id
    $keyvault = Get-AzKeyVault

    foreach ($kv in $keyvault) {

        ## Enable Soft-delete
        ($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName $kv.VaultName).ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"
        Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties -force -Verbose 
    
        ## Enable PurgeProtection
        ($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName $kv.VaultName).ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enablePurgeProtection" -Value "true"
        Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties -force -Verbose
    
    
    }
}

## Enable Purge Protection and Soft-delete for all Keyvaults in all Subscriptions

​

$Subscription = Get-AzSubscription

foreach ($sub in $subscription) {

    Select-AzSubscription -SubscriptionId $sub.Id

    $keyvault = Get-AzKeyVault

​

    foreach ($kv in $keyvault) {

​

        ## Enable Soft-delete

        ($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName $kv.VaultName).ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enableSoftDelete" -Value "true"

        Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties -force -Verbose 

        ## Enable PurgeProtection

        ($resource = Get-AzResource -ResourceId (Get-AzKeyVault -VaultName $kv.VaultName).ResourceId).Properties | Add-Member -MemberType "NoteProperty" -Name "enablePurgeProtection" -Value "true"

        Set-AzResource -resourceid $resource.ResourceId -Properties $resource.Properties -force -Verbose

    }

}