
The issue: Unable to recover deleted key vault.

Policy assigned: "Key vaults should have purge protection enabled"

Policy definition ID: "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"

Policy effect: "Deny"

Even though "enableSoftDelete" is set to true before deletion, in the deleted list the property is no longer present. When trying to recover the vault, the policy gets triggered and the check for the existence of the "enableSoftDelete" property does not pass, so the recovery is not allowed as long as the policy effect is set to Deny.

I am not sure if this is a bug or if I am doing something wrong.

Screenshot: Key Vault properties before deletion

Screenshot: Key Vault properties after deletion

Screenshot: Policy If statement block

Comment (Matt Small): What is the actual response when you try to recover the vault? I am no Policy expert, but the condition is enableSoftDelete == false, not if it does not exist. Why are there multiples of the same condition in the if/anyOf block? I feel like there's more to this than we're seeing.
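An added example (my code, not the original poster's or Microsoft's): a small Python evaluator for the subset of Azure Policy conditions this kind of rule uses, run over two constructed vault documents that mirror the question's before and after screenshots. The rule it evaluates, ASSUMED_RULE, is my recollection of the built-in definition and should be confirmed against `az policy definition show --name 0b60c0b2-2dc2-4e1c-b5c9-abbed971de53` before relying on it. It illustrates the distinction raised in the comment above: an `equals: false` clause never matches a document where the property is absent, but an `exists: false` clause does, so an anyOf that pairs both clauses fires against the deleted-vault representation the question shows.

```python
"""Evaluate an Azure Policy-style rule against key vault resource documents.

Constructed example for this thread, not code from the original post or
from Microsoft. ASSUMED_RULE is my recollection of the built-in
"Key vaults should have purge protection enabled" rule, not a verified
copy; the two vault documents are hand-written to mirror the question's
before/after screenshots.
"""

MISSING = object()  # sentinel: the field is absent from the document

# Constructed: vault as it looked before deletion (both flags present).
VAULT_BEFORE = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kv-example",
    "properties": {"enableSoftDelete": True, "enablePurgeProtection": True},
}

# Constructed: the deleted-vault entry, where the flags are no longer present.
VAULT_DELETED = {
    "type": "Microsoft.KeyVault/vaults",
    "name": "kv-example",
    "properties": {"deletionDate": "2023-01-01T00:00:00Z"},
}

# Assumed approximation of the policy "if" block: each property gets an
# "exists: false" clause and an "equals: false" clause inside one anyOf.
ASSUMED_RULE = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
        {"anyOf": [
            {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
            {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false"},
            {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "exists": "false"},
            {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "equals": "false"},
        ]},
    ]
}


def resolve_field(resource, field):
    """Look up a policy 'field' reference: 'type' is top-level, anything
    else is treated as a property alias whose last path segment names a key
    in the properties bag. Absent values resolve to MISSING."""
    if field == "type":
        return resource.get("type", MISSING)
    prop = field.rsplit("/", 1)[-1]
    return resource.get("properties", {}).get(prop, MISSING)


def _norm(value):
    """Azure Policy compares as case-insensitive strings; booleans become
    'true'/'false', which is why "equals": "false" can match a JSON false."""
    return str(value).lower()


def evaluate(condition, resource):
    """Recursively evaluate allOf/anyOf/not and the field operators used here."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        want_present = _norm(condition["exists"]) == "true"
        return (value is not MISSING) == want_present
    if "equals" in condition:
        # A missing field never equals anything, so "equals": "false" alone
        # would NOT catch the deleted-vault document; "exists": "false" does.
        return value is not MISSING and _norm(value) == _norm(condition["equals"])
    raise ValueError(f"unsupported condition: {condition}")


def policy_matches(resource, rule=ASSUMED_RULE):
    """True when the 'if' block matches, i.e. a Deny effect would fire."""
    return evaluate(rule, resource)


def matched_leaves(resource, rule=ASSUMED_RULE):
    """List the leaf conditions that hold, to explain why a Deny fired."""
    hits = []

    def walk(cond):
        for key in ("allOf", "anyOf"):
            if key in cond:
                for child in cond[key]:
                    walk(child)
                return
        if "not" in cond:
            walk(cond["not"])
            return
        if evaluate(cond, resource):
            op = "exists" if "exists" in cond else "equals"
            hits.append(f"{cond['field']} {op} {cond[op]}")

    walk(rule)
    return hits


if __name__ == "__main__":
    for label, doc in (("before deletion", VAULT_BEFORE), ("deleted entry", VAULT_DELETED)):
        verdict = "DENY" if policy_matches(doc) else "allow"
        print(f"{label}: {verdict} {matched_leaves(doc)}")
```

Running it prints `allow` for the before-deletion document and `DENY` for the deleted entry, with `matched_leaves` naming the two `exists false` clauses as the reason. The same evaluator also shows that a vault with soft delete on but `enablePurgeProtection` set to false is denied by the `equals: false` clause, which is what the policy's title is actually about; if the real definition pulled with `az policy definition show` differs from ASSUMED_RULE, paste it in place of that constant and re-run.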

1 Answer


There is always a delay after changing settings in the Azure portal. It's better to check that soft-delete is enabled on the Azure Key Vault before deleting it, see here.


If soft-delete is really enabled, you could try to delete and recover the key using the Azure CLI.

NOTE: You must add access policies with delete and recover permissions; if not, it will return access denied.