TudorVladBresan-6228 asked · AzDan commented

Key Vault recovery disallowed by policy.

The issue: Unable to recover deleted key vault.

Policy assigned: "Key vaults should have purge protection enabled"
Policy definition ID: "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53"
Policy effect: "Deny"

Even though "enableSoftDelete" is set to true before deletion, in the deleted list the property is no longer present. When trying to recover the vault, the policy gets triggered and it does not pass the check for the existence of the "enableSoftDelete" property, thus not allowing the recovery as long as the policy effect is set to Deny.

I am not sure if this is a bug or if I am doing something wrong.

Key Vault properties before deletion (screenshot attachment)

Key Vault properties after deletion (screenshot attachment)

Policy if-statement block (screenshot attachment)

Yes, Soft delete is enabled for the KeyVault.

When setting the policy to Audit/Disabled, I am able to recover the keyvault without any issues.

The problem is when I set the policy to deny the creation of a key vault if SoftDelete and PurgeProtection are not enabled. Even though they are enabled before I delete the vault, when trying to recover it, the "enableSoftDelete" property is missing.

AzDan (replying to TudorVladBresan-6228):

Hi,

Not sure if you managed to get this fixed, but when creating a similar policy recently, I have seen the below within an example I have been using:

    {
        "not": {
            "field": "Microsoft.KeyVault/vaults/createMode",
            "equals": "recover"
        }
    },

I haven't had a chance to test, but it could be worth adding that into your policy rule to see if it resolves the issue; it would need to go under the allOf section of the policy.

Hope that helps

Dan

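To make the failure mode in the question and the fix in the reply concrete, here is an added example that is not from the question, the reply or Microsoft: a small Python evaluator for the subset of Azure Policy condition syntax used here (allOf, anyOf, not, field/exists/equals), run against constructed request bodies. The rule is a constructed approximation of the purge-protection policy described above, not the verbatim built-in definition, and the alias resolution is simplified.

```python
# Constructed approximation of the rule the question describes: deny a vault
# unless soft delete and purge protection are both enabled. It is NOT the
# verbatim built-in definition quoted in the question; it only models the
# exists/equals checks that the question reports failing on a recover request.
ORIGINAL_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
    {"anyOf": [
        {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
        {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false"},
        {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "exists": "false"},
        {"field": "Microsoft.KeyVault/vaults/enablePurgeProtection", "equals": "false"},
    ]},
]}

# The same rule with the createMode exclusion from the reply added under allOf,
# so a recover request is never matched (and therefore never denied).
FIXED_RULE = {"allOf": ORIGINAL_RULE["allOf"] + [
    {"not": {"field": "Microsoft.KeyVault/vaults/createMode", "equals": "recover"}},
]}

def field_value(resource, field):
    """Simplified alias resolution: 'type' is top-level, everything else is
    '<resource type>/<property>' and lives under the request's 'properties'."""
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[1])

def matches(cond, resource):
    """True when the condition matches, i.e. the policy effect would apply."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (cond["exists"].lower() == "true")
    if "equals" in cond:  # Azure Policy compares case-insensitively
        return value is not None and str(value).lower() == cond["equals"].lower()
    raise ValueError(f"unsupported condition: {cond}")

# Constructed request bodies: a compliant create, a create without purge
# protection, and the recover request the question describes (only createMode).
CREATE_OK = {"type": "Microsoft.KeyVault/vaults",
             "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}}
CREATE_WEAK = {"type": "Microsoft.KeyVault/vaults", "properties": {"enableSoftDelete": True}}
RECOVER = {"type": "Microsoft.KeyVault/vaults", "properties": {"createMode": "recover"}}
```

With ORIGINAL_RULE the recover body is matched (denied) because the soft-delete alias does not exist on it, while FIXED_RULE lets the recover through and still denies the create that lacks purge protection.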
