Enable purge protection on key-vault-create vault

msmbaldwin · Copilot · msmbaldwin · commit 94ea243a8c9f · 2026-05-13T11:32:09.000-07:00
Adds enablePurgeProtection: true to the vault in key-vault-create/main.bicep
(and the regenerated azuredeploy.json).

Without purge protection, soft-deleted vault contents can be permanently
destroyed during the soft-delete retention window. Enabling purge
protection guarantees the configured retention window is honored, which
is the recommended Key Vault security baseline.

Validation:
- correlationId: 08a19c7d-365d-455d-bbac-4de41d42a718
- deploymentName: kvc-deploy-2b2b8b3f
- region: eastus
- provisioningState: Succeeded

metadata.json updated with validationType: Manual and the
testResult.deployments block.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json b/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.42.1.51946",
-      "templateHash": "9714026315215760608"
+      "templateHash": "5424899472990749957"
     }
   },
   "parameters": {
@@ -88,6 +88,7 @@
         "tenantId": "[parameters('tenantId')]",
         "enableSoftDelete": true,
         "softDeleteRetentionInDays": 90,
+        "enablePurgeProtection": true,
         "sku": {
           "name": "[parameters('skuName')]",
           "family": "A"
diff --git a/quickstarts/microsoft.keyvault/key-vault-create/main.bicep b/quickstarts/microsoft.keyvault/key-vault-create/main.bicep
@@ -41,6 +41,7 @@ resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
     tenantId: tenantId
     enableSoftDelete: true
     softDeleteRetentionInDays: 90
+    enablePurgeProtection: true
     sku: {
       name: skuName
       family: 'A'
diff --git a/quickstarts/microsoft.keyvault/key-vault-create/metadata.json b/quickstarts/microsoft.keyvault/key-vault-create/metadata.json
@@ -6,5 +6,13 @@
   "summary": "This template creates a Key Vault with Azure RBAC authorization and a secret stored inside the key vault.",
   "githubUsername": "seanbamsft",
   "docOwner": "mumian",
-  "dateUpdated": "2026-04-10"
+  "dateUpdated": "2026-05-13",
+  "validationType": "Manual",
+  "testResult": {
+    "deployments": {
+      "templateFileName": "main.bicep",
+      "correlationId": "08a19c7d-365d-455d-bbac-4de41d42a718",
+      "deploymentName": "kvc-deploy-2b2b8b3f"
+    }
+  }
 }
