From 94ea243a8c9f2887fd3e582490cb4d4eeb57cf7c Mon Sep 17 00:00:00 2001 From: Matthew Baldwin <5092332+msmbaldwin@users.noreply.github.com> Date: Wed, 13 May 2026 11:32:09 -0700 Subject: [PATCH] Enable purge protection on key-vault-create vault Adds enablePurgeProtection: true to the vault in key-vault-create/main.bicep (and the regenerated azuredeploy.json). Without purge protection, soft-deleted vault contents can be permanently destroyed during the soft-delete retention window. Enabling purge protection guarantees the configured retention window is honored, which is the recommended Key Vault security baseline. Validation: - correlationId: 08a19c7d-365d-455d-bbac-4de41d42a718 - deploymentName: kvc-deploy-2b2b8b3f - region: eastus - provisioningState: Succeeded metadata.json updated with validationType: Manual and the testResult.deployments block. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../key-vault-create/azuredeploy.json | 3 ++- .../microsoft.keyvault/key-vault-create/main.bicep | 1 + .../microsoft.keyvault/key-vault-create/metadata.json | 10 +++++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json b/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json index e6d4c8fd6e19..977115c55918 100644 --- a/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json +++ b/quickstarts/microsoft.keyvault/key-vault-create/azuredeploy.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.42.1.51946", - "templateHash": "9714026315215760608" + "templateHash": "5424899472990749957" } }, "parameters": { @@ -88,6 +88,7 @@ "tenantId": "[parameters('tenantId')]", "enableSoftDelete": true, "softDeleteRetentionInDays": 90, + "enablePurgeProtection": true, "sku": { "name": "[parameters('skuName')]", "family": "A" 
diff --git a/quickstarts/microsoft.keyvault/key-vault-create/main.bicep b/quickstarts/microsoft.keyvault/key-vault-create/main.bicep
index 0da59bac4ca9..9aa5db06a7be 100644
--- a/quickstarts/microsoft.keyvault/key-vault-create/main.bicep
+++ b/quickstarts/microsoft.keyvault/key-vault-create/main.bicep
@@ -41,6 +41,7 @@ resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
 tenantId: tenantId
 enableSoftDelete: true
 softDeleteRetentionInDays: 90
+ enablePurgeProtection: true
 sku: {
 name: skuName
 family: 'A'
diff --git a/quickstarts/microsoft.keyvault/key-vault-create/metadata.json b/quickstarts/microsoft.keyvault/key-vault-create/metadata.json
index 83e4c2c0c2c4..bf897b7fc7a1 100644
--- a/quickstarts/microsoft.keyvault/key-vault-create/metadata.json
+++ b/quickstarts/microsoft.keyvault/key-vault-create/metadata.json
@@ -6,5 +6,13 @@
 "summary": "This template creates a Key Vault with Azure RBAC authorization and a secret stored inside the key vault.",
 "githubUsername": "seanbamsft",
 "docOwner": "mumian",
- "dateUpdated": "2026-04-10"
+ "dateUpdated": "2026-05-13",
+ "validationType": "Manual",
+ "testResult": {
+ "deployments": {
+ "templateFileName": "main.bicep",
+ "correlationId": "08a19c7d-365d-455d-bbac-4de41d42a718",
+ "deploymentName": "kvc-deploy-2b2b8b3f"
+ }
+ }
 }
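Review bot: The added `enablePurgeProtection: true` in main.bicep carries no comment, and it is a one-way setting: Azure does not allow purge protection to be turned off once a vault has it, and a deleted vault then cannot be purged until the retention period (`softDeleteRetentionInDays: 90` just above) has run out. For a quickstart that people deploy and tear down repeatedly, the vault name stays reserved for the full window, and a redeploy under the same name will presumably fail unless the soft-deleted vault is recovered first. I would document this on the line itself, e.g. `// Irreversible once set: a deleted vault cannot be purged and its name stays reserved until the 90-day retention ends.`, and mention it in the sample's README if one exists. The `resource kv` body starts and ends outside the hunk, so I cannot see whether the vault name is parameterised or fixed.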