From 37aba3eb70152c770f30e7650d42bf9b375a9e84 Mon Sep 17 00:00:00 2001 From: Matthew Baldwin <5092332+msmbaldwin@users.noreply.github.com> Date: Wed, 13 May 2026 11:32:09 -0700 Subject: [PATCH] Enable purge protection on key-vault-key-create vault Adds enablePurgeProtection: true to the vault in key-vault-key-create/main.bicep (and the regenerated azuredeploy.json). Without purge protection, soft-deleted vault contents can be permanently destroyed during the soft-delete retention window. Enabling purge protection guarantees the configured retention window is honored, which is the recommended Key Vault security baseline. Validation: - correlationId: 7347912a-341a-4d51-b344-9463a89d7a19 - deploymentName: kvk-deploy-e0068887 - region: eastus - provisioningState: Succeeded metadata.json updated with validationType: Manual and the testResult.deployments block. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../key-vault-key-create/azuredeploy.json | 3 ++-
 .../microsoft.keyvault/key-vault-key-create/main.bicep | 1 +
 .../key-vault-key-create/metadata.json | 10 +++++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/quickstarts/microsoft.keyvault/key-vault-key-create/azuredeploy.json b/quickstarts/microsoft.keyvault/key-vault-key-create/azuredeploy.json
index 3bb007602a80..edfd3b412580 100644
--- a/quickstarts/microsoft.keyvault/key-vault-key-create/azuredeploy.json
+++ b/quickstarts/microsoft.keyvault/key-vault-key-create/azuredeploy.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.42.1.51946",
- "templateHash": "4335991112049834035"
+ "templateHash": "9113739717796369919"
 }
 },
 "parameters": {
@@ -91,6 +91,7 @@
 "enableRbacAuthorization": true,
 "enableSoftDelete": true,
 "softDeleteRetentionInDays": 90,
+ "enablePurgeProtection": true,
 "enabledForDeployment": false,
 "enabledForDiskEncryption": false,
 "enabledForTemplateDeployment": false,
diff --git a/quickstarts/microsoft.keyvault/key-vault-key-create/main.bicep b/quickstarts/microsoft.keyvault/key-vault-key-create/main.bicep
index a07d9d1d31b0..23fd6ac2873e 100644
--- a/quickstarts/microsoft.keyvault/key-vault-key-create/main.bicep
+++ b/quickstarts/microsoft.keyvault/key-vault-key-create/main.bicep
@@ -46,6 +46,7 @@ resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
 enableRbacAuthorization: true
 enableSoftDelete: true
 softDeleteRetentionInDays: 90
+ enablePurgeProtection: true
 enabledForDeployment: false
 enabledForDiskEncryption: false
 enabledForTemplateDeployment: false
diff --git a/quickstarts/microsoft.keyvault/key-vault-key-create/metadata.json b/quickstarts/microsoft.keyvault/key-vault-key-create/metadata.json
index 8f50ae72a337..475646fded02 100644
--- a/quickstarts/microsoft.keyvault/key-vault-key-create/metadata.json
+++ b/quickstarts/microsoft.keyvault/key-vault-key-create/metadata.json
@@ -6,5 +6,13 @@
 "summary": "This template creates a Key Vault with Azure RBAC authorization and a key stored inside the key vault.",
 "githubUsername": "msmbaldwin",
 "docOwner": "msmbaldwin",
- "dateUpdated": "2026-04-10"
+ "dateUpdated": "2026-05-13",
+ "validationType": "Manual",
+ "testResult": {
+ "deployments": {
+ "templateFileName": "main.bicep",
+ "correlationId": "7347912a-341a-4d51-b344-9463a89d7a19",
+ "deploymentName": "kvk-deploy-e0068887"
+ }
+ }
 }
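Review bot: The added `enablePurgeProtection: true` in the `vault` resource of main.bicep has no comment explaining its operational consequence, which matters in a quickstart that people deploy and tear down repeatedly. Purge protection cannot be switched off once set, and with `softDeleteRetentionInDays: 90` two lines above, a deleted vault cannot be purged and keeps its name reserved until the retention period ends. A redeploy under the same vault name would then fail unless the soft-deleted vault is recovered first; how the name is chosen is not visible in this hunk. I would add a comment above the property, for example `// Irreversible once set: a deleted vault cannot be purged and its name stays reserved for softDeleteRetentionInDays`. The resource body starts and ends outside the hunk, and the same property is mirrored in the regenerated azuredeploy.json.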