New Key Vault creation fails due to purge protection validation error

[pseckar]

Describe the bug

When creating new Key Vault with a name that does not exist, the deployment using az cli fails due to error. I am using Bicep and I am setting the enablePurgeProtection to false. Previously, I have set it to true for a vault with different name in the same resource group.

Related command

az deployment group create --resource-group <rg> --parameters <path-to-bicepparam>

Errors

The property \"enablePurgeProtection\" cannot be set to false. Enabling the purge protection for a vault is an irreversible action.

Issue script & Debug output

Part of the ARM json:

"keyVault": {
              "type": "Microsoft.KeyVault/vaults",
              "apiVersion": "2025-05-01",
              "name": "[__bicep.sanitizeResourceName(format('{0}-{1}', variables('resourcePrefix'), parameters('resourceName')))]",
              "location": "[parameters('location')]",
              "tags": "[parameters('tags')]",
              "properties": {
                "sku": {
                  "name": "standard",
                  "family": "A"
                },
                "tenantId": "[subscription().tenantId]",
                "enableRbacAuthorization": true,
                "enablePurgeProtection": false,
                "softDeleteRetentionInDays": 90
              }
            }

Expected behavior

I am able to create Key Vault with unused name and disabled purge protection.

Environment Summary

azure-cli 2.78.0

core 2.78.0
telemetry 1.1.0

Extensions:
azure-iot 0.21.5

Dependencies:
msal 1.34.0b1
azure-mgmt-resource 23.3.0

Python location 'C:\Program Files\Microsoft SDKs\Azure\CLI2\python.exe'
Config directory 'C:\Users<username>.azure'
Extensions directory 'C:\Users<username>.azure\cliextensions'

Python (Windows) 3.13.7 (tags/v3.13.7:bcee1c3, Aug 14 2025, 14:15:11) [MSC v.1944 64 bit (AMD64)]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

No response

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Keyvault creation without purge protection fails #13006
• Command az keyvault create should not allow setting enable-purge-protection to false #28586

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

It is not expected behavior. It is a bug and change is on the way. It will be available in few days.

Reference:

• Keyvault creation without purge protection fails #13006 (comment)

Solution 2:

Thank you for opening this issue, we will look into it.

Reference:

• Command az keyvault create should not allow setting enable-purge-protection to false #28586 (comment)

Powered by issue-sentinel

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.

[microsoft-github-policy-service]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Azure/deployments-owners.

[pseckar]

I've realized that the problem is that for property enablePurgeProtection the value false is never valid, not even in case the vault would be created brand new. Solution is to skip enablePurgeProtection in the specs entirely, and since the default value is false then the outcome is the same. The property's purpose seems to be to only enable the protection.

As a result, this is not strictly a bug, rather an unexpected behavior that is not well documented. However I'll close this ticket with this resolution.