Recover Deleted Key Vault in Azure

Azure Key Vault is a cloud service for storing and securely accessing secrets. A secret can be anything we want to protect, such as API keys or credentials. Data is encrypted while it moves between the key vault and a client application, which makes it more secure. Have you accidentally deleted a Key Vault from a resource group? In this article, we will see how to recover a deleted key vault in Azure using the Az PowerShell cmdlets.

Prerequisites

1. An Azure subscription with access to deploy Azure resources.
2. The Az PowerShell module installed on the local machine.
3. Azure Key Vault soft-delete enabled on the vaults to be recovered.

What is a key vault soft-delete?

Key Vault’s soft-delete feature enables the recovery of deleted vaults and deleted key vault objects (keys, secrets, and certificates). Microsoft Azure retains a soft-deleted key vault for a specified period (90 days by default), and the service provides a mechanism to recover the deleted object during that period.

How to restore a deleted key vault?

Follow the three steps below to recover a soft-deleted Azure Key Vault using the Az PowerShell module.

1. Connect to the Azure account

Execute the below command in PowerShell to connect to a specific Azure Tenant.


2. Check what key vaults are eligible for recovery

Let us now check which Azure Key Vaults are eligible for recovery from the deleted state. The command below lists all key vaults soft-deleted in the last 90 days. Specify the VaultName parameter to check a specific key vault for recovery, or specify the Location parameter to check all eligible vaults from a particular location within the logged-in tenant.

Get-AzKeyVault -InRemovedState

3. Undo key vault deletion

Run the below command to recover a specific soft deleted key vault from a particular location and resource group.

Undo-AzKeyVaultRemoval -VaultName VaultName -ResourceGroupName ResourceGroupName -Location Location

We have just seen how to recover a deleted key vault in Azure.
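The three steps above can be combined into one script. This is an added example, not code from the original article; the parameter values are placeholders you supply. It reads the original resource group from the deleted vault's ResourceId and recreates the group if it is missing, assuming the vault's own location is acceptable for the recreated group.

```powershell
# Added example: recover one soft-deleted key vault end to end.
# TenantId, SubscriptionId and VaultName are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $VaultName
)
$ErrorActionPreference = 'Stop'

# Step 1: sign in to the tenant and subscription that owned the vault.
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null

# Step 2: look for the vault among the subscription's soft-deleted vaults.
$deleted = Get-AzKeyVault -InRemovedState | Where-Object VaultName -eq $VaultName
if (-not $deleted) {
    throw "No soft-deleted vault named '$VaultName' was found; it may already be purged."
}
"{0}: deleted {1:u}, scheduled purge {2:u}" -f `
    $deleted.VaultName, $deleted.DeletionDate, $deleted.ScheduledPurgeDate

# The deleted-vault record keeps the original resource ID, which names the
# resource group the vault lived in.
if ($deleted.ResourceId -notmatch '/resourceGroups/(?<rg>[^/]+)/') {
    throw "Cannot read the resource group from '$($deleted.ResourceId)'."
}
$resourceGroup = $Matches['rg']

# If the resource group was deleted together with the vault, recreate it
# under the same name first. Assumption: the vault's location is reused
# for the recreated group.
if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $deleted.Location | Out-Null
}

# Step 3: undo the deletion.
Undo-AzKeyVaultRemoval -VaultName $VaultName `
    -ResourceGroupName $resourceGroup -Location $deleted.Location | Out-Null

# Confirm the vault is back and show its deletion-protection settings.
Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $resourceGroup |
    Select-Object VaultName, ResourceGroupName, Location,
                  EnableSoftDelete, EnablePurgeProtection
```

After recovery, review the vault's access configuration and the EnablePurgeProtection value in the final output before putting the vault back into use.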

How to recover deleted key vault objects?

Follow the quick steps below to recover soft-deleted key vault keys, secrets, or certificates.

  1. Log in to the Azure portal.
  2. Navigate to the key vault containing soft-deleted secrets, keys, or certificates.
  3. Select the blade corresponding to the secret type you want to manage (keys, secrets, or certificates).
  4. At the top of the screen, click on “Manage deleted (keys, secrets, or certificates)”.
  5. A context pane will appear on the right side of your screen.
  6. Select the secret, key, or certificate you want to recover and select the recovery option.

Pro tips:
1. If you have also deleted the resource group along with the Key Vault, you need to create a resource group with the same name before recovering the Key Vault.
2. The soft-delete feature in Azure Key Vault will be compulsory by February 2025.

Kunal Rathi
