Purge a Soft-Deleted Azure Key Vault

If you came here you probably already know that deleting a Key Vault in Azure is not as easy as it sounds. Sure, it’s gone from the Azure portal. However, when you try to create a new one with the same name, you’ll find out that it was not fully deleted.

This is by design. Azure’s soft-delete feature retains deleted Key Vaults for 90 days so you can recover them if the deletion was accidental. Since February 2025, soft-delete is mandatory and cannot be disabled.

The following recipe shows how to get rid of the Key Vault for good. This is irreversible — a purged vault and all its secrets, keys, and certificates are permanently gone.

Step 1. Install Azure CLI. The example below uses Homebrew on macOS.

brew update && brew install azure-cli

Step 2. Login and list soft-deleted Key Vaults. If you have multiple subscriptions, use --subscription to target the right one.

az login
az keyvault list-deleted

Step 3. Purge it. If the command fails, try adding --location <region> — some tenants require it.

az keyvault purge --name <keyvault-name>
# or, if location is required:
az keyvault purge --name <keyvault-name> --location <region>