AZ-204 – Question 138

You are developing an application to transfer data between on-premises file servers and Azure Blob storage. The application stores keys, secrets, and certificates in Azure Key Vault and makes use of the Azure Key Vault APIs.

You want to configure the application to allow recovery of an accidental deletion of the key vault or key vault objects for 90 days after deletion.

What should you do?

A. Run the Add-AzKeyVaultKey cmdlet.
B. Run the az keyvault update –enable-soft-delete true –enable-purge-protection true CLI.
C. Implement virtual network service endpoints for Azure Key Vault.
D. Run the az keyvault update –enable-soft-delete false CLI.

Correct Answer: B

When soft-delete is enabled, resources marked as deleted resources are retained for a specified period (90 days by default). The service further provides a mechanism for recovering the deleted object, essentially undoing the deletion.
Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.
When purge protection is on, a vault or an object in the deleted state cannot be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.
The default retention period is 90 days, but it is possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and saved it cannot be changed for that vault.