Mandatory Azure Key Vault Purge Protection for TDE BYOK in Azure SQL DB and Managed Instance

As of April 2022, soft-delete and purge protection must be enabled on the key vault before Transparent Data Encryption (TDE) with a Customer Managed Key (CMK) can be configured on an Azure SQL server or managed instance.

Previously, purge protection for TDE with CMK in Azure SQL was recommended but optional: it had to be switched on manually because it was not a mandatory requirement.

What does this mean for you?

With soft-delete and purge protection enabled on the key vaults backing all databases, protection against malicious or accidental deletion of a key vault is increased. No one within the organisation or at Microsoft will be able to purge your key vaults during the soft-delete retention period.

To avoid inconvenience, be sure to turn on purge protection for all your key vaults. As of April 1st, if it is not enabled and you attempt to set a key from the same vault as the TDE Protector, you will receive an error message requiring you to turn on purge protection and then redo your operation.

Find out more

Full documentation is available here: Azure Key Vault soft-delete | Microsoft Docs. You can also use a built-in Azure policy to audit your key vaults and discover which do not already have purge protection enabled.
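As an added example (not part of the original post or any Microsoft tooling), the script below audits the output of `az keyvault list -o json` for vaults that would fail this requirement and prints the `az keyvault update --enable-purge-protection true` command for each one. The vault names, resource groups and JSON sample are constructed for illustration.

```python
import json

# Constructed sample of `az keyvault list -o json` output (not a real tenant):
# one compliant vault, one with soft-delete but no purge protection, and one
# legacy vault with neither setting present.
SAMPLE_AZ_KEYVAULT_LIST = json.dumps([
    {"name": "kv-tde-prod", "resourceGroup": "rg-sql",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": True,
                    "softDeleteRetentionInDays": 90}},
    {"name": "kv-tde-dev", "resourceGroup": "rg-sql",
     "properties": {"enableSoftDelete": True, "enablePurgeProtection": False,
                    "softDeleteRetentionInDays": 7}},
    {"name": "kv-legacy", "resourceGroup": "rg-old",
     "properties": {"enableSoftDelete": False}},
])


def find_unprotected_vaults(az_list_json: str) -> list[dict]:
    """Return vaults that would fail the TDE CMK requirement: soft-delete off
    or purge protection not enabled (a missing key counts as not enabled)."""
    findings = []
    for vault in json.loads(az_list_json):
        props = vault.get("properties", {})
        soft_delete = bool(props.get("enableSoftDelete"))
        purge = bool(props.get("enablePurgeProtection"))
        if soft_delete and purge:
            continue
        findings.append({"name": vault["name"],
                         "resourceGroup": vault.get("resourceGroup"),
                         "softDelete": soft_delete,
                         "purgeProtection": purge})
    return findings


def remediation_commands(findings: list[dict]) -> list[str]:
    """Build the `az keyvault update` calls that enable purge protection.
    Purge protection is irreversible once enabled and depends on soft-delete,
    so vaults without soft-delete are reported instead of updated."""
    cmds = []
    for f in findings:
        if not f["softDelete"]:
            cmds.append(f"# {f['name']}: enable soft-delete first; "
                        "purge protection requires it")
            continue
        cmds.append(f"az keyvault update --name {f['name']} "
                    f"--resource-group {f['resourceGroup']} "
                    "--enable-purge-protection true")
    return cmds


if __name__ == "__main__":
    for line in remediation_commands(find_unprotected_vaults(SAMPLE_AZ_KEYVAULT_LIST)):
        print(line)
```

Run the printed commands only after confirming the vault list, since purge protection cannot be switched off again once enabled.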

