Azure Resource Graph sample queries for Azure Key Vault

This page is a collection of Azure Resource Graph sample queries for Azure Key Vault.

Sample queries

Count key vault resources

This query uses count instead of summarize to count the number of records returned. Only key vaults are included in the count.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| count
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | count"

Key vaults without soft delete enabled

This query identifies key vaults that don't have soft delete enabled, which is a critical security feature that allows recovery of deleted key vault objects.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| where properties.enableSoftDelete == false or isnull(properties.enableSoftDelete)
| project name, resourceGroup, subscriptionId, location, properties.enableSoftDelete
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | where properties.enableSoftDelete == false or isnull(properties.enableSoftDelete) | project name, resourceGroup, subscriptionId, location, properties.enableSoftDelete"

Key vaults without purge protection enabled

This query finds key vaults that don't have purge protection enabled. Purge protection is recommended for production environments to prevent permanent deletion of key vault objects during the retention period.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection == false
| project name, resourceGroup, subscriptionId, location, softDeleteEnabled = properties.enableSoftDelete, purgeProtectionEnabled = properties.enablePurgeProtection
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | where isnull(properties.enablePurgeProtection) or properties.enablePurgeProtection == false | project name, resourceGroup, subscriptionId, location, softDeleteEnabled = properties.enableSoftDelete, purgeProtectionEnabled = properties.enablePurgeProtection"

Key vaults using RBAC authorization

This query lists key vaults that use Azure RBAC for authorization instead of access policies. RBAC authorization is the recommended approach for managing access to the key vault data plane.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend rbacEnabled = properties.enableRbacAuthorization
| project name, resourceGroup, subscriptionId, location, rbacEnabled
| where rbacEnabled == true
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend rbacEnabled = properties.enableRbacAuthorization | project name, resourceGroup, subscriptionId, location, rbacEnabled | where rbacEnabled == true"

Key vaults with public network access enabled

This query identifies key vaults that allow public network access. For enhanced security, consider restricting access to specific networks or using private endpoints.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend networkDefaultAction = tostring(properties.networkAcls.defaultAction)
| where networkDefaultAction =~ 'Allow' or isempty(networkDefaultAction)
| project name, resourceGroup, subscriptionId, location, networkDefaultAction
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend networkDefaultAction = tostring(properties.networkAcls.defaultAction) | where networkDefaultAction =~ 'Allow' or isempty(networkDefaultAction) | project name, resourceGroup, subscriptionId, location, networkDefaultAction"

Key vaults security configuration summary

This query provides a comprehensive security posture summary for all key vaults, including soft delete status, purge protection, RBAC authorization, and network settings.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend 
    softDeleteEnabled = tobool(properties.enableSoftDelete),
    purgeProtectionEnabled = tobool(properties.enablePurgeProtection),
    rbacEnabled = tobool(properties.enableRbacAuthorization),
    networkDefaultAction = tostring(properties.networkAcls.defaultAction),
    sku = tostring(properties.sku.name)
| project name, resourceGroup, subscriptionId, location, sku, softDeleteEnabled, purgeProtectionEnabled, rbacEnabled, networkDefaultAction
| order by name asc
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend softDeleteEnabled = tobool(properties.enableSoftDelete), purgeProtectionEnabled = tobool(properties.enablePurgeProtection), rbacEnabled = tobool(properties.enableRbacAuthorization), networkDefaultAction = tostring(properties.networkAcls.defaultAction), sku = tostring(properties.sku.name) | project name, resourceGroup, subscriptionId, location, sku, softDeleteEnabled, purgeProtectionEnabled, rbacEnabled, networkDefaultAction | order by name asc"
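Added example, not part of the original page: a Python post-processor for the output of the summary query above, which also covers the soft delete, purge protection and public network access queries. It assumes `az graph query ... -o json` returns the result rows under a `data` key, and it uses constructed sample rows. The point it makes is the one behind those queries: a property that is absent from the resource arrives as null after tobool() and as an empty string after tostring(), and absent means the protection was never enabled, so the checks treat missing values as failures rather than skipping them.

```python
import json

# Constructed sample rows in the shape the summary query above returns
# (assumed: `az graph query -q "..." -o json` puts the result rows under "data").
# tobool() of an absent property arrives as null, tostring() of one as "".
SAMPLE_OUTPUT = json.dumps({
    "data": [
        {"name": "kv-prod-01", "resourceGroup": "rg-prod",
         "subscriptionId": "00000000-0000-0000-0000-000000000001", "location": "eastus",
         "sku": "premium", "softDeleteEnabled": True, "purgeProtectionEnabled": True,
         "rbacEnabled": True, "networkDefaultAction": "Deny"},
        {"name": "kv-dev-01", "resourceGroup": "rg-dev",
         "subscriptionId": "00000000-0000-0000-0000-000000000002", "location": "westus",
         "sku": "standard", "softDeleteEnabled": True, "purgeProtectionEnabled": None,
         "rbacEnabled": False, "networkDefaultAction": "Allow"},
        {"name": "kv-legacy", "resourceGroup": "rg-legacy",
         "subscriptionId": "00000000-0000-0000-0000-000000000003", "location": "eastus",
         "sku": "standard", "softDeleteEnabled": None, "purgeProtectionEnabled": None,
         "rbacEnabled": None, "networkDefaultAction": ""},
    ],
    "total_records": 3,
})

# Each check returns True when the vault FAILS it. `is not True` deliberately
# counts a missing (None) property as a failure, the same way the queries above
# pair `== false` with isnull(): absent means never enabled.
CHECKS = {
    "soft-delete-disabled": lambda v: v.get("softDeleteEnabled") is not True,
    "purge-protection-disabled": lambda v: v.get("purgeProtectionEnabled") is not True,
    "access-policies-instead-of-rbac": lambda v: v.get("rbacEnabled") is not True,
    # No networkAcls block at all means the vault is reachable from any network.
    "public-network-access": lambda v: (v.get("networkDefaultAction") or "").lower() in ("", "allow"),
}


def assess(output_json):
    """Return {vault_id: [failed check names]} for every vault that fails at least one check."""
    findings = {}
    for row in json.loads(output_json)["data"]:
        vault_id = f"{row['subscriptionId']}/{row['resourceGroup']}/{row['name']}"
        failed = [name for name, check in CHECKS.items() if check(row)]
        if failed:
            findings[vault_id] = failed
    return findings


if __name__ == "__main__":
    for vault_id, failed in assess(SAMPLE_OUTPUT).items():
        print(f"{vault_id}: {', '.join(failed)}")
```

To run it against a real tenant, pipe the summary query's `az graph query -o json` output into `assess` instead of `SAMPLE_OUTPUT`; Resource Graph pages results, so fetch all pages before assessing.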

Key vaults by location

This query counts key vaults grouped by Azure region, which is useful for understanding the geographic distribution of your key management resources.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| summarize count() by location
| order by count_ desc
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | summarize count() by location | order by count_ desc"

Key vaults by SKU type

This query groups key vaults by their SKU tier (standard or premium). Premium SKUs are required for HSM-protected keys.

Resources
| where type =~ 'microsoft.keyvault/vaults'
| extend skuName = tostring(properties.sku.name)
| summarize count() by skuName
az graph query -q "Resources | where type =~ 'microsoft.keyvault/vaults' | extend skuName = tostring(properties.sku.name) | summarize count() by skuName"

Key vaults with subscription name

The following query shows a complex use of join with kind as leftouter. It limits the joined table to subscription resources and uses project to include only the original field subscriptionId and the name field renamed to SubName. The rename prevents join from adding the column as name1, since a name field already exists in Resources. The original table is filtered with where, and the final project includes columns from both tables. The result is all key vaults, showing the type, the name of the key vault, and the name of the subscription it's in.

Resources
| join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| where type == 'microsoft.keyvault/vaults'
| project type, name, SubName
az graph query -q "Resources | join kind=leftouter (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId | where type == 'microsoft.keyvault/vaults' | project type, name, SubName"
