Azure / azure-cli

Azure Command-Line Interface
MIT License

Unable to create KeyVault with purge protection disabled #29115

Open fxierh opened 2 months ago

fxierh commented 2 months ago

Describe the bug

First, --enable-purge-protection cannot be set to false:

$ az keyvault create -n ... -g ... -l eastus --enable-purge-protection false
(BadRequest) The property "enablePurgeProtection" cannot be set to false. Enabling the purge protection for a vault is an irreversible action.
Code: BadRequest
Message: The property "enablePurgeProtection" cannot be set to false. Enabling the purge protection for a vault is an irreversible action.

Second, unsetting --enable-purge-protection appears to be the same as setting it to true:

$ az keyvault create -n ... -g ... -l eastus --enable-rbac-authorization false 
{
...
    "enablePurgeProtection": null,
...
}
$ az keyvault set-policy -n ... --key-permissions create decrypt encrypt get --spn ...
...
$ az keyvault key create --vault-name ... --name ... --protection software
...
$ az keyvault delete -n ...
...
# Try to re-create a KV with the same name after a couple of minutes
$ az keyvault create -n ... -g ... -l eastus --enable-rbac-authorization false 
(ConflictError) A vault with the same name already exists in deleted state. You need to either recover or purge existing key vault. Follow this link https://go.microsoft.com/fwlink/?linkid=2149745 for more information on soft delete.
Code: ConflictError
Message: A vault with the same name already exists in deleted state. You need to either recover or purge existing key vault. Follow this link https://go.microsoft.com/fwlink/?linkid=2149745 for more information on soft delete.

Related command

az keyvault create

Errors

See above.

Issue script & Debug output

See above.

Expected behavior

Should be able to disable purge protection.

Environment Summary

$ az --version
azure-cli                         2.61.0

core                              2.61.0
telemetry                          1.1.0

Additional context

No response

yonzhan commented 2 months ago

Thank you for opening this issue, we will look into it.
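
An added example, not part of the issue thread or the azure-cli code base: a small audit helper that reads vault JSON and reports whether purge protection is on and what options exist for reusing a soft-deleted vault's name, following the "recover or purge" wording of the ConflictError quoted above. The vault names, dates and the `purgeProtectionEnabled` / `scheduledPurgeDate` field names for deleted vaults are assumptions; the sample data is constructed.

```python
import json

# Constructed samples. LIVE mirrors the `az keyvault create` output quoted in the
# issue; DELETED uses field names assumed for `az keyvault list-deleted` output.
LIVE = json.loads(
    '{"name": "kv-example", "properties": {"enablePurgeProtection": null}}'
)
DELETED = json.loads("""[
  {"name": "kv-example", "properties": {"purgeProtectionEnabled": null,
   "scheduledPurgeDate": "2024-09-01T00:00:00+00:00"}},
  {"name": "kv-locked", "properties": {"purgeProtectionEnabled": true,
   "scheduledPurgeDate": "2024-09-01T00:00:00+00:00"}}
]""")

# The flag is spelled differently on live and deleted vault records (assumed).
FLAG_KEYS = ("enablePurgeProtection", "purgeProtectionEnabled")


def purge_protection_enabled(vault):
    """Only a literal true counts; null or a missing key means not enabled."""
    props = vault.get("properties") or {}
    return any(props.get(key) is True for key in FLAG_KEYS)


def name_reuse_options(name, deleted_vaults):
    """Say what holds `name`, given the list of soft-deleted vaults."""
    for vault in deleted_vaults:
        if vault["name"] != name:
            continue
        if purge_protection_enabled(vault):
            when = vault["properties"]["scheduledPurgeDate"]
            return (f"{name}: soft-deleted, purge protected; "
                    f"recover it or wait until {when}")
        return f"{name}: soft-deleted, not purge protected; recover it or purge it"
    return f"{name}: no soft-deleted vault holds this name"


if __name__ == "__main__":
    print("purge protection on live vault:", purge_protection_enabled(LIVE))
    for candidate in ("kv-example", "kv-locked", "kv-new"):
        print(name_reuse_options(candidate, DELETED))
```
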