Azure / azure-powershell

Microsoft Azure PowerShell

SoftDeleteRetentionInDays parameter value not being passed to ARM #21231

Closed Alfonso-Rey closed 1 year ago

Alfonso-Rey commented 1 year ago

Description

When we deploy Key Vaults via PS on Windows or Azure Shell:

New-AzKeyVault -Name "ps-keyvault01" -ResourceGroupName "terrformKeyvault" -Location "uksouth" -SoftDeleteRetentionInDays 90

Issue script & Debug output

PS C:\> New-AzKeyVault -Name "ps-keyvault01" -ResourceGroupName "terrformKeyvault" -Location "uksouth" -SoftDeleteRetentionInDays 90
DEBUG: 11:11:04 - NewAzureKeyVault begin processing with ParameterSet '__AllParameterSets'.
DEBUG: 11:11:04 - using account id 'alfonsorey@microsoft.com'...
DEBUG: 11:11:04 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: [Common.Authentication]: Authenticating using Account: 'alfonsorey@microsoft.com', environment: 'AzureCloud', tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47'
DEBUG: 11:11:04 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'72f988bf-86f1-41af-91ab-2d7cd011db47', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/',
UserId:'alfonsorey@microsoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - ce5d4707-0e61-4e5f-b7f1-8ff0450b52ee] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - ce5d4707-0e61-4e5f-b7f1-8ff0450b52ee] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - ce5d4707-0e61-4e5f-b7f1-8ff0450b52ee] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - ce5d4707-0e61-4e5f-b7f1-8ff0450b52ee] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - ce5d4707-0e61-4e5f-b7f1-8ff0450b52ee] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 0434b048-f057-473d-9a31-db9654343606] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(850976f6-cafa-4486-ac1f-b772cdbb5f7d)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 850976f6-cafa-4486-ac1f-b772cdbb5f7d
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] === Token Acquisition (SilentRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] Access token is not expired. Returning the found cache entry. [Current time (03/17/2023 10:11:04) - Expiration Time (03/17/2023 10:40:32
+00:00) - Extended Expiration Time (03/17/2023 10:40:32 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 850976f6-cafa-4486-ac1f-b772cdbb5f7d]  AT expiration time: 17/03/2023 10:40:32 +00:00, scopes: https://management.core.windows.net//user_impersonation
https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-03-17T10:40:32.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47', UserId: 'alfonsorey@microsoft.com'
DEBUG: [Common.Authentication]: Authenticating using Account: 'alfonsorey@microsoft.com', environment: 'AzureCloud', tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47'
DEBUG: 11:11:04 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'72f988bf-86f1-41af-91ab-2d7cd011db47', Scopes:'https://management.core.windows.net//.default', AuthorityHost:'https://login.microsoftonline.com/',
UserId:'alfonsorey@microsoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 81774502-4fbf-4f2e-aa4e-8d6f30ada2a2] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 81774502-4fbf-4f2e-aa4e-8d6f30ada2a2] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 81774502-4fbf-4f2e-aa4e-8d6f30ada2a2] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 81774502-4fbf-4f2e-aa4e-8d6f30ada2a2] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 81774502-4fbf-4f2e-aa4e-8d6f30ada2a2] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - 082e7e93-fc50-4b29-b533-fe754d295e80] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(f54ffea3-eea2-4ee7-8e5f-612ec633b26c)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c]
=== Request Data ===
Authority Provided? - True
Scopes - https://management.core.windows.net//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - f54ffea3-eea2-4ee7-8e5f-612ec633b26c
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] === Token Acquisition (SilentRequest) started:
  Scopes: https://management.core.windows.net//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] Access token is not expired. Returning the found cache entry. [Current time (03/17/2023 10:11:04) - Expiration Time (03/17/2023 10:40:32
+00:00) - Extended Expiration Time (03/17/2023 10:40:32 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:04Z - f54ffea3-eea2-4ee7-8e5f-612ec633b26c]  AT expiration time: 17/03/2023 10:40:32 +00:00, scopes: https://management.core.windows.net//user_impersonation
https://management.core.windows.net//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:  ExpiresOn: 2023-03-17T10:40:32.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47', UserId: 'alfonsorey@microsoft.com'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resources?$filter=resourceType eq 'Microsoft.KeyVault/vaults'&api-version=2016-09-01

Headers:
x-ms-client-request-id        : 01d6eb7d-e6c3-47ec-9693-573cc584520c
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-request-id               : 0f82b14b-6cc9-49ca-a748-d1823ec9f287
x-ms-correlation-request-id   : 0f82b14b-6cc9-49ca-a748-d1823ec9f287
x-ms-routing-request-id       : FRANCESOUTH:20230317T101106Z:0f82b14b-6cc9-49ca-a748-d1823ec9f287
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Cache-Control                 : no-cache
Date                          : Fri, 17 Mar 2023 10:11:06 GMT

Body:
{
  "value": [
    {
      "id": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/kv-terraform05",
      "name": "kv-terraform05",
      "type": "Microsoft.KeyVault/vaults",
      "location": "uksouth",
      "tags": {}
    },
    {
      "id": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/kv-terraform06",
      "name": "kv-terraform06",
      "type": "Microsoft.KeyVault/vaults",
      "location": "uksouth",
      "tags": {}
    },
    {
      "id": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/kv-terraform07",
      "name": "kv-terraform07",
      "type": "Microsoft.KeyVault/vaults",
      "location": "uksouth",
      "tags": {}
    },
    {
      "id": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/kv-terraform08",
      "name": "kv-terraform08",
      "type": "Microsoft.KeyVault/vaults",
      "location": "uksouth",
      "tags": {}
    }
  ]
}

DEBUG: [Common.Authentication]: Authenticating using Account: 'alfonsorey@microsoft.com', environment: 'AzureCloud', tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47'
DEBUG: 11:11:06 - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync - TenantId:'72f988bf-86f1-41af-91ab-2d7cd011db47', Scopes:'https://graph.microsoft.com//.default', AuthorityHost:'https://login.microsoftonline.com/', UserId:'alfonsorey@microsoft.com'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 57d9954a-cf41-42b6-b385-03871d702522] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 57d9954a-cf41-42b6-b385-03871d702522] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 57d9954a-cf41-42b6-b385-03871d702522] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 57d9954a-cf41-42b6-b385-03871d702522] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 57d9954a-cf41-42b6-b385-03871d702522] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z] [WamBroker] WAM supported OS.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z] [WamBroker] ListWindowsWorkAndSchoolAccounts option was not enabled.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - cae05b43-fbba-4f9a-b171-d6fda638aa47] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z] Found 1 cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z] Returning 1 accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(243481db-00b3-4a3f-9490-1c3c9c10fd75)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75]
=== Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - True
HomeAccountId - False
CorrelationId - 243481db-00b3-4a3f-9490-1c3c9c10fd75
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] === Token Acquisition (SilentRequest) started:
  Scopes: https://graph.microsoft.com//.default
 Authority Host: login.microsoftonline.com
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] Access token is not expired. Returning the found cache entry. [Current time (03/17/2023 10:11:06) - Expiration Time (03/17/2023 10:54:36
+00:00) - Extended Expiration Time (03/17/2023 10:54:36 +00:00)]
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] Returning access token found in cache. RefreshOn exists ? False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75]
 === Token Acquisition finished successfully:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows 10 Enterprise [2023-03-17 10:11:06Z - 243481db-00b3-4a3f-9490-1c3c9c10fd75]  AT expiration time: 17/03/2023 10:54:36 +00:00, scopes: email openid profile https://graph.microsoft.com//AuditLog.Read.All
https://graph.microsoft.com//Directory.AccessAsUser.All https://graph.microsoft.com//.default. source: Cache
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId:  ExpiresOn: 2023-03-17T10:54:36.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '72f988bf-86f1-41af-91ab-2d7cd011db47', UserId: 'alfonsorey@microsoft.com'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/me

Headers:
x-ms-client-request-id        : 01d6eb7d-e6c3-47ec-9693-573cc584520c
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding             : chunked
Strict-Transport-Security     : max-age=31536000
request-id                    : 28574620-cdee-4780-8c64-053159a6965c
client-request-id             : 28574620-cdee-4780-8c64-053159a6965c
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"North Europe","Slice":"E","Ring":"4","ScaleUnit":"003","RoleInstance":"DB1PEPF00023935"}}
x-ms-resource-unit            : 1
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Fri, 17 Mar 2023 10:11:06 GMT

Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "businessPhones": [
    "+34 (91) 3919324"
  ],
  "displayName": "Alfonso Rey",
  "givenName": "Alfonso",
  "jobTitle": "SUPPORT ENG",
  "mail": "alfonsorey@microsoft.com",
  "mobilePhone": null,
  "officeLocation": "MADRID-LA FINCA/Mobile",
  "preferredLanguage": null,
  "surname": "Rey",
  "userPrincipalName": "alfonsorey@microsoft.com",
  "id": "505cdc4c-3e0c-4ebf-91f6-c479c0b7769e"
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/ps-keyvault01?api-version=2022-07-01

Headers:
x-ms-client-request-id        : 01d6eb7d-e6c3-47ec-9693-573cc584520c
accept-language               : en-US

Body:
{
  "location": "uksouth",
  "properties": {
    "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "sku": {
      "name": "standard",
      "family": "A"
    },
    "accessPolicies": [
      {
        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "objectId": "505cdc4c-3e0c-4ebf-91f6-c479c0b7769e",
        "permissions": {
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "certificates": [
            "all"
          ],
          "storage": [
            "all"
          ]
        }
      }
    ],
    "vaultUri": "",
    "softDeleteRetentionInDays": 90,
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Allow"
    }
  }
}

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Forbidden

Headers:
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : 34e6db75-2383-4848-9d99-96d3a1342578
x-ms-correlation-request-id   : 34e6db75-2383-4848-9d99-96d3a1342578
x-ms-routing-request-id       : FRANCESOUTH:20230317T101108Z:34e6db75-2383-4848-9d99-96d3a1342578
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Connection                    : close
Cache-Control                 : no-cache
Date                          : Fri, 17 Mar 2023 10:11:08 GMT

Body:
{
  "error": {
    "code": "RequestDisallowedByPolicy",
    "target": "ps-keyvault01",
    "message": "Resource 'ps-keyvault01' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Deny Key Vault less than 90 days of soft delete -
2301200040003891\",\"id\":\"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.Authorization/policyAssignments/23c5292621e34f81b9a3d920\"},\"policyDefinition\":{\"name\":\"Deny Key Vault less than 90 days of soft delete -
2301200040003891\",\"id\":\"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/providers/Microsoft.Authorization/policyDefinitions/cab92d23-aef3-4476-9e31-f604a9c52598\"}}]'.",
    "additionalInfo": [
      {
        "type": "PolicyViolation",
        "info": {
          "evaluationDetails": {
            "evaluatedExpressions": [
              {
                "result": "True",
                "expressionKind": "Field",
                "expression": "type",
                "path": "type",
                "expressionValue": "Microsoft.KeyVault/vaults",
                "targetValue": "Microsoft.KeyVault/vaults",
                "operator": "Equals"
              },
              {
                "result": "True",
                "expressionKind": "Field",
                "expression": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "path": "properties.enableSoftDelete",
                "targetValue": "false",
                "operator": "Exists"
              }
            ]
          },
          "policyDefinitionId": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/providers/Microsoft.Authorization/policyDefinitions/cab92d23-aef3-4476-9e31-f604a9c52598",
          "policyDefinitionName": "cab92d23-aef3-4476-9e31-f604a9c52598",
          "policyDefinitionDisplayName": "Deny Key Vault less than 90 days of soft delete - 2301200040003891",
          "policyDefinitionEffect": "deny",
          "policyAssignmentId": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.Authorization/policyAssignments/23c5292621e34f81b9a3d920",
          "policyAssignmentName": "23c5292621e34f81b9a3d920",
          "policyAssignmentDisplayName": "Deny Key Vault less than 90 days of soft delete - 2301200040003891",
          "policyAssignmentScope": "/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault",
          "policyAssignmentParameters": {}
        }
      }
    ]
  }
}

DEBUG: 11:11:09 - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
New-AzKeyVault : Resource 'ps-keyvault01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Deny Key Vault less than 90 days of soft delete -
2301200040003891","id":"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.Authorization/policyAssignments/23c5292621e34f81b9a3d920"},"policyDefinition":{"name":"Deny Key Vault less than 90 days of soft delete -
2301200040003891","id":"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/providers/Microsoft.Authorization/policyDefinitions/cab92d23-aef3-4476-9e31-f604a9c52598"}}]'.
At line:1 char:1
+ New-AzKeyVault -Name "ps-keyvault01" -ResourceGroupName "terrformKeyv ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzKeyVault], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.NewAzureKeyVault

DEBUG: 11:11:09 - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.KeyVault:4.9.1; CommandName: New-AzKeyVault; PSVersion: 5.1.22621.963; IsSuccess: False; Duration: 00:00:04.6249460; Exception: Resource 'ps-keyvault01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Deny Key Vault
less than 90 days of soft delete - 2301200040003891","id":"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.Authorization/policyAssignments/23c5292621e34f81b9a3d920"},"policyDefinition":{"name":"Deny Key Vault less than 90
days of soft delete - 2301200040003891","id":"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/providers/Microsoft.Authorization/policyDefinitions/cab92d23-aef3-4476-9e31-f604a9c52598"}}]'.;
DEBUG: 11:11:09 - NewAzureKeyVault end processing.

Environment data

Found PowerShell [Microsoft.PowerShell]
Version: 7.3.3.0

Name                           Value
----                           -----
PSVersion                      5.1.22621.963
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.963
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.11.2     Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     4.9.1      Az.KeyVault                         {Add-AzKeyVaultCertificate, Add-AzKeyVaultCertificateContact, Add-AzKeyVaultKey, Add-AzKeyVaultManagedStorageAccount...}

Error output

New-AzKeyVault : Resource 'ps-keyvault01' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Deny Key Vault less than 90 days of soft delete -
2301200040003891","id":"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.Authorization/policyAssignments/23c5292621e34f81b9a3d920"},"policyDefinition":{"name":"Deny Key Vault less than 90 days of soft delete -
2301200040003891","id":"/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/providers/Microsoft.Authorization/policyDefinitions/cab92d23-aef3-4476-9e31-f604a9c52598"}}]'.
At line:1 char:1
+ New-AzKeyVault -Name "ps-keyvault01" -ResourceGroupName "terrformKeyv ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzKeyVault], CloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.KeyVault.NewAzureKeyVault
isra-fel commented 1 year ago

Hi @Alfonso-Rey, I checked the log; the command did set soft delete retention days to 90:

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/f799acb6-27df-4b01-ad21-eb5ba7d2bffe/resourceGroups/terrformKeyvault/providers/Microsoft.KeyVault/vaults/ps-keyvault01?api-version=2022-07-01

Headers:
x-ms-client-request-id        : 01d6eb7d-e6c3-47ec-9693-573cc584520c
accept-language               : en-US

Body:
{
  "location": "uksouth",
  "properties": {
    "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
    "sku": {
      "name": "standard",
      "family": "A"
    },
    "accessPolicies": [
      {
        "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
        "objectId": "505cdc4c-3e0c-4ebf-91f6-c479c0b7769e",
        "permissions": {
          "keys": [
            "all"
          ],
          "secrets": [
            "all"
          ],
          "certificates": [
            "all"
          ],
          "storage": [
            "all"
          ]
        }
      }
    ],
    "vaultUri": "",
    "softDeleteRetentionInDays": 90,              <-------------- here
    "networkAcls": {
      "bypass": "AzureServices",
      "defaultAction": "Allow"
    }
  }
}

Could you double check the detail of the policy?

Alfonso-Rey commented 1 year ago

Hi Yeming, good day.

Thanks for the prompt reply. This is the condition of the policy:

"if": {
  "allOf": [
    {
      "field": "type",
      "equals": "Microsoft.KeyVault/vaults"
    },
    {
      "anyOf": [
        {
          "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
          "exists": "false"
        },
        {
          "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
          "equals": "false"
        },
        {
          "field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays",
          "less": 90
        }
      ]
    }
  ]
},
"then": {
  "effect": "deny"
}

With AZ CLI (Shell), if I force the policy to kick in by setting a lower number of retention days, it works as expected. If I set 90 days, it creates the keyvault with no issues.

Looking forward to your comments.

Thanks

Alfonso Rey



isra-fel commented 1 year ago

Hi Alfonso, it's this part of the policy that blocked the creation:

              {
                "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
                "exists": "false"
              },

Truth is, since 2020 newly created key vaults have had soft delete turned on by default, so it doesn't make sense to check "exists": "false".
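To show why the PUT in this thread was denied, and what the same rule does once the "exists": "false" clause is dropped, here is a small evaluator written for this page (it is not Azure's policy engine and not azure-powershell code) that applies the posted "if" block to a request body modelled on the one above; the short-circuit trace it produces matches the two evaluatedExpressions in the Forbidden response. The tenant id is a placeholder, and the corrected rule and the treatment of absent fields are assumptions noted in the comments.

```python
"""Minimal Azure Policy condition evaluator for the rule discussed in this issue.

Added example, not Azure's own policy engine. It supports only the operators the
posted rule uses ("equals", "exists", "less") plus "allOf"/"anyOf". Assumption:
as in Azure Policy, "exists" is the one operator that can be true for a field
absent from the request; any comparison against an absent field is false.
"""

# Policy field aliases -> request-body paths, as reported in the
# evaluatedExpressions of the Forbidden response quoted in the issue.
FIELD_ALIASES = {
    "type": "type",
    "Microsoft.KeyVault/vaults/enableSoftDelete": "properties.enableSoftDelete",
    "Microsoft.KeyVault/vaults/softDeleteRetentionInDays": "properties.softDeleteRetentionInDays",
}

_MISSING = object()  # sentinel: the field is not present in the request body


def lookup(body, field):
    """Resolve a policy field alias against the request body; _MISSING if absent."""
    node = body
    for part in FIELD_ALIASES.get(field, field).split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def evaluate(condition, body, trace=None):
    """Return True when the condition matches. Each leaf actually evaluated is
    appended to trace as (field, operator, result); allOf/anyOf short-circuit,
    which is why the service reported only two expressions for this request."""
    if "allOf" in condition:
        return all(evaluate(c, body, trace) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, body, trace) for c in condition["anyOf"])
    field = condition["field"]
    value = lookup(body, field)
    if "exists" in condition:
        operator = "Exists"
        want_present = str(condition["exists"]).lower() == "true"
        result = (value is not _MISSING) == want_present
    elif "equals" in condition:
        operator = "Equals"
        result = value is not _MISSING and str(value).lower() == str(condition["equals"]).lower()
    elif "less" in condition:
        operator = "Less"
        result = value is not _MISSING and value < condition["less"]
    else:
        raise ValueError(f"unsupported condition: {condition}")
    if trace is not None:
        trace.append((field, operator, result))
    return result


def policy_effect(policy_rule, body):
    """'deny' when the rule's if-block matches the request, otherwise 'allow'."""
    return policy_rule["then"]["effect"] if evaluate(policy_rule["if"], body) else "allow"


def matched_expressions(policy_rule, body):
    """The leaf evaluations the engine would report, in evaluation order."""
    trace = []
    evaluate(policy_rule["if"], body, trace)
    return trace


# The "if" block exactly as posted in the issue.
POSTED_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.KeyVault/vaults"},
        {"anyOf": [
            {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "exists": "false"},
            {"field": "Microsoft.KeyVault/vaults/enableSoftDelete", "equals": "false"},
            {"field": "Microsoft.KeyVault/vaults/softDeleteRetentionInDays", "less": 90},
        ]},
    ]},
    "then": {"effect": "deny"},
}

# Assumed fix: drop the "exists": "false" clause. A PUT for a new vault does not
# carry enableSoftDelete (the service defaults it to on), so that clause denies
# every compliant request; the remaining two clauses still deny a vault that
# explicitly disables soft delete or retains for fewer than 90 days.
CORRECTED_POLICY = {
    "if": {"allOf": [
        POSTED_POLICY["if"]["allOf"][0],
        {"anyOf": POSTED_POLICY["if"]["allOf"][1]["anyOf"][1:]},
    ]},
    "then": {"effect": "deny"},
}


def request_body(retention_days=None, enable_soft_delete=None):
    """Constructed PUT body trimmed to what the rule inspects. "type" is not in the
    cmdlet's JSON; ARM derives it from the request URI, so it is set here directly."""
    props = {"tenantId": "00000000-0000-0000-0000-000000000000",  # placeholder tenant
             "sku": {"name": "standard", "family": "A"}}
    if retention_days is not None:
        props["softDeleteRetentionInDays"] = retention_days
    if enable_soft_delete is not None:
        props["enableSoftDelete"] = enable_soft_delete
    return {"location": "uksouth", "type": "Microsoft.KeyVault/vaults", "properties": props}


if __name__ == "__main__":
    body = request_body(retention_days=90)  # what New-AzKeyVault sent in the issue
    print("posted rule   :", policy_effect(POSTED_POLICY, body), matched_expressions(POSTED_POLICY, body))
    print("corrected rule:", policy_effect(CORRECTED_POLICY, body))
    print("corrected, 30d:", policy_effect(CORRECTED_POLICY, request_body(30)))
```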

ghost commented 1 year ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!