Share via

I deleted an HSM in KeyVault but I'm still paying for it

Timon Michel 20 Reputation points
2025-04-02T14:28:37.0433333+00:00

I wanted to create an 'Azure Key Vault', but have instead created an 'Azure Key Vault Managed HSM Pool' instead - which seems to be rather expensive. Is there a way that you can delete the HSM Pool before the Purge Period? I have configured the purge period to be 90 days without thinking much about it, since the 'Azure Key Vault' seemed rather cheap.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,411 questions
0 comments
Accepted answer
  1. Sakshi Devkante 2,905 Reputation points Microsoft External Staff
    2025-04-02T15:31:09.2733333+00:00

    Hello Timon,

    I understand that you have created 'Azure Key Vault Managed HSM Pool" instances and soft-deleted the keys, now you would like to avoid billing for these resources.

    Since you created a Managed HSM with a purge protection period, it remains in a soft-deleted state and cannot be permanently deleted until the retention period expires. During this time, you will continue to be billed for the HSM. Once the retention period ends, the Managed HSM will be automatically purged.

    Because purge protection is enabled, neither the HSM nor its keys can be purged before the retention period ends. Additionally, the retention period cannot be shortened after creation.

    The only option in this case is to work with your account team to contact our finance/billing department and request a refund. Please create a support request with the Billing team through the Azure Portal or by following this link. If you're unable to create a support ticket, let me know—I can submit one on your behalf using your entitlement and escalate it to the Billing team for a refund.

    Billing implications

    I hope this information is helpful.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alex Burlachenko 4,060 Reputation points
    2025-04-02T14:33:06.56+00:00

    Hi Timon,

    Unfortunately, once an Azure Key Vault Managed HSM is deleted, it enters the soft-delete state for the configured purge period (in your case, 90 days). During this time, the HSM resources are retained to allow recovery, and billing continues.

    No Early Purge: Azure does not allow manual purging before the set retention period ends. This is a security feature to prevent accidental data loss. Cost Implications: You will continue to be billed until the HSM is fully purged after 90 days.

    • If you no longer need the HSM, ensure it remains deleted (do not recover it).
    • For future deployments, double-check the service type Azure Key Vault (cheaper, for most use cases) vs. Managed HSM (premium, for high-security scenarios).
    • If you need a standard Key Vault, you can create one immediately it won’t conflict with the deleted HSM.

    Best regards,

    Alex

    P.S. If my answer help to you, please Accept my answer

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.