Share via

Azure Managed HSM accidentally created - deleted but unable to purge or raise support ticket

Michael McCoy FD 0 Reputation points
2026-06-10T13:38:49.67+00:00

Azure Managed HSM accidentally created - deleted but unable to purge or raise support ticket

I accidentally created an Azure Key Vault Managed HSM while setting up a proof-of-concept SharePoint scanning solution, but it wasnt used and was set up 100% in error.

The Managed HSM was discovered following thr first invocie and has now been deleted.

My concerns are:

  1. Whether the deleted Managed HSM continues to incur charges while in a soft-deleted state.

Whether purge protection is preventing permanent deletion.

Whether there is any way to purge the HSM if I am Subscription Owner / Global Admin.

Whether anyone has successfully obtained billing relief for an accidental Managed HSM deployment.

Additional information:

  • Subscription type: Pay as you go
  • Region: UK
  • Current status: Deleted
  • Unable to raise a support ticket through Azure portal or Billing to contact any one

Any guidance would be appreciated, particularly around ongoing billing and purge options.

Azure Dedicated HSM
Azure Dedicated HSM

An Azure service that provides hardware security module management.

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Divyesh Govaerdhanan 11,065 Reputation points MVP Volunteer Moderator
    2026-06-10T22:47:40.8033333+00:00

    Hello Michael McCoy FD,

    Welcome to Microsoft Q&A,

    1. Yes, unfortunately. The docs state explicitly:

      "Soft-deleted Managed HSM resources will continue to be billed at their full hourly rate until they're purged."

      The underlying resources remain allocated even in a deleted state. Purging it as soon as possible is the only way to stop charges.
    2. Only if it was explicitly enabled when the HSM was created. Purge protection is not enabled by default. It requires a deliberate --enable-purge-protection flag. If it wasn't set during your accidental creation, you can purge right now. If it was enabled, no one, not even Microsoft, can override it until the retention period ends (default 90 days). To check whether purge protection is on, run: 
         az keyvault show --subscription <subscription-id> -g <resource-group> --hsm-name <hsm-name>
    3. Subscription Owner and Global Admin are not sufficient on their own, you need the Managed HSM Contributor role to purge soft-deleted HSMs. As Owner, you can assign this to yourself.
      az keyvault purge --subscription <subscription-id> --hsm-name <hsm-name> --location <location> 
         
      [https://learn.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest#az-keyvault-purge](https://learn.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest#az-keyvault-purge)
    4. Billing relief is handled via Azure Billing Support. To raise a ticket when the portal option isn't working, go directly to: https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade Select Billing as the issue type. Billing support is free on all plans, including Pay-As-You-Go. Explain that it was an accidental creation that was never activated or used. Microsoft reviews these on a case-by-case basis and has granted credits for genuine accidental deployments.

    Please Upvote and accept the answer if it helps

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.