diff --git a/build/jobs/add-aad-test-environment.yml b/build/jobs/add-aad-test-environment.yml index fe97b0b20f..1aea4ab6e0 100644 --- a/build/jobs/add-aad-test-environment.yml +++ b/build/jobs/add-aad-test-environment.yml @@ -36,34 +36,21 @@ steps: resource = $resource } - # If a deleted keyvault exists, remove it first + # If a deleted keyvault with purge protection exists, try to restore it. $environmentName = "$(DeploymentEnvironmentName)".ToLower() -replace "\.", "" Write-Host "Installed module and set variables" $vaultName = "${environmentName}-ts" - if (Get-AzKeyVault -VaultName $vaultName -Location "westus" -InRemovedState) + $vaultLocation = "westus" + $vaultResourceGroupName = $ResourceGroupName + if (Get-AzKeyVault -VaultName $vaultName -Location $vaultLocation -InRemovedState) { - Write-Host "Attempting to delete vault ${vaultName}" - try - { - Remove-AzKeyVault -VaultName $vaultName -InRemovedState -Location "westus" -Force - } - catch - { - if ($_.ErrorDetails -eq "Operation 'DeletedVaultPurge' is not allowed.") - { - # With purge protection enabled, it's impossible to delete a Key Vault before its expiration. + Write-Host "Attempting to restore vault ${vaultName}" - Write-Error "Unable to delete vault ${vaultName}." - Write-Error $_.ErrorDetails - } - else - { - throw $_ - } - } + Undo-AzKeyVaultRemoval -VaultName $vaultName -ResourceGroupName $vaultResourceGroupName -Location $vaultLocation -Confirm + Write-Host "KeyVault $vaultName is restored" } - Write-Host "Cleaned up keyvaults" + Write-Host "Restored keyvaults" try { diff --git a/build/jobs/provision-deploy.yml b/build/jobs/provision-deploy.yml index c1e6bb03dd..f520e5b679 100644 --- a/build/jobs/provision-deploy.yml +++ b/build/jobs/provision-deploy.yml 
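Review bot: `-Confirm` on the added `Undo-AzKeyVaultRemoval` call asks for a confirmation prompt rather than suppressing one, so in a non-interactive pipeline step the restore will likely fail or stall where the removed `Remove-AzKeyVault` call used `-Force`. If an unattended restore is intended, write `-Confirm:$false`; the same applies to the `Undo-AzKeyVaultRemoval` line in build/jobs/provision-deploy.yml. The following `Write-Host "KeyVault $vaultName is restored"` runs whether or not the restore succeeded, so consider adding `-ErrorAction Stop` to the call so that a failed restore stops the step instead of being logged as success. A restored vault also comes back with its earlier secrets and access configuration, which deserves a comment next to `# If a deleted keyvault with purge protection exists, try to restore it.` so readers know the test environment may reuse old vault contents.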
@@ -95,8 +95,8 @@ jobs: Write-Host "Check for keyvaults in removed state..." if (Get-AzKeyVault -VaultName $webAppName -Location $(ResourceGroupRegion) -InRemovedState) { - Remove-AzKeyVault -VaultName $webAppName -InRemovedState -Location $(ResourceGroupRegion) -Force - Write-Host "Deleted KeyVault in RemovedState." + Undo-AzKeyVaultRemoval -VaultName $webAppName -ResourceGroupName $parameters.resourceGroup -Location $(ResourceGroupRegion) -Confirm + Write-Host "KeyVault $webAppName is restored" } Write-Host "Provisioning Resource Group" diff --git a/release/scripts/PowerShell/FhirServerRelease/Public/Add-AadTestAuthEnvironment.ps1 b/release/scripts/PowerShell/FhirServerRelease/Public/Add-AadTestAuthEnvironment.ps1 index 9a26d273dd..0b23f4b5bc 100644 --- a/release/scripts/PowerShell/FhirServerRelease/Public/Add-AadTestAuthEnvironment.ps1 +++ b/release/scripts/PowerShell/FhirServerRelease/Public/Add-AadTestAuthEnvironment.ps1 @@ -64,7 +64,7 @@ function Add-AadTestAuthEnvironment { if (!$keyVault) { Write-Host "Creating keyvault with the name $KeyVaultName" - New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $EnvironmentLocation -EnableRbacAuthorization | Out-Null + New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $EnvironmentLocation | Out-Null } $retryCount = 0
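Review bot: `$parameters.resourceGroup` in the added `Undo-AzKeyVaultRemoval` line is read by PowerShell as a property of a script variable named `$parameters`, while the neighbouring arguments use pipeline macro syntax such as `$(ResourceGroupRegion)`. Unless `$parameters` is assigned earlier in this inline script (not visible in the hunk), `-ResourceGroupName` receives an empty value and the restore fails. If a template parameter is meant, the usual form is `-ResourceGroupName "${{ parameters.resourceGroup }}"`. The script block continues outside the hunk.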
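Review bot: Dropping `-EnableRbacAuthorization` from the `New-AzKeyVault` call switches newly created vaults from Azure RBAC to vault access policies, and nothing in the hunk explains why. Vaults restored by the pipeline changes in this commit keep the permission model they had when deleted. A vault created by the earlier code would therefore presumably still be RBAC-enabled, and access-policy grants made later in `Add-AadTestAuthEnvironment` (outside this hunk) may not take effect on it. I would add a comment above the call, for example `# Access-policy model used deliberately: <reason>; a restored vault may still have RBAC authorization enabled`, and confirm the permission model of an existing `$keyVault` before relying on access policies.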