diff --git a/internal/services/keyvault/key_vault_secret_resource.go b/internal/services/keyvault/key_vault_secret_resource.go
index 62bfac7d6486..be672918d2c6 100644
--- a/internal/services/keyvault/key_vault_secret_resource.go
+++ b/internal/services/keyvault/key_vault_secret_resource.go
@@ -101,6 +101,16 @@ func resourceKeyVaultSecret() *pluginsdk.Resource {
 
 			"tags": tags.SchemaWithMax(15),
 		},
+
+		CustomizeDiff: pluginsdk.CustomDiffWithAll(
+			pluginsdk.ForceNewIfChange("expiration_date", func(ctx context.Context, oldVal, newVal interface{}, meta interface{}) bool {
+				// if change from non-nil to nil, we need to force new
+				if oldVal != nil && oldVal.(string) != "" {
+					return newVal == nil || newVal.(string) == ""
+				}
+				return false
+			}),
+		),
 	}
 }
 
diff --git a/website/docs/r/key_vault_secret.html.markdown b/website/docs/r/key_vault_secret.html.markdown
index c6387f8e3731..b09bbfe3c6d7 100644
--- a/website/docs/r/key_vault_secret.html.markdown
+++ b/website/docs/r/key_vault_secret.html.markdown
@@ -87,7 +87,7 @@ The following arguments are supported:
 
 * `not_before_date` - (Optional) Key not usable before the provided UTC datetime (Y-m-d'T'H:M:S'Z').
 
-* `expiration_date` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z').
+* `expiration_date` - (Optional) Expiration UTC datetime (Y-m-d'T'H:M:S'Z'). Removing this forces a new resource to be created.
 
 ## Attributes Reference