Creating a Service Principal

  1. Create a service application in Azure.
  2. Register the application in the Azure Active Directory using App Registrations.

  3. Use New Registration to create the BYOK service application with the following parameters:

    • name - Select a name, for example mybyokapp.

    • account type - Accounts in this organizational directory only. <directory name> only - Single tenant.

    • application type - Web

  4. Navigate to Azure Active Directory > App Registrations > <mybyokapp> > API permissions.

  5. Use Add a permission to add following permissions

    Azure Key Vault
    user_impersonation Type:Delegated
    Have full access to the Azure Key Vault service.
    Azure Service Management
    user_impersonation Type:Delegated Access
    Azure Service Management as organization users.
    Microsoft Graph
    User.Read Type:Delegated
    Sign in and read user profile.

    Note: If you do not have access to Microsoft Graph, you must enter an Application Object ID when you create the Azure Cloud Service Provider. You can find this in Azure under Azure > Azure Active Directory > App Registrations > <your BYOK application>.

  6. Optional: Add one of the following permissions to allow auto rotation of client secrets.

    Important: This configuration is recommended for enhanced security and requires admin consent.

    If your Azure license allows role assignments:  

    1. Navigate to Azure Active Directory > App Registrations > <mybyokapp> > Roles and Administrators.

    2. Click the 'Cloud Application Administrator' role.

    3. Click Add Assignments.

    4. Start typing the name of the BYOK service application in the search box, and check the checkbox for the corresponding Enterprise application.

    5. Click Add.

    If your Azure license does not allow role assignments:  

    1. Navigate to Azure Active Directory > App Registrations > <mybyokapp> > API Permissions.

    2. Use Add a permission to add the following permission: 

      • Application.ReadWrite.All Type:Application

        Read and write all applications.

      This can be found under Microsoft Graph > Application Permissions.

    3. Use Grant Admin Consent for <directory name> to grant permissions. You will need global administrator rights to grant these permissions.

  7. Navigate to Azure > Subscriptions > <your subscription> > Access Control (IAM).

  8. In Role Assignments, select Role > Reader > Members, then select your application mybyokapp.

  9. Navigate to Azure > <directory name> > Enterprise Applications > mybyokapp > Permissions.

  10. Check that the service principal, which has the same name as the BYOK application, has all required permissions.