Creating a Service Principal

  1. Create a service application in Azure.
  2. Register the application in the Azure Active Directory using App Registrations.
  3. Use New Registration to create the BYOK service application with the following parameters:

    • name - Select a name, for example mybyokapp.

    • account type - Accounts in this organizational directory only (<directory name> only - Single tenant).

    • application type - Web

  4. Navigate to Azure Active Directory > App Registrations > <mybyokapp> > API permissions.

  5. Use Add a permission to add the following permissions:

    • Azure Key Vault - user_impersonation (Type: Delegated) - Have full access to the Azure Key Vault service.

    • Azure Service Management - user_impersonation (Type: Delegated) - Access Azure Service Management as organization users.

    • Microsoft Graph - User.Read (Type: Delegated) - Sign in and read user profile.

  6. Optional: Add the following permission to allow auto rotation of client secrets.

    Important: This configuration is recommended for enhanced security and requires admin consent.

    • Microsoft Graph - Application.ReadWrite.All (Type: Application) - Read and write all applications.

    Use Grant Admin Consent for <directory name> to grant permissions. You will need global administrator rights to grant these permissions.

  7. Navigate to Azure > Subscriptions > <your subscription> > Access Control (IAM).

  8. In Role Assignments, select Role > Reader > Members, then select your application mybyokapp.

  9. Navigate to Azure > <directory name> > Enterprise Applications > mybyokapp > Permissions.

  10. Check that the service principal, which has the same name as the BYOK application, has all required permissions.
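Step 10 can be done offline against the JSON that the Azure CLI prints instead of by eye. The script below is an added example and is not part of the original procedure: it reads the output of `az ad app permission list --id <app-id> -o json` and `az role assignment list --assignee <sp-object-id> --scope /subscriptions/<sub-id> -o json`, compares the declared permissions with the set the steps above ask for, reports anything missing or unexpected, and confirms the Reader assignment from step 8. The three first-party resource app IDs are Microsoft's well-known values and are an assumption you should confirm in your tenant with `az ad sp show --id <id> --query displayName`; the permission IDs in the sample documents are constructed placeholders, and the real ones come from `az ad sp show --id <resourceAppId>` (oauth2PermissionScopes and appRoles), which is how the `catalog` mapping is meant to be built.

```python
"""Offline audit of a BYOK service application's declared permissions and subscription role."""
import json
from typing import Dict, List, Set, Tuple

# Well-known first-party resource (API) app IDs. Assumed from Microsoft's published
# values; confirm in your tenant with `az ad sp show --id <id> --query displayName`.
RESOURCE_APPS = {
    "cfa8b339-82a2-471a-a3c9-0fc0be7a4093": "Azure Key Vault",
    "797f4846-ba00-4fd7-ba43-dac1f8f63013": "Azure Service Management",
    "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
}

Perm = Tuple[str, str, str]  # (API name, permission name, "Scope" or "Role")

# Permissions required by step 5. "Scope" is a delegated permission (acts as the
# signed-in user); "Role" is an application permission (acts as the app itself).
REQUIRED: Set[Perm] = {
    ("Azure Key Vault", "user_impersonation", "Scope"),
    ("Azure Service Management", "user_impersonation", "Scope"),
    ("Microsoft Graph", "User.Read", "Scope"),
}
# Optional permission from step 6; application-type, so it needs admin consent.
OPTIONAL: Set[Perm] = {("Microsoft Graph", "Application.ReadWrite.All", "Role")}


def declared_permissions(permission_list_json: str, catalog: Dict[str, Dict[str, str]]) -> Set[Perm]:
    """Translate `az ad app permission list` output into (API, permission, type) triples.

    `catalog` maps resourceAppId -> {permissionId: permission name}. IDs that are not in
    the catalog are kept verbatim so an unknown grant never vanishes from the report.
    """
    found: Set[Perm] = set()
    for entry in json.loads(permission_list_json):
        api_id = entry["resourceAppId"]
        api = RESOURCE_APPS.get(api_id, api_id)
        names = catalog.get(api_id, {})
        for access in entry["resourceAccess"]:
            found.add((api, names.get(access["id"], access["id"]), access["type"]))
    return found


def audit_permissions(permission_list_json: str, catalog: Dict[str, Dict[str, str]]) -> Dict[str, List[Perm]]:
    """Report missing required grants, optional grants present, and anything not in the procedure."""
    found = declared_permissions(permission_list_json, catalog)
    return {
        "missing": sorted(REQUIRED - found),
        "optional_present": sorted(OPTIONAL & found),
        "unexpected": sorted(found - REQUIRED - OPTIONAL),
        # Application-type grants are not bound to a signed-in user; list them for review.
        "application_type": sorted(p for p in found if p[2] == "Role"),
    }


def has_reader_on_subscription(role_assignments_json: str, subscription_id: str) -> bool:
    """True if `az role assignment list` output shows Reader scoped to the whole subscription (step 8)."""
    scope = f"/subscriptions/{subscription_id}"
    return any(a["roleDefinitionName"] == "Reader" and a["scope"] == scope
               for a in json.loads(role_assignments_json))


# Constructed sample documents. Permission IDs ("aaaaaaaa-...") and the subscription ID
# are placeholders, not real Microsoft or tenant values.
SAMPLE_CATALOG = {
    "cfa8b339-82a2-471a-a3c9-0fc0be7a4093": {"aaaaaaaa-0000-0000-0000-000000000001": "user_impersonation"},
    "797f4846-ba00-4fd7-ba43-dac1f8f63013": {"aaaaaaaa-0000-0000-0000-000000000002": "user_impersonation"},
    "00000003-0000-0000-c000-000000000000": {"aaaaaaaa-0000-0000-0000-000000000003": "User.Read",
                                             "aaaaaaaa-0000-0000-0000-000000000004": "Application.ReadWrite.All"},
}
_ENTRIES = [
    {"resourceAppId": "cfa8b339-82a2-471a-a3c9-0fc0be7a4093",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}]},
    {"resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Scope"}]},
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000003", "type": "Scope"},
                        {"id": "aaaaaaaa-0000-0000-0000-000000000004", "type": "Role"}]},
]
SAMPLE_PERMISSIONS = json.dumps(_ENTRIES)            # app configured as in steps 5 and 6
SAMPLE_PERMISSIONS_NO_KEYVAULT = json.dumps(_ENTRIES[1:])  # Key Vault grant forgotten
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_ROLES = json.dumps([
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}",
     "principalName": "mybyokapp"},
])

if __name__ == "__main__":
    print(json.dumps(audit_permissions(SAMPLE_PERMISSIONS, SAMPLE_CATALOG), indent=2))
    print("Reader on subscription:", has_reader_on_subscription(SAMPLE_ROLES, SAMPLE_SUBSCRIPTION))
```

To run it against a real tenant, replace the two sample strings with the CLI output for your application and service principal, and populate `catalog` from `az ad sp show` for each resource app; an empty `missing` list, an empty `unexpected` list and a `True` for the Reader check correspond to what step 10 asks you to confirm in the portal.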