Creating a service principal

  1. Create a service application in Azure.
  2. Register this application in Azure Active Directory using App Registrations.
  3. In the application’s API permissions, set the permissions for the BYOK service application.
  4. In each Key Vault’s settings, open Access Policies and grant the BYOK service principal application the following permissions: Select All under Key permissions, and all options under Secret permissions and Certificate permissions.
  5. Do not select Purge protection on the Key Vaults.
  6. In your subscription’s Access Control (IAM), select Role Assignments, and assign the Reader role to the BYOK application.

Whenever a new Key Vault is created, the same access policy permissions must be set on it as well.
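Because steps 4 and 5 must be repeated for every Key Vault that is added later, a periodic check of the vault configuration is useful. The following Python script is an added example, not part of the original procedure or of the BYOK service itself: it audits vault documents shaped like the JSON that `az keyvault show -o json` returns and reports, per vault, whether the BYOK service principal has a policy with the full Key, Secret and Certificate permissions and whether purge protection has been left off. The vault names, tenant id and object id are constructed placeholders, and the permission lists that stand in for the portal's "Select All" choice are an assumption for this example; compare them with the list your tenant's portal shows.

```python
"""Audit Key Vault access policies for a BYOK service principal.

Added example (not the project's own code). The vault documents below
mimic the shape of `az keyvault show -o json` for Microsoft.KeyVault/vaults,
but every value in them (names, tenant id, object id) is constructed.
"""
import json

# Object id of the BYOK service principal: a placeholder, not a real id.
BYOK_OBJECT_ID = "11111111-2222-3333-4444-555555555555"

# Permission names assumed to sit behind the portal's "Select All" choice.
# This list is an assumption for the example; check it against your portal.
REQUIRED = {
    "keys": {"get", "list", "update", "create", "import", "delete", "recover",
             "backup", "restore", "decrypt", "encrypt", "unwrapKey", "wrapKey",
             "verify", "sign", "purge"},
    "secrets": {"get", "list", "set", "delete", "recover", "backup", "restore",
                "purge"},
    "certificates": {"get", "list", "update", "create", "import", "delete",
                     "recover", "backup", "restore", "managecontacts",
                     "manageissuers", "getissuers", "listissuers", "setissuers",
                     "deleteissuers", "purge"},
}

# Constructed sample: one compliant vault, one misconfigured vault, and one
# newly created vault that never received the BYOK access policy.
SAMPLE_VAULTS_JSON = """
[
  {"name": "kv-prod-byok-01",
   "properties": {"enablePurgeProtection": false,
     "accessPolicies": [{"tenantId": "aaaaaaaa-0000-0000-0000-000000000000",
       "objectId": "11111111-2222-3333-4444-555555555555",
       "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}}]}},
  {"name": "kv-prod-byok-02",
   "properties": {"enablePurgeProtection": true,
     "accessPolicies": [{"tenantId": "aaaaaaaa-0000-0000-0000-000000000000",
       "objectId": "11111111-2222-3333-4444-555555555555",
       "permissions": {"keys": ["get", "list", "update", "create", "import",
                                "delete", "recover", "backup", "restore",
                                "decrypt", "encrypt", "unwrapKey", "wrapKey",
                                "verify"],
                       "secrets": ["all"], "certificates": ["all"]}}]}},
  {"name": "kv-new-byok-03",
   "properties": {"enablePurgeProtection": false, "accessPolicies": []}}
]
"""


def load_vaults(text: str) -> list:
    """Parse a JSON array of vault documents (e.g. saved CLI output)."""
    return json.loads(text)


def audit_vault(vault: dict, object_id: str = BYOK_OBJECT_ID) -> list:
    """Return the findings for one vault; an empty list means compliant."""
    findings = []
    props = vault.get("properties", {})
    # Step 5 of the procedure: purge protection must not be enabled.
    if props.get("enablePurgeProtection"):
        findings.append("purge protection is enabled")
    # Step 4: locate the access policy entry for the BYOK service principal.
    policies = [p for p in props.get("accessPolicies", [])
                if p.get("objectId") == object_id]
    if not policies:
        findings.append("no access policy for the BYOK service principal")
        return findings
    granted = policies[0].get("permissions", {})
    for category, required in REQUIRED.items():
        have = {perm.lower() for perm in granted.get(category, [])}
        if "all" in have:
            continue  # "all" is the value `az keyvault set-policy` accepts
        missing = sorted(p for p in required if p.lower() not in have)
        if missing:
            findings.append(f"{category}: missing {', '.join(missing)}")
    return findings


def audit_vaults(vaults: list, object_id: str = BYOK_OBJECT_ID) -> dict:
    """Map each vault name to its list of findings."""
    return {v["name"]: audit_vault(v, object_id) for v in vaults}


SAMPLE_VAULTS = load_vaults(SAMPLE_VAULTS_JSON)

if __name__ == "__main__":
    for name, findings in audit_vaults(SAMPLE_VAULTS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

To run it against a real subscription, replace `SAMPLE_VAULTS_JSON` with the saved output of `az keyvault show` for each vault (or build the list from `az keyvault list`) and set `BYOK_OBJECT_ID` to the object id of the service principal created in step 2. The vault that comes back with "no access policy" is exactly the case the note above describes: a Key Vault created after the initial setup that still needs step 4 applied.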