Creating a service application in Azure Portal

1. Navigate to Azure Active Directory > App Registrations.

2. Use New Registration to create the BYOK service application with the following parameters:

   name

   Select a name, for example mybyokapp.

   account type

   Accounts in this organizational directory only. <directory name> only - Single tenant.

   application type

   Web

3. Navigate to Azure Active Directory > App Registrations > <mybyokapp> > API permissions.

4. Use Add a permission to add following permissions

   Azure Key Vault

   user_impersonation Type:Delegated

   Have full access to the Azure Key Vault service.

   Azure Service Management

   user_impersonation Type:Delegated Access

   Azure Service Management as organization users.

   Microsoft Graph

   User.Read Type:Delegated

   Sign in and read user profile.

5. Optional: Use Add a permission to add the following permission and allow auto rotation of client secrets. This configuration recommended for enhanced security.

   Application.ReadWrite.All Type:Application

   Read and write all applications.

   Use Grant Admin Consent for <directory name> to grant permissions. You will need Global administrator rights to grant these permissions

6. Navigate to Azure > Subscriptions > <your subscription> > Access Control (IAM).

7. In Role Assignments, select Role > Reader > Members > <BYOK application>.

8. Navigate to Azure > <directory name> > Enterprise Applications > <BYOK application> > Permissions.

9. Check that the service principal, which has the same name as the BYOK application, has all required permissions.