I am reading the walkthrough for enabling auto unseal for Azure Key Vault:
It’s asking me to create a service principal with extremely elevated permissions (Owner over my subscription, lots of Active Directory API permissions)
Why are these permissions needed? My technical understanding of the auto unseal process would lead me to think that in reality the service principal/managed service identity only needs very limited permissions over the key vault where the unseal key is stored.
Are the minimum permissions the SP/MSI needs documented anywhere?
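The post does not state what the minimum is, and the page gives no answer, so the following is an added example rather than anything from the original thread, from HashiCorp or from Microsoft. It audits one principal's access policy on a Key Vault against the set of key permissions that wrapping and unwrapping the root key requires, which this script assumes to be `get`, `wrapKey` and `unwrapKey` (an assumption to confirm against the Vault release in use). The input shape (`properties.accessPolicies[]` with `objectId` and `permissions.keys[]`) is the JSON that `az keyvault show --name <vault> -o json` prints; the three principals and their object ids are constructed sample data.

```python
"""Least-privilege audit for a Vault auto-unseal identity on Azure Key Vault.

Added example; not code from the original post, HashiCorp or Microsoft.
Assumptions:
  * Input is the JSON printed by `az keyvault show --name <vault> -o json`
    (properties.accessPolicies[] with objectId and permissions.keys[]).
  * The minimum key permissions auto unseal needs are taken to be get,
    wrapKey and unwrapKey (read key metadata, wrap and unwrap the root key).
    Adjust REQUIRED_KEY_PERMISSIONS if your Vault release documents another set.
"""
import json

# lower-cased name -> canonical spelling as Azure reports it
REQUIRED_KEY_PERMISSIONS = {"get": "get", "wrapkey": "wrapKey", "unwrapkey": "unwrapKey"}
NON_KEY_CATEGORIES = ("secrets", "certificates", "storage")

# Constructed sample `az keyvault show` output: three principals on one vault.
SAMPLE_VAULT_JSON = json.dumps({
    "name": "example-unseal-kv",
    "properties": {
        "enableRbacAuthorization": False,
        "accessPolicies": [
            {   # unseal identity holding exactly the assumed minimum
                "objectId": "11111111-1111-1111-1111-111111111111",
                "permissions": {"keys": ["get", "wrapKey", "unwrapKey"],
                                "secrets": [], "certificates": []},
            },
            {   # over-privileged identity: every key permission plus secrets
                "objectId": "22222222-2222-2222-2222-222222222222",
                "permissions": {
                    "keys": ["get", "list", "create", "delete", "update", "import",
                             "backup", "restore", "recover", "wrapKey", "unwrapKey",
                             "sign", "verify", "encrypt", "decrypt", "purge"],
                    "secrets": ["get", "list", "set", "delete"],
                    "certificates": [],
                },
            },
            {   # under-privileged identity: Vault could unwrap but never wrap
                "objectId": "33333333-3333-3333-3333-333333333333",
                "permissions": {"keys": ["get", "unwrapKey"],
                                "secrets": [], "certificates": []},
            },
        ],
    },
})


def audit_access_policy(vault_json: str, object_id: str) -> dict:
    """Compare one principal's access policy with the assumed minimum.

    Returned keys:
      found           - the object id has an access policy on this vault
      rbac_mode       - vault uses Azure RBAC, so access policies are not
                        enforced and role assignments must be checked instead
      missing         - required key permissions the principal lacks
      excess          - key permissions granted beyond the minimum
      non_key         - secrets/certificates/storage permissions granted
      least_privilege - True only when found, in policy mode, nothing
                        missing, nothing extra and no non-key permissions
    """
    props = json.loads(vault_json).get("properties", {})
    result = {
        "found": False,
        "rbac_mode": bool(props.get("enableRbacAuthorization", False)),
        "missing": sorted(REQUIRED_KEY_PERMISSIONS.values()),
        "excess": [],
        "non_key": {},
        "least_privilege": False,
    }
    for policy in props.get("accessPolicies", []):
        if policy.get("objectId") != object_id:
            continue
        result["found"] = True
        perms = policy.get("permissions", {})
        # map lower-cased name -> spelling as granted, for case-insensitive matching
        granted = {p.lower(): p for p in (perms.get("keys") or [])}
        result["missing"] = sorted(
            canon for low, canon in REQUIRED_KEY_PERMISSIONS.items() if low not in granted)
        result["excess"] = sorted(
            orig for low, orig in granted.items() if low not in REQUIRED_KEY_PERMISSIONS)
        result["non_key"] = {
            cat: sorted(perms[cat]) for cat in NON_KEY_CATEGORIES if perms.get(cat)}
        break
    result["least_privilege"] = (
        result["found"] and not result["rbac_mode"] and not result["missing"]
        and not result["excess"] and not result["non_key"])
    return result


if __name__ == "__main__":
    for oid in ("11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222",
                "33333333-3333-3333-3333-333333333333"):
        print(oid, audit_access_policy(SAMPLE_VAULT_JSON, oid))
```

If the vault has `enableRbacAuthorization` set, access policies are ignored and the script reports `rbac_mode`; in that case list the principal's role assignments with `az role assignment list --scope <vault resource id>` and check that the role is scoped to the vault (or the key) rather than to the resource group or subscription. Neither mode requires the principal to hold any role over the subscription or any directory API permission for the unseal operation itself.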