Update Function Key Vault Access Policies

The Key vault must be updated to allow the Function App to decrypt the policy files. The Forwarder is using policy to confirm the authenticity of audit logs it receives from Event Hub and to digitally sign the aggregated logs that it sends to ESA. Update the Key vault access policies with function identity. To update the key vault access policies:

  1. From Azure console navigate to Key Vaults, select the Key Vault created in Key Vault.
  2. Select Access policies.
  3. Click Create.
  4. Select the following permissions in Permissions tab: a. Get under Key Management Operations. b. Unwrap Key under Cryptographic Operations. c. Get under Secret Permissions.
  5. Proceed Next to Principal.
  6. For Principal provide function identity a. For functions with user-assigned identity enter identity recorded in step Function User-Assigned Managed Identity b. For functions with system-assigned identity enter function name recorded in step Install Log Forwarder via ARM template
  7. Proceed Next to Application and Next again to Review + Create.
  8. Review permissions and Create.

Last modified : January 16, 2026