Sign in to the Azure AD portal at https://portal.azure.com/
![](/download/attachments/37591060/image2021-6-23_23-2-29.png?version=1&modificationDate=1624485749000&api=v2)
Click "Create a resource"
![](/download/attachments/37591060/image2021-6-23_23-5-36.png?version=1&modificationDate=1624485936000&api=v2)
In the search box, enter "key vault" and then select "Key Vault" from the drop-down list
![](/download/attachments/37591060/image2021-6-23_23-7-17.png?version=1&modificationDate=1624486037000&api=v2)
Click the "Create" button
![](/download/attachments/37591060/image2021-6-23_23-15-3.png?version=1&modificationDate=1624486503000&api=v2)
Select the Resource group that you have already created for SafeID Token Service, e.g. "SafeIdTokenService"
Enter the "Key vault name", e.g. "SafeIdTokenService"
Change other options if necessary
Click the "Access policy" button
![](/download/attachments/37591060/image2021-6-23_23-22-44.png?version=1&modificationDate=1624486963000&api=v2)
Make sure the "Permission model" is set to "Vault access policy"
Click "+Add Access Policy"
![](/download/attachments/37591060/image2021-6-24_13-24-2.png?version=1&modificationDate=1624537470000&api=v2)
Click the drop-down arrow on the right of "Secret permissions", and then select "Get" and "List"
Click "None selected" under "Select principal"
![](/download/attachments/37591060/image2021-6-23_23-39-48.png?version=1&modificationDate=1624487988000&api=v2)
Enter "all" in the search box, and then select "All Users"
Click the "Select" button
![](/download/attachments/37591060/image2021-6-24_13-33-8.png?version=1&modificationDate=1624538016000&api=v2)
Click "None selected" under "Authorized application"
![](/download/attachments/37591060/image2021-6-24_13-36-41.png?version=1&modificationDate=1624538230000&api=v2)
In the search box, enter the name of the application that you have previously created for STS, and then select it
Click the "Select" button
![](/download/attachments/37591060/image2021-6-24_13-38-13.png?version=1&modificationDate=1624538321000&api=v2)
Now, click the "Add" button to add this new access policy
![](/download/attachments/37591060/image2021-6-23_23-58-15.png?version=1&modificationDate=1624489095000&api=v2)
Click the "Review + create" button
![](/download/attachments/37591060/image2021-6-24_0-4-25.png?version=1&modificationDate=1624489465000&api=v2)
Review the settings and make sure they are all correct
Finally, click the "Create" button to create a new key vault
![](/download/attachments/37591060/image2021-6-24_0-5-46.png?version=1&modificationDate=1624489546000&api=v2)
Wait until the new key vault has been successfully created.
Now that the key vault has been created, we are going to save the username and password of the access user as secrets in the key vault.
Click "Go to resource"
Click "Secrets" on the navigation pane
![](/download/attachments/37591060/image2021-6-24_0-19-4.png?version=1&modificationDate=1624490343000&api=v2)
Click "Generate/Import" to create the first secret, i.e. AccessUserName
![](/download/attachments/37591060/image2021-6-24_0-23-29.png?version=1&modificationDate=1624490609000&api=v2)
In the "Name" box, enter "AccessUserName"
In the "Value" box, enter the user name of the access user with global admin privileges
Click "Create"
![](/download/attachments/37591060/image2021-6-24_0-27-20.png?version=1&modificationDate=1624490839000&api=v2)
Click "Generate/Import" again to create the second secret, i.e. AccessUserPassword
![](/download/attachments/37591060/image2021-6-24_0-36-51.png?version=1&modificationDate=1624491411000&api=v2)
In the "Name" box, enter "AccessUserPassword"
In the "Value" box, enter the password of the access user with global admin privileges
Click "Create"
![](/download/attachments/37591060/image2021-6-24_0-41-2.png?version=1&modificationDate=1624491662000&api=v2)
Click "Overview"
![](/download/attachments/37591060/image2021-6-24_0-43-2.png?version=1&modificationDate=1624491782000&api=v2)
Finally, make a note of "Vault URI"
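Because these secrets hold global admin credentials, it is worth confirming that the access policy built above grants the "All Users" principal only "Get" and "List" on secrets and only through the STS application. The following is an added example, not part of the original guide: `audit_vault` is a hypothetical helper, the JSON is a constructed sample trimmed to the fields of `az keyvault show` output that it reads, and all GUIDs are placeholders.

```python
import json

# Constructed sample, trimmed to the fields read below, shaped like
# `az keyvault show --name <vault>` output. GUIDs are placeholders.
SAMPLE_VAULT = json.loads("""
{
  "properties": {
    "enableRbacAuthorization": false,
    "vaultUri": "https://safeidtokenservice.vault.azure.net/",
    "accessPolicies": [
      {"objectId": "00000000-0000-0000-0000-0000000000a1",
       "applicationId": "00000000-0000-0000-0000-0000000000b1",
       "permissions": {"keys": [], "secrets": ["Get", "List"], "certificates": []}},
      {"objectId": "00000000-0000-0000-0000-0000000000a1",
       "applicationId": null,
       "permissions": {"keys": [], "secrets": ["Get", "List", "Set"], "certificates": []}}
    ]
  }
}
""")

ALLOWED_SECRET_PERMS = {"get", "list"}

def audit_vault(vault, group_object_id, sts_app_id):
    """Return findings where the vault deviates from the policy built in the steps."""
    props = vault["properties"]
    findings = []
    if props.get("enableRbacAuthorization"):
        findings.append("permission model is Azure RBAC, not Vault access policy")
    for i, pol in enumerate(props.get("accessPolicies", [])):
        if pol.get("objectId") != group_object_id:
            continue  # another principal's entry; out of scope for this check
        perms = pol.get("permissions", {})
        if pol.get("applicationId") != sts_app_id:
            findings.append(f"policy {i}: principal not bound to the STS application")
        extra = {p.lower() for p in perms.get("secrets") or []} - ALLOWED_SECRET_PERMS
        if extra:
            findings.append(f"policy {i}: extra secret permissions {sorted(extra)}")
        for kind in ("keys", "certificates", "storage"):
            if perms.get(kind):
                findings.append(f"policy {i}: unexpected {kind} permissions")
    return findings

if __name__ == "__main__":
    group, app = "00000000-0000-0000-0000-0000000000a1", "00000000-0000-0000-0000-0000000000b1"
    for finding in audit_vault(SAMPLE_VAULT, group, app):
        print(finding)
```

On the constructed sample, the second policy entry is reported twice: it has no authorized application, and it carries "Set" in addition to "Get" and "List".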