Hi LR,

This is the sanitized version of the error response using the AD token and the Secrets API:

"ERROR: Response status code does not indicate success: 401 (Unauthorized).

{
"error_code": "CUSTOMER_UNAUTHORIZED",
"message": "Unable to grant read/list permission to Databricks service principal to KeyVault 'https://<VAULT_NAME>.vault.azure.net/': Status code 403, '{\"error\": {\"code\": \"RequestDisallowedByPolicy\", \"target\": \"<VAULT_NAME>\", \"message\": \"Resource '<VAULT_NAME>' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Private endpoint must be configured for Key Vault\",\"id\":\"<POLICY_ASSIGNMENT_ID>\"},\"policyDefinition\":{\"name\":\"Key Vault - Private endpoint must be configured\",\"id\":\"<POLICY_DEFINITION_ID>\",\"version\":\"1.0.0\"}}]'\"}, \"additionalInfo\": [{\"type\": \"PolicyViolation\", \"info\": {\"evaluationDetails\": {\"evaluatedExpressions\": [{\"result\": \"True\", \"expressionKind\": \"Field\", \"expression\": \"type\", \"path\": \"type\", \"expressionValue\": \"Microsoft.KeyVault/vaults\", \"targetValue\": \"Microsoft.KeyVault/vaults\", \"operator\": \"Equals\"}, {\"result\": \"True\", \"expressionKind\": \"Field\", \"expression\": \"Microsoft.KeyVault/vaults/privateEndpointConnections\", \"path\": \"properties.privateEndpointConnections\", \"targetValue\": \"false\", \"operator\": \"Exists\"}]}, \"policyDefinitionId\": \"<POLICY_DEFINITION_ID>\", \"policyDefinitionName\": \"<POLICY_DEFINITION_ID>\", \"policyDefinitionDisplayName\": \"Key Vault - Private endpoint must be configured\", \"policyDefinitionVersion\": \"1.0.0\", \"policyDefinitionEffect\": \"deny\", \"policyAssignmentId\": \"<POLICY_ASSIGNMENT_ID>\", \"policyAssignmentName\": \"<POLICY_ASSIGNMENT_ID>\", \"policyAssignmentDisplayName\": \"Private endpoint must be configured for Key Vault\", \"policyAssignmentScope\": \"<POLICY_SCOPE>\", \"policyAssignmentParameters\": {}, \"policyExemptionIds\": [], \"policyEnrollmentIds\": []}}]}'",
"details": [
{
"@type": "type.googleapis.com/google.rpc.RequestInfo",
"request_id": "<REQUEST_ID>",
"serving_data": ""
}]
}"

Thanks,