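# Purpose: move every storage account in subscription $env:SUBSCRIPTION that still
# uses Microsoft-managed keys (KeySource 'Microsoft.Storage') onto a customer-managed
# key stored in the subscription's "*01" Key Vault (EXO/M365/SPO vaults excluded).
#
# Required env: SUBSCRIPTION - display name of the target subscription.
# Side effects per storage account: creates (or versions) a software key in the
# vault, enables a system-assigned managed identity on the account, grants that
# identity get/wrapkey/unwrapkey on the vault, then re-points the account's
# encryption at the vault key.

# Every step below is a prerequisite for the next one (identity -> access policy
# -> CMK switch); continuing past a failure would leave an account half-configured,
# so make all cmdlet errors terminating.
$ErrorActionPreference = 'Stop'

# A failed context switch must not fall through to whatever context happens to be
# active: everything below would then run against the wrong subscription.
try {
    Set-AzContext -Subscription $env:SUBSCRIPTION
}
catch {
    throw "Cannot select subscription '$($env:SUBSCRIPTION)': $($_.Exception.Message)"
}
# Not used further in this file.
$Subscription = (Get-AzSubscription | Where-Object Name -eq $env:SUBSCRIPTION).Id

# Select the single CMK vault by name pattern; refuse to continue if the pattern
# matches zero or several vaults rather than silently picking one.
$KVList = @(Get-AzKeyVault | Where-Object {
    ($_.VaultName -notlike "*EXO*" -and $_.VaultName -notlike "*M365*" -and $_.VaultName -notlike "*SPO*") -and
    $_.VaultName -like "*01"
})
if ($KVList.Count -ne 1) {
    throw "Expected exactly one key vault matching '*01', found $($KVList.Count): $($KVList.VaultName -join ', ')"
}
$KV = Get-AzKeyVault -VaultName $KVList[0].VaultName

# Storage CMK requires soft-delete and purge protection on the vault; fail here,
# before any identities or keys have been created.
if (-not $KV.EnableSoftDelete -or -not $KV.EnablePurgeProtection) {
    throw "Key vault '$($KV.VaultName)' must have soft-delete and purge protection enabled before it can hold storage CMKs"
}
# Set-AzKeyVaultAccessPolicy has no effect on a vault that uses Azure RBAC for its
# data plane; in that model the identity needs the
# 'Key Vault Crypto Service Encryption User' role instead.
if ($KV.EnableRbacAuthorization) {
    throw "Key vault '$($KV.VaultName)' uses RBAC authorization; grant 'Key Vault Crypto Service Encryption User' via role assignment instead of an access policy"
}

$SAs = Get-AzStorageAccount | Where-Object { $_.Encryption.KeySource -eq 'Microsoft.Storage' }
foreach ($SA in $SAs) {
    # Add-AzKeyVaultKey creates a new version when a key of that name already exists,
    # so re-running the script rotates the key rather than failing.
    $Key = Add-AzKeyVaultKey -VaultName $KV.VaultName `
        -Name ($SA.StorageAccountName.ToUpper() + '-encryption') `
        -Destination 'Software'

    # System-assigned identity; the returned object carries the new PrincipalId.
    $SA = Set-AzStorageAccount -ResourceGroupName $SA.ResourceGroupName `
        -Name $SA.StorageAccountName `
        -AssignIdentity
    $principalId = $SA.Identity.PrincipalId
    if (-not $principalId) {
        throw "No managed identity principal returned for storage account '$($SA.StorageAccountName)'"
    }

    # Least privilege for storage CMK: only get/wrapkey/unwrapkey.
    # -BypassObjectIdValidation is kept because the identity was created moments ago
    # and may not be visible in the directory yet — presumably the original reason
    # for the flag; confirm it is still needed with the current Az module.
    Set-AzKeyVaultAccessPolicy `
        -VaultName $KV.VaultName `
        -ObjectId $principalId `
        -PermissionsToKeys wrapkey,unwrapkey,get `
        -BypassObjectIdValidation

    # No -KeyVersion is passed; newer Az.Storage releases treat that as "track the
    # latest key version automatically" — verify against the module version in use.
    Set-AzStorageAccount `
        -ResourceGroupName $SA.ResourceGroupName `
        -Name $SA.StorageAccountName `
        -KeyvaultEncryption `
        -KeyName $Key.Name `
        -KeyVaultUri $KV.VaultUri
}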