diff --git a/examples/bootstrap-azure/README.md b/examples/bootstrap-azure/README.md
index 1bfb3fb..8cecd4b 100644
--- a/examples/bootstrap-azure/README.md
+++ b/examples/bootstrap-azure/README.md
@@ -11,6 +11,7 @@ The only required inputs are a object-id and tenant-id to give access to the key
 |------|-------------|:----:|:-----:|:-----:|
 | key\_vault\_object\_id | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. | string | n/a | yes |
 | key\_vault\_tenant\_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string | n/a | yes |
+| application\_id | The application ID of the service principal for the vault. | string | n/a | yes |
 | additional\_tags | A map of additional tags to attach to all resources created. | map | `{}` | no |
 | address\_space | CIDR block range to use for the network. | string | `"10.0.0.0/16"` | no |
 | address\_space\_allowlist | CIDR block range to use to allow traffic from | string | `"*"` | no |
diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf
index 593e2a6..26001a0 100644
--- a/examples/bootstrap-azure/key_vault.tf
+++ b/examples/bootstrap-azure/key_vault.tf
@@ -1,34 +1,115 @@
+# read in current AzureRM client config so we can give it some permissions wrt the Keyvault.
+data "azurerm_client_config" "current" {}
+
 resource "azurerm_key_vault" "new" {
-  name                            = "${local.prefix}"
+  name                            = "${local.prefix}-kv"
   resource_group_name             = "${azurerm_resource_group.new.name}"
   location                        = "${var.location}"
   sku_name                        = "standard"
-  tenant_id                       = "${var.key_vault_tenant_id}"
+  tenant_id                       = "${var.key_vault_tenant_id}" # The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
   tags                            = "${local.tags}"
   enabled_for_deployment          = true
   enabled_for_template_deployment = true
 
-  access_policy {
+  access_policy {                             # access policy for the current signed in user building the vault.
+    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
+    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"
+    key_permissions = [
+    "backup",
+    "create",
+    "decrypt",
+    "delete",
+    "encrypt",
+    "get",
+    "import",
+    "list",
+    "purge",
+    "recover",
+    "restore",
+    "sign",
+    "unwrapKey",
+    "update",
+    "verify",
+    "wrapKey",
+    ]
+    secret_permissions = [
+    "backup",
+    "delete",
+    "get",
+    "list",
+    "purge",
+    "recover",
+    "restore",
+    "set",
+    ]
+    certificate_permissions = [
+    "create",
+    "delete",
+    "deleteissuers",
+    "get",
+    "getissuers",
+    "import",
+    "list",
+    "listissuers",
+    "managecontacts",
+    "manageissuers",
+    "setissuers",
+    "update",
+    ]
+  }
+  
+  access_policy {                             # access policy for the required/created/dedicated/selected keyvault SP user
     tenant_id = "${var.key_vault_tenant_id}"
     object_id = "${var.key_vault_object_id}"
-
-    certificate_permissions = [
+    key_permissions = [
       "get",
       "list",
+      "update",
       "create",
+      "import",
+      "delete",
+    ]
+    secret_permissions = [
+      "get",
+      "list",
+      "set",
       "delete",
     ]
+    certificate_permissions = [
+      "get",
+      "list",
+      "update",
+      "create",
+      "import",
+      "delete",
+    ]  
+  }
 
+  access_policy {                             # access policy for the required/created/dedicated/selected keyvault SP user
+    tenant_id = "${var.key_vault_tenant_id}"
+    object_id = "${var.key_vault_object_id}"
+    application_id = "${var.application_id}"
     key_permissions = [
       "get",
       "list",
+      "update",
       "create",
+      "import",
+      "delete",
     ]
-
     secret_permissions = [
       "get",
       "list",
       "set",
+      "delete",
+    ]
+    certificate_permissions = [
+      "get",
+      "list",
+      "update",
+      "create",
+      "import",
+      "delete",
     ]
   }
 }
diff --git a/examples/bootstrap-azure/variables.tf b/examples/bootstrap-azure/variables.tf
index 47bde30..9bd8814 100644
--- a/examples/bootstrap-azure/variables.tf
+++ b/examples/bootstrap-azure/variables.tf
@@ -34,7 +34,11 @@ variable "key_vault_tenant_id" {
 }
 
 variable "key_vault_object_id" {
-  description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault."
+  description = "The object ID of the service principal for the vault."
+}
+
+variable "application_id" {
+  description = "The application ID of the service principal for the vault."
 }
 
 locals {