Forum Discussion
Azure Virtual Desktop (AVD) - Enable Cloud Kerberos for storage accounts question
I need to enable Cloud Kerberos for the storage accounts used by an AVD host pool. I am thinking of following the instructions below. Are these the correct steps, and is that all that is required?

After enabling AADKERB on the storage account:

1a. Log in to the correct tenant

Use Azure CLI to log into the correct tenant:

```powershell
az login --tenant <tenantName>
```

1b. Find the AADKERB Service Principal

Look up by display name pattern:

```powershell
az ad sp list --filter "startswith(displayName,'[Storage Account]')" --query "[?contains(displayName,'<storageAccountName>')].{id:id,appId:appId,name:displayName}" -o table
```

1c. Grant Admin Consent

The AADKERB SP requires the following delegated permissions on Microsoft Graph:
- openid
- profile
- User.Read (this is often overlooked but required)

Get the Microsoft Graph SP ID:

```powershell
# Well-known appId of Microsoft Graph; returns the object id of its service principal
$graphSpId = az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query "[0].id" -o tsv
```

Get the AADKERB SP ID:

```powershell
# The "id" column from step 1b
$aadkerbSpId = "<id from step 1b>"
```

Check existing grants:

```powershell
# Backtick escapes $filter so PowerShell does not expand it as a variable
az rest --method GET --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants?`$filter=clientId eq '$aadkerbSpId' and resourceId eq '$graphSpId'"
```

Create or update the grant:

```powershell
# Build the JSON body in PowerShell and pass it via a file to avoid nested-quote problems
$body = @{
    clientId    = $aadkerbSpId
    consentType = "AllPrincipals"
    resourceId  = $graphSpId
    scope       = "openid profile User.Read"
} | ConvertTo-Json
[System.IO.File]::WriteAllText("$PWD\grant.json", $body)
az rest --method POST --url "https://graph.microsoft.com/v1.0/oauth2PermissionGrants" --body "@grant.json"
```
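The following script is an added example and is not part of the original post or Microsoft's own tooling. It wraps the steps above into one idempotent check: it resolves the two service principals, reads the existing tenant-wide grant, and only creates (POST) or extends (PATCH) it when a required scope is actually missing, so running it twice does not try to POST a duplicate grant. It assumes Azure CLI is installed, that `az login --tenant <tenantName>` has already been run with an account able to grant admin consent, that the AADKERB service principal is named `[Storage Account] <storageAccountName>.file.core.windows.net` (the display-name pattern the post filters on), and that `$StorageAccountName` is supplied by you; the helper `Invoke-GraphJson` is a local function defined here, not an Azure CLI command.

```powershell
# Added example: idempotent Microsoft Graph admin-consent check for a storage account's AADKERB SP.
param(
    [Parameter(Mandatory = $true)] [string] $StorageAccountName   # your storage account name
)
$ErrorActionPreference = 'Stop'
$RequiredScopes = @('openid', 'profile', 'User.Read')
$GraphAppId     = '00000003-0000-0000-c000-000000000000'           # well-known Microsoft Graph appId
$GrantsUrl      = 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants'

# Local helper: send a JSON body through "az rest" via a temp file (avoids nested-quote issues).
function Invoke-GraphJson {
    param([string] $Method, [string] $Url, [hashtable] $Body)
    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        # WriteAllText writes UTF-8 without a BOM, which a JSON parser accepts
        [System.IO.File]::WriteAllText($tmp, ($Body | ConvertTo-Json -Compress))
        az rest --method $Method --url $Url --body "@$tmp" -o json
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

# 1. Resolve the Microsoft Graph resource SP and the storage account's AADKERB client SP.
$graphSpId = az ad sp list --filter "appId eq '$GraphAppId'" --query '[0].id' -o tsv
if (-not $graphSpId) { throw 'Microsoft Graph service principal not found in this tenant.' }

# Assumed display-name pattern for the AADKERB SP (same pattern the post's filter relies on)
$spName = "[Storage Account] $StorageAccountName.file.core.windows.net"
$found  = az ad sp list --filter "displayName eq '$spName'" -o json | ConvertFrom-Json
$aadkerbSp = @($found) | Select-Object -First 1
if (-not $aadkerbSp) {
    throw "No service principal named '$spName'. Enable Microsoft Entra Kerberos on the storage account first."
}

# 2. Read the existing tenant-wide (AllPrincipals) grant from the AADKERB SP to Microsoft Graph, if any.
$filter  = "clientId eq '$($aadkerbSp.id)' and resourceId eq '$graphSpId' and consentType eq 'AllPrincipals'"
$existing = az rest --method GET --url "${GrantsUrl}?`$filter=$filter" -o json | ConvertFrom-Json
$grant = @($existing.value) | Select-Object -First 1

if (-not $grant) {
    # 3a. No grant yet: create one carrying exactly the required delegated scopes.
    $created = Invoke-GraphJson -Method POST -Url $GrantsUrl -Body @{
        clientId    = $aadkerbSp.id
        consentType = 'AllPrincipals'
        resourceId  = $graphSpId
        scope       = ($RequiredScopes -join ' ')
    } | ConvertFrom-Json
    Write-Host "Created grant $($created.id) with scope '$($created.scope)'"
} else {
    # 3b. A grant already exists: a second POST for the same client/resource pair is not an update,
    #     so compare scopes and PATCH the existing grant only when something required is missing.
    $current = @(($grant.scope -split '\s+') | Where-Object { $_ })
    $missing = @($RequiredScopes | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Host "Grant $($grant.id) already has scope '$($grant.scope)'; nothing to do."
    } else {
        $merged = ($current + $missing) -join ' '
        Invoke-GraphJson -Method PATCH -Url "$GrantsUrl/$($grant.id)" -Body @{ scope = $merged } | Out-Null
        Write-Host "Updated grant $($grant.id): added '$($missing -join ' ')' -> scope '$merged'"
    }
}

# 4. Re-read the grant so the final state is visible in the console (and in your change record).
$verify = az rest --method GET --url "${GrantsUrl}?`$filter=$filter" -o json | ConvertFrom-Json
Write-Host "Effective scope: '$(@($verify.value)[0].scope)'"
```

Run it as `.\Grant-AadKerbConsent.ps1 -StorageAccountName <storageAccountName>` (any file name works). The merge-then-PATCH branch matters because the post's "create or update" step is a plain POST: if an earlier consent exists with only `openid profile`, the script adds `User.Read` to it instead of failing or leaving the incomplete grant in place.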
1 Reply
Your proposed steps are generally consistent with the process for enabling Cloud Kerberos (AADKERB) authentication on Azure Virtual Desktop storage accounts. However, Microsoft’s official guidance underscores two critical requirements:
- Configuration of Microsoft Entra Kerberos authentication must be explicitly enabled on the storage account.
- Appropriate Microsoft Graph API permissions must be granted to the AADKERB service principal, including openid, profile, and User.Read.
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-cloud-trust?tabs=azure-portal
https://learn.microsoft.com/en-us/answers/questions/5822457/azure-virtual-desktop(avd)-enable-cloud-kerberos-f