You Azure user must have "Encrypt" and "Decrypt" Access Policy for the key.
KEY_VAULT_NAME="PASTE-YOUR-KEY-VAULT-NAME-HERE"
KEY_NAME="PASTE-YOUR-KEY-NAME-HERE"
KV=$(az keyvault key show --name $KEY_NAME --vault-name $KEY_VAULT_NAME | jq -r ".key.kid")
sops --encrypt --azure-kv $KV file-decrypted > file-encrypted
sops --decrypt file-encrypted