diff --git a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java
index c73b3b6f79c92..0e4ceb71e1176 100644
--- a/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java
+++ b/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/KeyVaultClient.java
@@ -491,6 +491,10 @@ public byte[] getSignedWithPrivateKey(String digestName, String digestValue, Str
             } catch (IOException e) {
                 LOGGER.log(WARNING, "Failed to parse sign result response.", e);
             }
+        } else {
+            LOGGER.log(WARNING,
+                "Can not get signature. It can be caused by missing 'sign' permission. To know how to add 'sign' permission, "
+                    + "see https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca#key-less-certificates.");
         }
 
         byte[] signature;