Microsoft Security | Microsoft Entra | Microsoft Entra ID
Getting 403 but I have Global Admin & passing `Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.ReadWrite.All"`

```text
New-MgDomainFederationConfiguration_CreateExpanded: Insufficient privileges to complete the operation.
```
```powershell
# ============================
# Entra ID Federation Setup
# IdP: Okta (SAML Federation)
# ============================
# Requires the Microsoft.Graph PowerShell SDK (cmdlet lives in Microsoft.Graph.Identity.DirectoryManagement)
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.ReadWrite.All"

# --- Variables (sanitize and customize) ---
$domain      = "<your-verified-domain>"                     # e.g., corp.example.com
$issuer      = "http://www.okta.com/<okta-app-id>"          # From Okta SAML metadata (EntityID)
$signInUrl   = "https://<okta-tenant>.okta.com/app/<okta-app-name>/<okta-app-id>/sso/saml"
$metadataUrl = "https://<okta-tenant>.okta.com/app/<okta-app-id>/sso/saml/metadata"
$signOutUrl  = "https://<okta-tenant>.okta.com"
$certBase64  = "<base64-signing-certificate-from-okta>"     # Extracted from Okta metadata

# --- Create Federation Configuration in Entra ID ---
# PassiveSignInUri and PreferredAuthenticationProtocol are required by the
# internalDomainFederation resource; for Okta SAML the passive (browser) and
# active sign-in endpoints are the same SSO URL.
New-MgDomainFederationConfiguration `
    -DomainId $domain `
    -DisplayName "Okta_IDP" `
    -IssuerUri $issuer `
    -PassiveSignInUri $signInUrl `
    -ActiveSignInUri $signInUrl `
    -MetadataExchangeUri $metadataUrl `
    -SignOutUri $signOutUrl `
    -SigningCertificate $certBase64 `
    -PreferredAuthenticationProtocol "saml" `
    -FederatedIdpMfaBehavior "acceptIfMfaDoneByFederatedIdp" |
    Format-List
```
Answer recommended by moderator
Fixed with Directory.AccessAsUser.All

```powershell
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.ReadWrite.All","Directory.AccessAsUser.All"
```
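Added example (not part of the question or the accepted answer) showing how to confirm the delegated token actually carries the scopes the answer names before converting the domain, and how to read the federation configuration back afterwards so the issuer and signing certificate that Entra ID will now trust can be reviewed. The `<...>` values are the same placeholders used in the question.

```powershell
# Added example; assumes the Microsoft.Graph PowerShell SDK and the placeholder
# values from the question above (replace <...> with real values).
$domain = "<your-verified-domain>"

# 1. Drop any cached session: a token issued without Directory.AccessAsUser.All
#    is silently reused otherwise, and the 403 from the question comes back.
Disconnect-MgGraph -ErrorAction SilentlyContinue
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.ReadWrite.All","Directory.AccessAsUser.All"

# 2. Check what was actually granted (consent may have been declined).
$ctx = Get-MgContext
$required = @("Domain.ReadWrite.All","Directory.AccessAsUser.All")
$missing = $required | Where-Object { $ctx.Scopes -notcontains $_ }
if ($missing) {
    throw "Token is missing scopes: $($missing -join ', '). Re-consent before continuing."
}

# 3. Federation only applies to a verified domain; record the state before the change.
$before = Get-MgDomain -DomainId $domain
if (-not $before.IsVerified) { throw "$domain is not verified in this tenant." }
"Before: $domain AuthenticationType = $($before.AuthenticationType)"

# 4. Create the federation configuration with the values from the question.
$params = @{
    DomainId                        = $domain
    DisplayName                     = "Okta_IDP"
    IssuerUri                       = "http://www.okta.com/<okta-app-id>"
    PassiveSignInUri                = "https://<okta-tenant>.okta.com/app/<okta-app-name>/<okta-app-id>/sso/saml"
    ActiveSignInUri                 = "https://<okta-tenant>.okta.com/app/<okta-app-name>/<okta-app-id>/sso/saml"
    MetadataExchangeUri             = "https://<okta-tenant>.okta.com/app/<okta-app-id>/sso/saml/metadata"
    SignOutUri                      = "https://<okta-tenant>.okta.com"
    SigningCertificate              = "<base64-signing-certificate-from-okta>"
    PreferredAuthenticationProtocol = "saml"
    FederatedIdpMfaBehavior         = "acceptIfMfaDoneByFederatedIdp"
}
New-MgDomainFederationConfiguration @params | Out-Null

# 5. Read back what the tenant now trusts to sign tokens for this domain.
$after = Get-MgDomain -DomainId $domain
$fed   = Get-MgDomainFederationConfiguration -DomainId $domain
"After:  $domain AuthenticationType = $($after.AuthenticationType)"
"Trusted issuer: $($fed.IssuerUri)"
$certBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
"Signing certificate: $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter)"
```

The read-back step is worth keeping in any change record: after this call, every token signed by that certificate for that issuer is accepted as a user of the domain, so the thumbprint and expiry are what an auditor or incident responder will later need.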