Grant yourself the following delegated permissions:
Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration, and User.ReadWrite.All.
Read the doc to create SAML signin custom signing certificate - https://learn.microsoft.com/en-us/graph/application-saml-sso-configure-api?tabs=http%2Cpowershell-script