Hello @David Downing and thanks for reaching out. User.ManageIdentities.All is an MS Graph permission. Although it sounds related to Managed Identities, it is not. The required Azure AD permission/scope is https://management.core.windows.net/.default. Also, the calling principal (user or application) must belong to an Azure RBAC role that contains the Microsoft.ManagedIdentity/userAssignedIdentities/write permission, such as the Managed Identity Contributor.
**Additionally, and as found by @David Downing himself, you will also need to add a Contributor role at the subscription level for the App Registration (Service Principal).** Thanks a lot for this one @David Downing!
For information on how to assign an Azure RBAC role, please take a look at Steps to assign an Azure role.
Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
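To make the two requirements from the answer concrete (the token must be issued for the ARM audience, not Graph, and an assigned role must actually contain the write action), here is an added example that is not part of the answer above: a small offline checker that evaluates decoded token claims and Azure-RBAC-style role definitions (Actions minus NotActions, with `*` wildcards). The role definitions and token claims are constructed, simplified samples, not copied from Azure.

```python
import fnmatch

# Audience of an ARM access token, i.e. the resource behind the
# https://management.core.windows.net/.default scope named in the answer.
REQUIRED_AUDIENCE = "https://management.core.windows.net/"
REQUIRED_ACTION = "Microsoft.ManagedIdentity/userAssignedIdentities/write"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # aud of an MS Graph token

# Constructed, simplified role definitions (not the full built-in definitions).
ROLES = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "Managed Identity Contributor": {
        "actions": [
            "Microsoft.ManagedIdentity/userAssignedIdentities/read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/write",
            "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        ],
        "notActions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "notActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive and '*' spans segments."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_grants(role_def: dict, action: str) -> bool:
    """Effective permission = any Actions match AND no NotActions match."""
    allowed = any(action_matches(p, action) for p in role_def["actions"])
    denied = any(action_matches(p, action) for p in role_def["notActions"])
    return allowed and not denied


def token_audience_ok(claims: dict) -> bool:
    """A Graph token (aud = Graph app id) is rejected; only the ARM audience passes."""
    return claims.get("aud", "").rstrip("/") == REQUIRED_AUDIENCE.rstrip("/")


def can_write_user_assigned_identity(claims: dict, assigned_roles: list) -> bool:
    """True only when both the token audience and an assigned role are right."""
    role_ok = any(role_grants(ROLES[name], REQUIRED_ACTION) for name in assigned_roles)
    return token_audience_ok(claims) and role_ok


if __name__ == "__main__":
    arm = {"aud": REQUIRED_AUDIENCE}      # constructed decoded-claims sample
    graph = {"aud": GRAPH_APP_ID}         # what User.ManageIdentities.All yields
    print(can_write_user_assigned_identity(graph, ["Managed Identity Contributor"]))  # False
    print(can_write_user_assigned_identity(arm, ["Reader"]))                          # False
    print(can_write_user_assigned_identity(arm, ["Managed Identity Contributor"]))    # True
```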