Hello Joe Chen,
Thanks for your question.
Depending on the full set of operations you want to perform, you can assign different roles based on least privilege.
The ‘db_ddladmin’ role is only required if the managed identity needs to perform operations that modify the schema of the database, such as CREATE, ALTER, or DROP. It is the least privileged if you need necessarily to perform ALL DDL operations.
These are documented here:
Per the managed Identity, SQL database access control is managed through database users and their assigned roles. the managed Identity Object ID will change but the SQL user will retain its database level roles.
Please let me know if you have further questions**
You can mark it 'Accept Answer' if this helped.