AuthorizationFailed with User-assigned Managed Identity accessing ADF

Jesse Davis 6 Reputation points
2022-04-17T16:33:27.407+00:00

What I'm trying to do

Create and query ADF pipelines from a consumption-tier Logic App by using a User-assigned managed identity

What I've done

  • Created logic app
  • Created User-assigned managed identity

For the identity, I have assigned/verified these roles:

  • Assigned Reader to the Subscription

The above was insufficient, so then I:

  • Added the Identity to the ADF explicitly
  • Assigned Owner to the Data Factory explicitly
  • Assigned Contributor to the Data Factory explicitly

I continue to receive:

{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '<my-managedidentity-objectid-guid>' with object id '<my-managedidentity-objectid-guid>' does not have authorization to perform action 'Microsoft.DataFactory/factories/pipelines/CreateRun/action' over scope '/subscriptions/<my-subscription-guid>/resourcegroups/<my-resourcegroup>/providers/Microsoft.DataFactory/factories/<my-adf>/pipelines/<my-pipeline>' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Any advice is appreciated.


1 answer

  1. Jesse Davis 6 Reputation points
    2022-04-17T18:23:28.38+00:00

    After some more research:
    https://learn.microsoft.com/en-us/azure/data-factory/concepts-roles-permissions

    Specifically:

    Set up permissions
    After you create a Data Factory, you may want to let other users work with the data factory. To give this access to other users, you have to add them to the built-in Data Factory Contributor role on the Resource Group that contains the Data Factory.

    This was not intuitive to me, but it resolved the issue.

    The following are NOT sufficient to access ADF resources for a User-assigned Managed Identity

    • Owner of the Data Factory
    • Contributor of the Data Factory
    1 person found this answer helpful.
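
A triage helper for the error and fix described in this thread, as an added example that is not part of the original question or answer: it parses the AuthorizationFailed body, derives the resource group that contains the factory, and checks whether the identity holds Data Factory Contributor there. The GUIDs, resource names and role assignment list are constructed placeholders, and the function names are hypothetical; the assignment records are assumed to carry the principalId, roleDefinitionName and scope fields that `az role assignment list` prints.

```python
import json
import re

OID = "11111111-1111-1111-1111-111111111111"   # constructed placeholder object id
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
# Constructed sample: the error body from the question with placeholder names filled in.
ERROR_BODY = json.dumps({"error": {"code": "AuthorizationFailed", "message": (
    f"The client '{OID}' with object id '{OID}' does not have authorization to perform "
    "action 'Microsoft.DataFactory/factories/pipelines/CreateRun/action' over scope "
    f"'{SUB}/resourcegroups/rg-data/providers/Microsoft.DataFactory/factories/adf-demo"
    "/pipelines/pl-copy' or the scope is invalid.")}})

# Constructed sample shaped like `az role assignment list` JSON output (fields trimmed).
ASSIGNMENTS = [
    {"principalId": OID, "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": OID, "roleDefinitionName": "Owner", "scope":
        f"{SUB}/resourceGroups/rg-data/providers/Microsoft.DataFactory/factories/adf-demo"},
]

DENIAL_RE = re.compile(r"object id '(?P<object_id>[^']+)'.*?perform action "
                       r"'(?P<action>[^']+)' over scope '(?P<scope>[^']+)'", re.S)
RG_RE = re.compile(r"/subscriptions/[^/]+/resourcegroups/[^/]+", re.I)

def parse_denial(body):
    """Extract principal, denied action and scope from an AuthorizationFailed body."""
    err = json.loads(body)["error"]
    match = DENIAL_RE.search(err["message"])
    if err["code"] != "AuthorizationFailed" or not match:
        raise ValueError("not a recognisable AuthorizationFailed error")
    return match.groupdict()

def has_role_at(assignments, object_id, role, scope):
    """True if the principal holds `role` assigned exactly at `scope`."""
    # ARM IDs are case-insensitive: the error prints 'resourcegroups',
    # role assignment listings print 'resourceGroups'.
    return any(a["principalId"].lower() == object_id.lower()
               and a["roleDefinitionName"] == role
               and a["scope"].rstrip("/").lower() == scope.lower()
               for a in assignments)

def triage(body, assignments, role="Data Factory Contributor"):
    """Report whether the denied principal has `role` on the containing resource group."""
    denial = parse_denial(body)
    rg = RG_RE.match(denial["scope"])
    if not rg:
        raise ValueError("denied scope is not inside a resource group")
    denial["rg_scope"] = rg.group(0)
    denial["role_present"] = has_role_at(assignments, denial["object_id"], role, rg.group(0))
    return denial
```

With the sample assignments (Reader on the subscription, Owner on the factory) `role_present` is False; it becomes True once a Data Factory Contributor assignment at the resource group scope is in the list.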