SQLPackage requires a server login to deploy permissions?

Question

• Using sqlpackage.exe to deploy to an Azure SQL database
• using Azure Active Directory Universal / Interactive authententication
• With a user set up directly in the database (i.e., not a login at the sever level) - a contained user set up "for external provider".
• User is a member of db_owner

sqlpackage.exe /action:script will not manage permissions. There are GRANT permissions set up in the sqlproject and in the dacpac file (I checked by unzipping it), but sqlpackage.exe simply won't include any grant or drop permission statements. I ran it with the /Diagnostics:True option and there was output like:

Microsoft.Data.Tools.Diagnostics.Tracer Error: 1 : 2022-06-08T18:07:03 : Problem with sql connection: Login failed for user '<token-identified principal>'.  
Microsoft.Data.Tools.Diagnostics.Tracer Warning: 0 : 2022-06-08T18:07:03 : Permission is not supported in target server: Select  

Clearly 'select' permission is supported by the server! And the login issue made me wonder if it was trying to use a server-level login.

If I re-ran and authenticated as an sql login at the server level that's a member of sysadmin (the sql admin one sets as part of azure setup), it does work correctly. Still, in production, we would much rather use contained users and azure-ad authentication wherever possible! At the very least, it needs to give an error message as I didn't know permissions were out of sync from the ssdt project. Of course, I would much rather that it worked.