What permissions are needed for an Azure Runbook to execute the SQL command CREATE USER FROM EXTERNAL PROVIDER

Question

I have an automation account that creates an Azure SQL database and attempts to provision a user from Microsoft Entra Id with access to the database

My automation account is configured with a system assigned managed entity and a user assigned Managed Identity

Both of these accounts have Directory Reader permissions on Microsoft Entra

Below is an excerpt of my PoowerShell 5.1 script in my runbook

# Ensures you do not inherit an AzContext in your runbook
$null = Disable-AzContextAutosave -Scope Process
# Connect using a Managed Service Identity
try {
    $AzureConnection = (Connect-AzAccount -Identity).context
}
catch {
    Write-Output "There is no system-assigned user identity. Aborting." 
    exit
}
# set and store context
$AzureContext = Set-AzContext -SubscriptionId $SubscriptionId -DefaultProfile $AzureConnection
Write-Output "Using user-assigned managed identity: $UAMI"
# Connects using the Managed Service Identity of the named user-assigned managed identity
$identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroup -Name $UAMI -SubscriptionId $SubscriptionId #-DefaultProfile $AzureContext
Write-Output "Identity: " $identity.name
# validates assignment only, not perms
$AzAutomationAccount = Get-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $automationAccount -DefaultProfile $AzureContext
if ($AzAutomationAccount.Identity.UserAssignedIdentities.Values.PrincipalId.Contains($identity.PrincipalId)) 
{
    $AzureConnection = (Connect-AzAccount -Identity -AccountId $identity.ClientId).context
    # set and store context
    $AzureContext = Set-AzContext -SubscriptionName $AzureConnection.Subscription -DefaultProfile $AzureConnection
}
else 
{
    Write-Output "Invalid or unassigned user-assigned managed identity"
    exit
}
Write-Output "Account ID of current context: " $AzureContext.Account.Id
Write-Output "Get the access token for Azure SQL"
$access_token = (Get-AzAccessToken -ResourceUrl https://database.windows.net).Token 
$query = 'CREATE USER [mike.w-------@-----.com] FROM EXTERNAL PROVIDER'
Invoke-Sqlcmd -ServerInstance $TargetServerName -AccessToken $access_token -Database $DatabaseName -Query $query

When I execute the runbook, it generates the following

Using user-assigned managed identity: sql-prod-db-id
Identity: 
sql-prod-db-id
Account ID of current context: 
cd3c9e26-5b01-493b-b0d2-1eb8e29d5407
Get the access token for Azure SQL
Principal 'mike.w-------@-----.com' could not be resolved. Error message: 'AADSTS700016: Application with identifier 'c55cf4e8-b97f-452f-a445-daebb9dfcaf8' was not found in the directory '-----'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: f54e3f93-6d54-4ff9-9697-78e585be7500 Correlation ID: d52c406d-303b-421b-83bc-00e81438fc48 Timestamp: 2024-05-10 21:51:31Z' 
 Msg 33134, Level 16, State 1, Procedure , Line 1.

sql-prod-db-id is the user assigned managed identity. On the database it has the role db_owner. In Microsoft Entra Id it has the directory reader role.

I do get an access token for SQL Server and if I run some other command like SELECT * FROM <schema>.<table>. It runs without issue. I can even create SQL users without issue. It is the FROM EXTERNAL PROVIDER clause that generates the error.

So it makes me think that it is a permissions issue somewhere.

The error makes reference to "Error message: 'AADSTS700016: Application with identifier 'c55cf4e8-b97f-452f-a445-daebb9dfcaf8' was not found in the directory '-----'."

I have no idea what application this is referring to. Nor do I know how to look up the application by the listed GUID.

I tried

and

So I don't know where to look or what I have missed