I forgot that when we go through the API we need to give the Blueprint first-party app (which is an SPN in all tenants) owner permissions on the subscription. This is specifically for the system-assigned managed identity path. We use the first-party app to create the system-assigned identity with owner permissions. When an assignment completes, we remove the first-party app from the subscription so we don’t have standing access.
Here is some more info: https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-rest-api#assign-a-blueprint
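The grant-then-revoke sequence described above, as an added Azure CLI example (not code from the original comment or from the Blueprints service); it assumes a logged-in `az` CLI, that `az ad sp list` reports the service principal object id in the `id` field (Azure CLI 2.37 and later), and that the caller performs the blueprint assignment PUT itself between the two steps:

```shell
#!/usr/bin/env sh
# Added example: temporarily grant the Azure Blueprints first-party SPN Owner
# on a subscription for a system-assigned-identity assignment, then revoke it
# and verify no role assignment is left behind (no standing access).
set -eu

# Pure helper: ARM scope string for a subscription id.
subscription_scope() {
  printf '/subscriptions/%s' "$1"
}

# Object id of the Azure Blueprints first-party app in this tenant
# (assumes the 'id' field carries the object id, Azure CLI 2.37+).
blueprints_sp_object_id() {
  az ad sp list --display-name "Azure Blueprints" --query "[0].id" -o tsv
}

# Step 1: grant Owner at subscription scope before calling the assignment API.
grant_blueprints_owner() {
  sub="$1"; sp="$(blueprints_sp_object_id)"
  az role assignment create \
    --assignee-object-id "$sp" --assignee-principal-type ServicePrincipal \
    --role Owner --scope "$(subscription_scope "$sub")" -o none
}

# Step 3: once the assignment has completed, remove the Owner grant and confirm
# the first-party app holds no role assignments at this scope.
revoke_blueprints_owner() {
  sub="$1"; sp="$(blueprints_sp_object_id)"; scope="$(subscription_scope "$sub")"
  az role assignment delete --assignee "$sp" --role Owner --scope "$scope" -o none
  left="$(az role assignment list --assignee "$sp" --scope "$scope" \
            --query 'length(@)' -o tsv)"
  [ "$left" -eq 0 ] || { echo "residual role assignments for Blueprints SPN: $left" >&2; return 1; }
}

# Usage: BLUEPRINT_SUBSCRIPTION_ID=<guid> sh script.sh grant|revoke
# Step 2 (the blueprint assignment PUT) is performed by the caller in between.
if [ -n "${BLUEPRINT_SUBSCRIPTION_ID:-}" ]; then
  case "${1:-}" in
    grant)  grant_blueprints_owner "$BLUEPRINT_SUBSCRIPTION_ID" ;;
    revoke) revoke_blueprints_owner "$BLUEPRINT_SUBSCRIPTION_ID" ;;
    *) echo "usage: $0 grant|revoke" >&2; exit 2 ;;
  esac
fi
```

The residual-assignment check in `revoke_blueprints_owner` is the part worth keeping in a periodic audit: a non-zero count means the first-party app still has standing rights on that subscription.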