# azure
h
What is the minimum access pulumi needs for AKS creation?
Currently, I'm using these permissions, but I don't feel comfortable granting
• Directory.ReadWrite.All
• Application.ReadWrite.All
Is there something more specific?
export CIL_AZURE_SUBSCRIPTION_ID="ABC"
export CIL_AZURE_SP_NAME="devsecops-iac-rbac"

# Owner on the whole subscription. creds.json contains the client secret, so
# keep it out of version control. (Newer az releases warn that --sdk-auth is deprecated.)
az ad sp create-for-rbac --sdk-auth \
  --role Owner \
  --scopes "/subscriptions/${CIL_AZURE_SUBSCRIPTION_ID}" -n "${CIL_AZURE_SP_NAME}" > creds.json

# Extract the app (client) id. The sed fallback matches the field by name instead of
# relying on fixed column positions (cut -c 16-51 breaks if the JSON layout changes).
if command -v jq > /dev/null 2>&1; then
  AZURE_CLIENT_ID=$(jq -r '.clientId' < creds.json)
else
  AZURE_CLIENT_ID=$(sed -n 's/.*"clientId": *"\([^"]*\)".*/\1/p' creds.json)
fi

# Application permissions (Role) on the legacy Azure AD Graph API:
RW_ALL_APPS=1cda74f2-2616-4834-b122-5cb1b07f8a59    # Application.ReadWrite.All
RW_DIR_DATA=78c8a3c8-a07e-4b9e-af1b-b5ccab50a175    # Directory.ReadWrite.All
AAD_GRAPH_API=00000002-0000-0000-c000-000000000000  # Azure AD Graph (legacy)

az ad app permission add --id "${AZURE_CLIENT_ID}" --api "${AAD_GRAPH_API}" \
  --api-permissions "${RW_ALL_APPS}=Role" "${RW_DIR_DATA}=Role"
# Application permissions only take effect after admin consent:
az ad app permission admin-consent --id "${AZURE_CLIENT_ID}"
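An added example that is not part of the original post and not Pulumi's or Azure's own tooling. It takes the bootstrap script above and narrows it: the service principal gets Contributor on one resource group instead of Owner on the subscription, the Graph permission is resolved by name from the Microsoft Graph service principal instead of a hard-coded GUID, and the script refuses to continue if the principal turns out to hold anything broader than intended. Assumptions, none of which come from the page: the cluster is deployed into an existing resource group; Application.ReadWrite.OwnedBy (apps the principal creates itself) is enough for any AAD objects the stack registers, and a managed-identity cluster needs no Graph permission at all; whether a given Pulumi stack also needs role-assignment writes (Owner or User Access Administrator) is not settled here. The function names (`json_field`, `find_overbroad_assignments`, `graph_app_role_id`, `bootstrap`), the resource group `rg-aks` and the two sample inputs are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Least-privilege variant of the
# bootstrap above plus a check that nothing broader landed on the principal.
set -eu

MS_GRAPH_APP_ID=00000003-0000-0000-c000-000000000000   # Microsoft Graph (current API)
tab=$(printf '\t')

# Constructed sample of what `az ad sp create-for-rbac --sdk-auth` writes (placeholder values).
SAMPLE_SDK_AUTH='{
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "REDACTED",
  "subscriptionId": "ABC",
  "tenantId": "99999999-8888-7777-6666-555555555555",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com"
}'

# Constructed sample of `az role assignment list --assignee <id> --all
#   --query "[].[roleDefinitionName, scope]" -o tsv` for a principal bootstrapped
# the way the post does it (Owner on the subscription) plus a scoped Contributor.
SAMPLE_ASSIGNMENTS=$(printf 'Owner\t/subscriptions/ABC\nContributor\t/subscriptions/ABC/resourceGroups/rg-aks\n')

# Pull one quoted string field out of the flat, one-key-per-line JSON on stdin.
# Replaces `grep clientId | cut -c 16-51`, which depends on fixed column positions.
json_field() {  # json_field <key>
  sed -n "/^[[:space:]]*\"$1\"[[:space:]]*:/{s/^[^:]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p;q;}"
}

# Print every assignment that is not exactly <allowed-role> at <allowed-scope>
# or below it. Input: "role<TAB>scope" lines on stdin. Output: offending lines.
find_overbroad_assignments() {  # find_overbroad_assignments <allowed-role> <allowed-scope>
  allowed_role=$1
  allowed_scope=$2
  while IFS=$tab read -r role scope; do
    if [ -z "$role" ]; then continue; fi
    if [ "$role" = "$allowed_role" ]; then
      # exact scope or a child of it (rg-aks must not match rg-aks2)
      case "$scope" in "$allowed_scope" | "$allowed_scope"/*) continue ;; esac
    fi
    printf '%s\t%s\n' "$role" "$scope"
  done
}

# Resolve a Microsoft Graph application-permission GUID from its name, so the
# script reads as "Application.ReadWrite.OwnedBy" instead of a bare GUID.
graph_app_role_id() {  # graph_app_role_id <permission-name>
  az ad sp show --id "$MS_GRAPH_APP_ID" --query "appRoles[?value=='$1'].id" -o tsv
}

# Create the principal with the narrow grant and stop if anything broader is attached.
bootstrap() {  # bootstrap <subscription-id> <resource-group> <sp-name>
  sub=$1; rg=$2; name=$3
  scope="/subscriptions/$sub/resourceGroups/$rg"
  az ad sp create-for-rbac --sdk-auth --role Contributor --scopes "$scope" -n "$name" > creds.json
  chmod 600 creds.json                          # the file holds the client secret
  client_id=$(json_field clientId < creds.json)

  # Fetch first, then filter, so an az failure aborts (set -e) instead of reading as "no findings".
  assignments=$(az role assignment list --assignee "$client_id" --all \
                  --query "[].[roleDefinitionName, scope]" -o tsv)
  overbroad=$(printf '%s\n' "$assignments" | find_overbroad_assignments Contributor "$scope")
  if [ -n "$overbroad" ]; then
    printf '%s\n' "$overbroad" >&2
    echo "refusing to continue: the assignments above exceed Contributor on $scope" >&2
    return 1
  fi

  # Only needed if the stack itself registers AAD applications (e.g. a cluster
  # service principal); a managed-identity cluster needs no Graph permission.
  role_id=$(graph_app_role_id Application.ReadWrite.OwnedBy)
  az ad app permission add --id "$client_id" --api "$MS_GRAPH_APP_ID" --api-permissions "$role_id=Role"
  az ad app permission admin-consent --id "$client_id"   # application permissions need consent
}

# Only touch Azure when explicitly asked: ./least-priv-sp.sh apply <sub-id> <rg> <sp-name>
if [ "${1:-}" = "apply" ]; then
  [ $# -eq 4 ] || { echo "usage: $0 apply <subscription-id> <resource-group> <sp-name>" >&2; exit 2; }
  bootstrap "$2" "$3" "$4"
fi
```

Run it against the constructed sample without touching Azure by sourcing the file and piping `$SAMPLE_ASSIGNMENTS` into `find_overbroad_assignments`; the Owner assignment at `/subscriptions/ABC` is reported and the scoped Contributor one is not. The same check is worth running periodically against the real principal, since role assignments added later by hand are the usual way a "minimal" principal quietly becomes Owner again.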