No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I have a feeling I’ve seen this before and that you must be a global admin to create new SPs even with good permissions otherwise

(In fact, <@UB3BGTV63> had to make my service account a global admin last week to enable testing this so that’s very likely to be the problem here!)

i had to grant the "Azure AD Graph" permissions and make my pulumi CI SP an "Owner"

azure-ad-graph permissions let me create another SP, but until it was Owner (not Contributor) i couldn't grant it any roles

<@UEU2M37GX> Do you have more details of where/how you did this? I am running into the same issues.