Linked authorization failed error in Deploy-PolicyPlan.ps1 #711
SkiLikeTheFootwear asked this question in Q&A (unanswered, 0 replies)
I'm in the process of onboarding a production environment to EPAC (version 1.5.0), however I'm running into an unexpected error. As recommended, my Azure DevOps pipeline has three stages, one for plan, deploy, and one for roles, each with its own SPN and permissions as outlined in the documentation (least privilege). The deploy stage (with Resource Policy Contributor) seems to be attempting something involving a role assignment that it understandably doesn't have the access to do, causing the entire stage to fail. I've added the error from the Azure Pipelines run and redacted the actual scope with `<scope>` for privacy. I've verified that the resource within the scope (a managed identity) does exist, so it is not invalid. I wonder if it is related to the issue #708
@techlake @anwather et al. - Any suggestions as to what's wrong and how I could fix it? Thank you sincerely in advance for your time
```
Write-Error: /home/vsts/.local/share/powershell/Modules/EnterprisePolicyAsCode/10.5.0/functions/Deploy-PolicyPlan.ps1:190
Line |
 190 |  Set-AzPolicyAssignmentRestMethod -Assignment $entry -ApiV …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Assignment error 403 -- { "error": { "code":
     | "LinkedAuthorizationFailed", "message": "The client
     | '8a4434a4-91a3-497b-8d67-7765b2010cbf' with object id
     | '8a4434a4-91a3-497b-8d67-7765b2010cbf' has permission to perform action
     | 'Microsoft.Authorization/policyAssignments/write' on scope
     | '<scope>'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '<scope>' (respectively) or the linked scope(s) are invalid." } }
##[error]PowerShell exited with code '1'.
```