Error on Azure DevOps (AzDO) pipeline using MSI

I am trying to run terraform apply using a managed account.

I have set the account as Contributor on the sub, but I get an error on the apply.

Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/providers?api-version=2016-02-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=***&resource=https%3A%2F%2Fmanagement.azure.com%2F

I see the bit about the endpoint, which I don't think I set, so it might be getting blocked by some rules on our corporate tenant?

Do I need to add some permissions or create a custom app with some "get user" permissions?

I have tried localhost, but that just hangs too.
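An added troubleshooting check, not part of the original post: the endpoint in the error is the Azure Instance Metadata Service (IMDS) on the agent VM, and "Identity not found" is IMDS saying no managed identity with that client_id is assigned to the VM the agent runs on. The script below queries IMDS the way the provider does (the Metadata: true header is required) and classifies the reply; CLIENT_ID is a placeholder for the identity's client id.

```shell
#!/bin/sh
# Added example: probe the Azure IMDS token endpoint from the build agent.
# Assumes the agent runs on an Azure VM; replace the placeholder client id.

IMDS_URL='http://169.254.169.254/metadata/identity/oauth2/token'
API_VERSION='2018-02-01'
RESOURCE='https%3A%2F%2Fmanagement.azure.com%2F'

# classify_imds_response BODY -> prints one word describing what BODY means.
classify_imds_response() {
    body="$1"
    case "$body" in
        '')                         echo "no_response" ;;          # IMDS unreachable: not an Azure VM, or egress blocked
        *'"access_token"'*)         echo "token_ok" ;;             # identity assigned and token issued
        *'Identity not found'*)     echo "identity_not_assigned" ;; # the error from the post: VM lacks this identity
        *'"error"'*)                echo "other_error" ;;          # some other IMDS error payload
        *)                          echo "unexpected" ;;
    esac
}

# probe_imds CLIENT_ID -> queries IMDS and classifies the answer.
probe_imds() {
    client_id="$1"
    body=$(curl -s --max-time 5 -H 'Metadata: true' \
        "${IMDS_URL}?api-version=${API_VERSION}&client_id=${client_id}&resource=${RESOURCE}")
    classify_imds_response "$body"
}

# Usage on the agent: probe_imds '<CLIENT_ID_PLACEHOLDER>'
```

A result of identity_not_assigned on a Microsoft-hosted agent is expected, since that VM is not yours and has no identity of yours assigned; a self-hosted agent on your own VM or VMSS with the identity attached is what makes this flow work.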