Azure Lighthouse — Deployment Error (data actions not allowed)

I’ve been designing some templates for Azure Lighthouse deployments recently to delegate access and allow customer subscriptions to be managed from a central location.

Originally I had the following groups defined in the template to delegate access to Key Vault and Storage Account File Shares and Blobs:

{
"principalId": "a627a78f-c2f2-4b34-b13c-9bbf46a768a8",
"principalIdDisplayName": "KVCertificates",
"roleDefinitionId"…