User-PasswordProfile.ReadWrite.All permission plus an Authentication Administrator directory role assigned to this service principal (see the Enterprise Applications Reference). Because application actions execute unattended, operator control is enforced through Gamebook approval gates (only Workspace Owners can approve high-impact actions) and a complete audit trail in the Gamebooks History page.