Sometimes a badrequest error is being thrown when trying to Assign an Enrollment Reader Role to the Service Principal like below

{
"code": "BadRequest",
"message": "The provided principal Tenant Id = <<tenantID>> and principal Object Id <<principal object ID>> are not valid."
}

The error is expected when we get the Object ID from the "App Registration" instead of "Enterprise Application."
To resolve the error, we need to obtain the Application Object ID from the "Enterprise Application" and retry the API call.

https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/assign-roles-azure-service-principals#troubleshoot