Under Containers, create a container which we will use to store the data files exported from MS Graph. I've called mine intune-powerbi. Set the Public access level to private.
Create a custom role
Here we will create a custom role at the storage account level which has just the permissions we need to upload data to the container. We will assign this role to the managed identity or Run As account.
At the top level of the storage account, open the Access Control (IAM) pane
On the Roles tab, locate the role Storage Blob Data Contributor
Click the 3 dots on the right of the role and choose Clone
Give the role a name. I've used Storage Account Reader and Blob Contributor
On the Permissions tab, add or remove the cloned permissions as required. I've added two permissions that are required by this solution and removed a couple that aren't. All permissions are found under Microsoft.Storage.