
Usage function running with managed identity can't query billing account scope #47

@Iain-S

We currently deploy our usage function app so that it has an Azure-managed identity. It seems as though managed identities can't query usage data using the billing_account_id setting (only the mgmt_group setting):

    MGMT_GROUP: Optional[str] = None  # Either, the usage function mgmt group...
    BILLING_ACCOUNT_ID: Optional[str] = (
        None  # ...or the usage function billing account ID
    )

We get an error if we try to query with the billing account in a deployed system. However, using the billing account ID works fine when running locally.

Being restricted to mgmt_group means that we don't get any data for the 00000000-0000-0000-0000-000000000000 pseudo-subscription.

We should:

  1. Document the current compromise (data for 00000000-0000-0000-0000-000000000000 needs to be uploaded manually).
  2. Re-create the issue in a dev deployment to log the error we receive.
  3. Find out if there's a way to elevate the managed identity's permissions so that it can query with billing account.
  4. If not, find out whether using a service principal (as we do for the controller function) would be an acceptable workaround.

Note: This may require changes to https://github.com/alan-turing-institute/rctab-infrastructure.
