
Cannot delegate User Access Administrator using Azure Lighthouse

Lóránd Balog 0 Reputation points
2026-01-20T09:26:53.51+00:00

In Azure, we have a setup where we need to deal with multiple Azure Tenants/Directories:

  • Tenant A: Our company's main tenant
  • Tenant B: A new tenant created specifically for our project

Now, our goal was to:

  • Deploy Azure resources into Tenant B
  • Use Azure Lighthouse to delegate the necessary roles to Tenant A users to manage Tenant B (as a service provider)

We have set up Lighthouse assignments and delegations to delegate the following roles of a Tenant B subscription to a security group in Tenant A:

  • Contributor
  • User Access Administrator, delegated roles: AcrPull

I understand the limitation of Azure Lighthouse when it comes to the User Access Administrator role. According to the documentation, in this setup it should be possible to assign the AcrPull role to a managed identity in Tenant B.

However, when we try to deploy the following role assignment (using Terraform, authenticating to Azure using Azure CLI):

resource "azurerm_role_assignment" "kubelet_identity_cluster_acr_pull" {
  principal_id         = azurerm_kubernetes_cluster.mycluster.kubelet_identity[0].object_id
  role_definition_name = "AcrPull"
  scope                = azurerm_container_registry.myacr.id
}

We get the following error:

│ Error: unexpected status 403 (403 Forbidden) with error: AuthorizationFailed: The client '<redacted>' with object id '<redacted>' has an authorization with ABAC condition that is not fulfilled to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.ContainerRegistry/registries/<redacted>/providers/Microsoft.Authorization/roleAssignments/<redacted>' or the scope is invalid. If access was recently granted, please refresh your credentials.
│ 
│   with azurerm_role_assignment.kubelet_identity_cluster_acr_pull,
│   on aks.tf line 40, in resource "azurerm_role_assignment" "kubelet_identity_cluster_acr_pull":
│   40: resource "azurerm_role_assignment" "kubelet_identity_cluster_acr_pull" {

The error message suggests that the user in fact does not have the permission to delegate the AcrPull role to a managed identity. (The Lighthouse assignment was created more than a month ago, so a recent assignment cannot be the issue.)

If I check the User Access Administrator role assignment in Tenant A, I see that it has a condition. Viewing the condition, I am greeted with the following error message:
[screenshot of the portal error message; image not available]

The condition itself is this string:

@Action[Id] StringNotEqualsAnyOfIgnoreCase {'Microsoft.Authorization/roleAssignments/write', 'Microsoft.Authorization/roleAssignments/delete'} || (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] StringEqualsAnyOfIgnoreCase { '7f951dda-4ed3-4680-a7ca-43fe172d538d' } && EXISTS @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] && @Resource[Microsoft.Authorization/roleAssignments:DelegatedManagedIdentityResourceId] StringNotEqualsIgnoreCase '')

According to the Azure portal and the Azure RBAC documentation, this condition is incorrect, which I suspect caused the authorization error above. Since the condition is generated by Lighthouse, I cannot edit it (read-only).

Question: Is there a platform bug in Azure Lighthouse, which completely prevents the (limited) delegation of the User Access Administrator role?

(I also found the following thread that reported the same issue 2.5 years ago: https://learn.microsoft.com/en-us/answers/questions/1286160/azure-ligthouse-user-access-admin-group-not-workin)
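A Python model of the condition string quoted above, added here as an example (it is not code from the question, from Terraform or from Azure). It evaluates the condition term by term against a constructed request shaped like the one the azurerm_role_assignment block produces, so each term that fails can be listed; the request dictionaries, key names and resource ids are constructed assumptions, and the GUID-only comparison of RoleDefinitionId is how the condition is modelled here, not a documented guarantee.

```python
# Added example: a Python model of the ABAC condition quoted above.
# Not code from the question or from Azure; request shapes are constructed.

ACR_PULL_ROLE_ID = "7f951dda-4ed3-4680-a7ca-43fe172d538d"  # GUID in the condition
DELEGATED_ROLE_IDS = {ACR_PULL_ROLE_ID}
GUARDED_ACTIONS = {
    "microsoft.authorization/roleassignments/write",
    "microsoft.authorization/roleassignments/delete",
}
WRITE = "Microsoft.Authorization/roleAssignments/write"


def role_guid(role_definition_id: str) -> str:
    """Accept a bare GUID or a full .../roleDefinitions/<guid> path; only the
    GUID is compared, case-insensitively (modelled after the IgnoreCase operator)."""
    return role_definition_id.rsplit("/", 1)[-1].lower()


def denial_reasons(action: str, request: dict) -> list:
    """Evaluate the condition term by term; an empty list means allowed.

    @Action[Id] StringNotEqualsAnyOfIgnoreCase {write, delete}
      || ( RoleDefinitionId StringEqualsAnyOfIgnoreCase {AcrPull}
           && EXISTS DelegatedManagedIdentityResourceId
           && DelegatedManagedIdentityResourceId StringNotEqualsIgnoreCase '' )
    """
    if action.lower() not in GUARDED_ACTIONS:
        return []  # left side of the || holds: the action is not guarded
    reasons = []
    if role_guid(request.get("roleDefinitionId", "")) not in DELEGATED_ROLE_IDS:
        reasons.append("RoleDefinitionId is not one of the delegated roles")
    delegated = request.get("delegatedManagedIdentityResourceId")  # None if absent
    if delegated is None or delegated == "":  # EXISTS ... && ... != ''
        reasons.append("DelegatedManagedIdentityResourceId is missing or empty")
    return reasons


def condition_allows(action: str, request: dict) -> bool:
    return not denial_reasons(action, request)


# Constructed request matching the azurerm_role_assignment block in the
# question: role name resolved to the AcrPull GUID, no delegated identity set.
TERRAFORM_REQUEST = {
    "roleDefinitionId": "/subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/"
    + ACR_PULL_ROLE_ID,
    "principalId": "<kubelet-identity-object-id>",
}
```

Run against the constructed request, the only failing term is the missing DelegatedManagedIdentityResourceId; in the azurerm provider that request property corresponds to the delegated_managed_identity_resource_id argument of azurerm_role_assignment, which the quoted block does not set.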

Azure Lighthouse