This is one that I forget regularly: I know it has to be done so that my Service Connection in an Azure DevOps pipeline (classic or YAML) can, for example, execute a Dataverse backup.
So, first create the App Registration on Azure Entra ID.
Add the App Registration as an Application User on the Dataverse environment.
In PowerShell, register the Application user as a “Management Application”:
New-PowerAppManagementApp -ApplicationId $ApplicationId
Once this is done, the SPN/Application User, Management Application, Application Registration (what’s in a name….) can execute these more administrative actions.
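The registration step above as a complete session, including a review of what is registered and a check that the service principal can sign in afterwards. This is an added example, not part of the original post. The tenant ID, the application ID and the `PP_CLIENT_SECRET` environment variable are placeholders, and it assumes the `Microsoft.PowerApps.Administration.PowerShell` module.

```powershell
# Placeholder values (not from the original post); replace with your own.
$TenantId      = '00000000-0000-0000-0000-000000000000'   # Entra tenant ID
$ApplicationId = '11111111-1111-1111-1111-111111111111'   # client ID of the App Registration

# New-PowerAppManagementApp ships in the Power Platform admin module.
if (-not (Get-Module -ListAvailable -Name Microsoft.PowerApps.Administration.PowerShell)) {
    Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser
}
Import-Module Microsoft.PowerApps.Administration.PowerShell

# Sign in interactively as a Power Platform administrator; the registration
# is performed with this admin session, not by the service principal.
Add-PowerAppsAccount -Endpoint prod -TenantID $TenantId

# Register the App Registration as a Management Application.
# Microsoft's documentation describes this as giving the application the same
# permissions as a tenant admin, so register only the IDs that need it.
New-PowerAppManagementApp -ApplicationId $ApplicationId

# Review every Management Application in the tenant and confirm the list
# holds only the application IDs you expect.
Get-PowerAppManagementApps

# Optional check: sign in as the service principal and list the environments.
# The secret is read from an environment variable (assumed name) so it does
# not end up in the script or in the shell history.
if ($env:PP_CLIENT_SECRET) {
    Add-PowerAppsAccount -Endpoint prod -TenantID $TenantId `
        -ApplicationId $ApplicationId -ClientSecret $env:PP_CLIENT_SECRET
    Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName
}

# To withdraw the registration when the pipeline no longer needs it:
# Remove-PowerAppManagementApp -ApplicationId $ApplicationId
```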