Update-MgUser To Disable Users with Roles Assigned

Hi,

I am trying to disable cloud users not synced from on-premises that have not logged in for 30 days or more. I have configured an Enterprise App with certificate for connecting to graph and applied the appropriate permissions to the app which has worked without issue for the cloud accounts which were Guest accounts. However, this did not work for the accounts which have admin roles assigned to them. I am aware this is a limitation of using the app permissions to perform such tasks so my question is, how do I automate the disabling of these users without using an embedded account in a script? Is there any way possible to use the app? Want to move away from giving an account Global Admin rights to perform these operations if possible. Security over convenience is really the goal here.

Let me know if you need more info!