u/Few_One7045

▲ 4 r/AZURE

How do you manage role assignments across subscriptions?

Hi everyone,

We’re running a pretty small Azure setup. We have one subscription per team. Teams don’t have any permissions at subscription level, but they do have resource provider permissions there. At resource group level they’re Contributor on pre-defined RGs, without any networking permissions.

We’re currently running into the issue that developers keep reaching out to us whenever they need roles assigned — whether that’s for a service principal, a managed identity, or sometimes even access within their own team.

I’m curious how you handle this in your setups:

  • Do you let teams manage role assignments themselves (maybe with broader RBAC scopes)?
  • Do you centralize all identity and access management in a platform/security team?
  • Or are you using something like PIM / just-in-time access for this?

Would be really interested to hear how others are solving this without creating too much overhead or bottlenecks.

Thanks!

u/Few_One7045 — 15 days ago