Azure RBAC models in enterprises do not need to be complex. Microsoft recommends having fewer subscriptions and creating granular permissions within a single subscription. Personally I do not like this approach; the administrative overhead is prohibitive. In my professional life we have a very simple RBAC model: each DevOps team gets two subscriptions, a Development and a Production subscription. This model works great in software development.
Development Subscription
DevOps teams have near-unrestricted access; the only thing they cannot do is change role assignments. I have created a custom role 'Jubson Resource Lock Administrator' (see links) to allow setting and deleting of Azure Resource Locks, as that is something that is only available to the Owner RBAC role by default.
The DevOps teams use this subscription as the 'Wild West (@DG)', allowing for experimentation. They also use this environment for their ACC environments. The DevOps teams can deploy here via the portal, but also via Azure DevOps.
Production Subscription
Production is completely locked down. The only way to deploy to Production is by using Azure DevOps and Pipelines. Even the Platform team has only the Reader role on Production.
If there is a production issue, the DevOps team needs to fix it in Dev and release it into Production with Azure DevOps. High Privilege Account access is available for 'emergency' situations.
But they can change RBAC via Azure DevOps!
Yes, they can.
At times DevOps teams need to set RBAC to improve security. For example, a WebApp has a managed identity (MSI), and that identity is granted the 'Storage Blob Data Contributor' role on a particular Storage Account. No keys need to be shared and security is improved.
Using Activity Logs and Alerting, we know when any changes to RBAC are made and can query the DevOps teams as to why they were required.
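As an added example (not code from the original post), here is the kind of logic behind such an alert, run over constructed Activity Log records: it keeps only role-assignment writes and deletes, pulls the role and principal out of the embedded ARM request body, and flags successful changes made by anyone other than the pipeline's service principal. The approved caller id, subscription id and principal ids are placeholders I have assumed.

```python
# Added example (not from the post): flag Activity Log role-assignment changes.
# SAMPLE_EVENTS are constructed to mimic `az monitor activity-log list` output;
# ids/callers are placeholders and APPROVED_CALLERS is an assumed pipeline identity.
import json
from dataclasses import dataclass
WRITE = "Microsoft.Authorization/roleAssignments/write"
RBAC_OPERATIONS = {WRITE, "Microsoft.Authorization/roleAssignments/delete"}
APPROVED_CALLERS = {"11111111-2222-3333-4444-555555555555"}  # Azure DevOps SP object id
ROLE_DEFS = "/subscriptions/SUB/providers/Microsoft.Authorization/roleDefinitions/"

@dataclass
class RbacChange:
    caller: str
    operation: str          # "write" (assign) or "delete" (remove)
    scope: str
    role_definition_id: str
    principal_id: str
    succeeded: bool

def extract_rbac_changes(events):  # keep role-assignment writes/deletes only
    out = []
    for ev in events:
        op = ev.get("operationName", {}).get("value", "")
        if op not in RBAC_OPERATIONS:
            continue
        # The ARM request body is embedded as a JSON string in properties.
        body = json.loads((ev.get("properties") or {}).get("requestbody") or "{}")
        bp = body.get("properties", {})
        out.append(RbacChange(ev.get("caller", ""), op.rsplit("/", 1)[-1],
                              ev.get("authorization", {}).get("scope", ""),
                              bp.get("roleDefinitionId", ""), bp.get("principalId", ""),
                              ev.get("status", {}).get("value") == "Succeeded"))
    return out

def needs_review(changes):  # successful changes not made by the pipeline: ask the team why
    return [c for c in changes if c.succeeded and c.caller not in APPROVED_CALLERS]

def _event(op, caller, scope, role_guid=None, principal=None):  # one constructed record
    body = {"properties": {"roleDefinitionId": ROLE_DEFS + role_guid,
                           "principalId": principal}} if role_guid else None
    return {"operationName": {"value": op}, "caller": caller, "status": {"value": "Succeeded"},
            "authorization": {"scope": scope},
            "properties": {"requestbody": json.dumps(body) if body else ""}}

SAMPLE_EVENTS = [  # constructed; the role GUIDs are the built-in role definition ids
    _event(WRITE, "11111111-2222-3333-4444-555555555555", "/subscriptions/SUB/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp",
           "ba92f5b4-2d11-453d-a403-e96b0029c9fe", "webapp-msi-object-id"),   # Storage Blob Data Contributor
    _event(WRITE, "alice@contoso.com", "/subscriptions/SUB",
           "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "alice-object-id"),        # Owner, via the portal
]
```

Running `needs_review(extract_rbac_changes(SAMPLE_EVENTS))` returns only the portal-made Owner assignment; the pipeline's MSI assignment is expected and passes silently.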
KISS
The RBAC model follows my favourite principle, KISS (Keep It Simple, Stupid), and creates a flexible development environment and a controlled process for deploying services to production with Azure and Azure DevOps.
Micah Jardine