Follow just enough administration (least privilege principle)
Azure role-based access control (Azure RBAC) allows you to manage Azure resource access through role assignments. You can assign these roles to users, groups, service principals, and managed identities. There are pre-defined built-in roles for certain resources, and these roles can be inventoried or queried through tools such as Azure CLI, Azure PowerShell, and the Azure portal. The privileges you assign to resources through Azure RBAC should always be limited to what the role actually requires. Limited privileges complement the just-in-time (JIT) approach of Microsoft Entra Privileged Identity Management (PIM), and those privileges should be reviewed periodically.
Use built-in roles to allocate permissions and only create custom roles when required.
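As an added example that is not part of the benchmark text or Microsoft's own tooling, the Python script below reviews an exported list of role assignments, in the shape returned by `az role assignment list --all -o json`, and flags the patterns this control argues against: privileged built-in roles (Owner, Contributor, User Access Administrator) assigned at subscription scope, and such roles assigned directly to a user rather than to a group. The sample data, the subscription id and the principal names are constructed; the set of roles treated as privileged is an assumption to tune per environment.

```python
import json

# Constructed sample in the shape of `az role assignment list --all -o json`.
# Field names match the CLI output; the subscription id, principal names and
# scopes are made up for this example.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
    {"principalName": "mi-web-frontend", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
              "/providers/Microsoft.Storage/storageAccounts/stprod"},
    {"principalName": "sp-ci-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
])

# Assumption: these built-in roles grant broad control (or the ability to grant
# it) and therefore deserve scrutiny when assigned broadly or to individuals.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an ARM scope string as subscription, resourceGroup or resource."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if "providers" in parts:
        return "resource"
    if "resourcegroups" in parts:
        return "resourceGroup"
    return "subscription"


def review_assignments(assignments_json):
    """Return a list of (principalName, reason) findings for a role-assignment export."""
    findings = []
    for a in json.loads(assignments_json):
        role = a["roleDefinitionName"]
        if role not in PRIVILEGED_ROLES:
            continue  # narrow data-plane or reader roles are what least privilege wants
        name = a["principalName"]
        if scope_level(a["scope"]) == "subscription":
            findings.append((name, f"{role} at subscription scope; narrow the scope "
                                   "or make the assignment PIM-eligible"))
        if a["principalType"] == "User":
            findings.append((name, f"{role} assigned directly to a user; "
                                   "assign to a group reviewed by access reviews"))
    return findings


def summarize_roles(assignments_json):
    """Count assignments per built-in role, a quick inventory for periodic review."""
    counts = {}
    for a in json.loads(assignments_json):
        counts[a["roleDefinitionName"]] = counts.get(a["roleDefinitionName"], 0) + 1
    return counts


if __name__ == "__main__":
    for role, n in sorted(summarize_roles(SAMPLE_ASSIGNMENTS).items()):
        print(f"{n:3d}  {role}")
    print()
    for principal, reason in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"REVIEW  {principal}: {reason}")
```

In practice the input would come from `az role assignment list --all -o json > assignments.json`, and the findings feed the periodic access review the control calls for rather than being acted on automatically.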
What is Azure role-based access control (Azure RBAC): https://docs.microsoft.com/azure/role-based-access-control/overview
How to configure Azure RBAC: https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal
How to use Microsoft Entra identity and access reviews: https://docs.microsoft.com/azure/active-directory/governance/access-reviews-overview