Microsoft Azure Architect Design (AZ-304) Practice Test

Assigning a custom role with specific permissions is the most effective way to prevent an Azure AD group from changing role assignments while still allowing them to create resources. By creating a custom role, you can tailor the permissions to include resource creation capabilities while explicitly excluding permissions related to role modification or assignment. This flexibility allows for fine-grained control over what actions the group can perform within Azure. In contrast, simply creating a new Azure subscription does not inherently manage role assignments; it might isolate the group’s resources but does not provide the necessary permissions without broader implications. Utilizing Azure Policy could help enforce compliance and restrictions, but it does not offer the specificity required to selectively restrict role modification while allowing resource creation. Lastly, relying on existing subscription roles might not provide the necessary control or could lead to unintended permissions being granted, which would not meet the stated requirement effectively.