As a Workspace Manager for critical projects or productive environments, I want developers to be required to use PIM to access the critical Azure Subscription so that access to the resources is more secure and audited.
One idea would be that, as the effect of a setting at project level, the team members (except project readers) are not automatically replicated as members of the Entra ID group but are replicated as an "eligible assignment" (see screenshot).