Currently, we set up custom Azure RBAC Roles for Azure landing zones. In order to prevent privilege escalation, the Microsoft.Authorization/roleAssignments/write permission is prohibited. However, in an Azure eco-system, this permission is often needed so that we provided an Azure RBAC OSB marketplace service which checks the roles and principal Ids in order to prevent privilege escalation. In the same time, we collect feedback from our users and they complain that many Azure Out-of-the-box Biceps/ARM templates do not work anymore. That is why we reconsider our intitial approach and want to allow RBAC to our project admins - under certain conditions (privilege escalation). What we would need herefore is the ABAC support for Azure Role-Mappings for Azure landing zones. The following article describes the concept: https://learn.microsoft.com/en-us/azure/role-based-access-control/delegate-role-assignments-overview?tabs=template#a-more-secure-method-delegate-role-assignments-with-conditions-preview