Hi James
Thanks for the detailed explanation. I am going to check the management group options. The overall goal is:
To let the engineering team use all Azure resource lifecycle management, like build, delete, test anything, whether it's infra or DevOps work.
But I want to manage the firewall, and their incoming/outgoing traffic should be allowed by the firewall, which only I should handle. They shouldn't modify routes.
Limited permissions to AD so they can't create or delete users and groups; that must be managed by me.
As per my understanding, giving them permissions on a resource group will restrict them from using all resources, so I was checking whether to give them a new subscription where they can test/build, while at the same time keeping the above permissions to me only. I am not sure if this is possible via management groups.
Thanks
Vijay
Thank you for the help on this, James. I think this will work perfectly for this requirement - https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c
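One way to express the split described in this thread (engineers get full lifecycle control of resources in their own subscription, while route tables and the firewall stay with the administrator) is a custom Azure RBAC role assigned at management group scope. The definition below is an added example, not something posted in the thread or provided by Microsoft; the management group name `<engineering-mg>` is a placeholder, and the role name is invented. The `Microsoft.Network/...` operation names and the `Microsoft.Authorization` exclusions are the standard resource-provider operations used by Azure built-in roles.

```json
{
  "Name": "Engineering Contributor (no network control)",
  "Description": "Full resource lifecycle control, except route tables, Azure Firewall, and role assignments. Added example; <engineering-mg> is a placeholder.",
  "IsCustom": true,
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/delete",
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/routes/delete",
    "Microsoft.Network/azureFirewalls/write",
    "Microsoft.Network/azureFirewalls/delete",
    "Microsoft.Network/firewallPolicies/write",
    "Microsoft.Network/firewallPolicies/delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/<engineering-mg>"
  ]
}
```

Two caveats worth keeping in mind with this approach. First, `Microsoft.Network/routeTables/join/action` is deliberately left allowed so engineers can still attach the administrator-managed route table to their subnets; removing write/delete on the table and its routes is what stops them changing where traffic goes, and the Azure Policy assignment linked above is the complementary control for the traffic side. Second, the Azure AD requirement (no creating or deleting users and groups) is not enforced by Azure RBAC at all: directory objects are governed by Azure AD directory roles, so engineers should simply not hold roles such as User Administrator or Groups Administrator, and any subscription-level role has no bearing on that.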