Role assignments can be applied at the subscription level, the resource group level and the resource level. Azure has a large number of built-in roles, and a role consists of a set of permissions. At every level the roles Owner, Contributor and Reader are available. Owner and Contributor both have full access to the resource, but only an Owner can also grant access rights to other users. Access rights assigned at a higher level are inherited by the levels below it.
It’s best practice to give a user the minimal rights required to perform their job. Elevated (admin) privileges can be given to a user for a limited time only. Granting a user limited access takes more work, but it’s definitely more secure. For easier management and auditing, it’s advised to assign users to groups and groups to roles.
In the Azure AD (AAD) Premium P2 edition you can use Privileged Identity Management (PIM). PIM gives architects or developers temporary rights to assign themselves elevated permissions on a subscription or resource group. For example, you can temporarily give developers Contributor access to the Acceptance resource groups so that they can deliver test support. Link: https://docs.microsoft.com/nl-nl/azure/active-directory/privileged-identity-management/pim-configure
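The points above (scope inheritance, assigning groups rather than users to roles, and time-bound elevation through PIM) as an added, simplified model written for this page; it is example code, not Microsoft's implementation, and the subscription, resource group, group and user names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Simplified model of Azure RBAC scope inheritance and PIM-style time-bound
# activation (example code, not Microsoft's implementation; constructed data).
ROLE_PERMISSIONS = {
    "Reader": {"read"},
    "Contributor": {"read", "write"},
    "Owner": {"read", "write", "assign-roles"},  # only Owner may grant rights
}

@dataclass
class Assignment:
    principal: str                      # a user or, preferably, a group
    role: str
    scope: str                          # inherited by every scope nested below it
    expires: Optional[datetime] = None  # None = permanent; set for JIT activations

def applies_to(assignment_scope: str, target_scope: str) -> bool:
    # Covers the assignment's own scope and everything beneath it. The "/" guard
    # stops "/resourceGroups/rg" from matching "/resourceGroups/rg-acceptance".
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")

def effective_permissions(principal, groups, assignments, target_scope, now):
    # Union of permissions from unexpired assignments to the principal or its groups.
    principals = {principal} | groups.get(principal, set())
    perms = set()
    for a in assignments:
        expired = a.expires is not None and now >= a.expires  # elevation lapsed
        if a.principal in principals and not expired and applies_to(a.scope, target_scope):
            perms |= ROLE_PERMISSIONS[a.role]
    return perms

def activate(principal, role, scope, now, hours):
    # PIM-style activation: the eligible role is granted for a limited window only.
    return Assignment(principal, role, scope, expires=now + timedelta(hours=hours))

# Constructed tenant: developers hold Reader on the whole subscription via a group;
# alice activates Contributor on the Acceptance resource group for 8 hours.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_ACC, RG_PROD = SUB + "/resourceGroups/rg-acceptance", SUB + "/resourceGroups/rg-production"
APP_ACC = RG_ACC + "/providers/Microsoft.Web/sites/app1"   # a resource inside rg-acceptance
GROUPS = {"alice": {"developers"}}
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ASSIGNMENTS = [Assignment("developers", "Reader", SUB),
               activate("alice", "Contributor", RG_ACC, T0, hours=8)]

def permissions_at(principal: str, resource: str, hours_after: float) -> list:
    # Sorted effective permissions on `resource`, `hours_after` the activation at T0.
    now = T0 + timedelta(hours=hours_after)
    return sorted(effective_permissions(principal, GROUPS, ASSIGNMENTS, resource, now))
```

Calling `permissions_at("alice", APP_ACC, 1)` yields `['read', 'write']` (Contributor inherited from the resource group plus Reader inherited from the subscription), while the same call 9 hours later yields only `['read']` because the activation has expired.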