Forum Discussion
Azure RBAC Custom Role Best Practices or Common Build Patterns
Managing this type of custom permission is always a challenge, especially in the future when MS is going to add new features or more granular controls. It is better to do the segmentation at the RG level. Make one RG, like an APP RG, and give the Contributor role (no clone, built-in) there. Make another RG for keeping your critical network resources like VNets, Route Tables, Firewalls, DNS Zones, ExpressRoute, and assign no role to this RG. Then create a third RG and keep your app-related networking resources like Private Endpoints, Network Interfaces, and Application Gateways; here you can use your custom role with ONLY allowed network writes like Microsoft.Network/networkInterfaces/, Microsoft.Network/networkSecurityGroups/, Microsoft.Network/applicationGateways/write, etc.
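As an added example (not from the post above), the custom role for the third RG written out in the JSON shape that `az role definition create` accepts, plus a small check for the patterns that would undo the segmentation; the subscription id, RG name, role name and the privateEndpoints write action are assumptions, not from the post.

```python
import json

# Placeholder identifiers (constructed for this example), replace with your own.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
APP_NETWORK_RG = "rg-app-networking"

# Write actions for the app-side resources the post names (the privateEndpoints
# action is assumed here); reads are added so the role can see what it manages.
ALLOWED_WRITE_ACTIONS = [
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/applicationGateways/write",
    "Microsoft.Network/privateEndpoints/write",
]
READ_ACTIONS = ["Microsoft.Network/*/read"]


def build_app_network_role(subscription_id, rg_name):
    """Return the custom role definition in the JSON shape az CLI accepts."""
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{rg_name}"
    return {
        "Name": "App Networking Writer",
        "IsCustom": True,
        "Description": "Write only app-side networking resources in one RG.",
        "Actions": READ_ACTIONS + ALLOWED_WRITE_ACTIONS,
        "NotActions": [],
        "AssignableScopes": [scope],
    }


def least_privilege_violations(role):
    """Flag what would undo the RG segmentation: wildcard actions, actions
    outside Microsoft.Network, and assignable scopes wider than one RG."""
    problems = []
    for action in role["Actions"]:
        if action == "*" or action.endswith("/*"):
            problems.append(f"wildcard action: {action}")
        elif not action.startswith("Microsoft.Network/"):
            problems.append(f"non-network action: {action}")
    for scope in role["AssignableScopes"]:
        if "/resourceGroups/" not in scope:
            problems.append(f"scope wider than a resource group: {scope}")
    return problems


if __name__ == "__main__":
    role = build_app_network_role(SUBSCRIPTION_ID, APP_NETWORK_RG)
    # Save the output and run: az role definition create --role-definition @role.json
    print(json.dumps(role, indent=2))
```

The check is deliberately strict: a `Microsoft.Network/*` wildcard or a subscription-level assignable scope would let the role reach the VNet and firewall RG that the post says should carry no role at all.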