You have an Azure subscription that contains a resource group named RG1.
You create an Azure Active Directory (Azure AD) group named ResearchUsers that contains the user accounts of all researchers.
You need to recommend a solution that meets the following requirements:
The researchers must be allowed to create Azure virtual machines.
The researchers must only be able to create Azure virtual machines by using specific Azure Resource Manager templates.
Solution: On RG1, assign a custom role-based access control (RBAC) role to the ResearchUsers group.
Does this meet the goal?
Instead: On RG1, assign the Contributor role to the ResearchUsers group. Create a custom Azure Policy definition and assign the policy to RG1.