The first step will be understanding the roles, and which role is important for each purpose.
Then review the IAM of the resources/management groups/subscriptions you are trying to manage.
I would create a few AAD groups, for Owner, Contributor, User Access, and any other roles, then assign the role to that group and remove everyone who is directly assigned to those relevant groups.
That way you can easily control who does and doesn't have access.
If the built-in roles don't work, you can build custom roles, which can reduce the amount of power people have and the resources they see, and do the same thing.
The trick is knowing who needs access to Azure resources, when they need access.
And don't forget to include PIM. Privileged Identity Management will allow you to approve access to some higher roles like Contributor, but allow users to have access to other roles like Reader or Resource Group Contributor when they need it.
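The procedure in the answer above (one AAD group per role, assign the role to the group, strip direct user assignments, add a custom role where a built-in one is too broad, and put the higher roles behind PIM eligibility), written out as an added Az PowerShell example. This is not the poster's script; it assumes you are already signed in with Connect-AzAccount as an Owner or User Access Administrator of the target subscription, and the subscription ID, group names, custom role name, its action list and the one-year eligibility window are all placeholders to replace.

```powershell
# Added example, not part of the original answer. Assumes Az.Accounts and Az.Resources
# (recent enough for the New-AzRoleEligibilityScheduleRequest PIM cmdlet) and an existing
# Connect-AzAccount session with rights to manage role assignments at the scope below.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with yours
$Scope          = "/subscriptions/$SubscriptionId"

# One AAD (Entra ID) security group per role we hand out. Names are illustrative.
$RoleGroups = @{
    'Owner'                     = 'rbac-sub-owner'
    'Contributor'               = 'rbac-sub-contributor'
    'User Access Administrator' = 'rbac-sub-useraccess'
    'Reader'                    = 'rbac-sub-reader'
}
# Higher roles are made PIM-eligible (activated on demand) instead of permanently active.
$EligibleOnly = @('Owner', 'Contributor')

foreach ($role in $RoleGroups.Keys) {
    $name  = $RoleGroups[$role]
    $group = Get-AzADGroup -DisplayName $name
    if (-not $group) {
        $group = New-AzADGroup -DisplayName $name -MailNickname $name -SecurityEnabled
    }

    $roleDef   = Get-AzRoleDefinition -Name $role
    $roleDefId = "$Scope/providers/Microsoft.Authorization/roleDefinitions/$($roleDef.Id)"

    if ($EligibleOnly -contains $role) {
        # PIM: group members become eligible and must activate the role when they need it.
        # Approval requirements for activation are configured in the role's PIM settings,
        # not by this request. The P365D eligibility window is an assumption.
        New-AzRoleEligibilityScheduleRequest -Name ([guid]::NewGuid().ToString()) `
            -Scope $Scope -PrincipalId $group.Id -RoleDefinitionId $roleDefId `
            -RequestType AdminAssign `
            -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
            -ExpirationType AfterDuration -ExpirationDuration 'P365D' | Out-Null
    }
    else {
        # Standing assignment for the lower roles; check first so re-runs stay idempotent.
        $existing = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $Scope
        if (-not $existing) {
            New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $Scope | Out-Null
        }
    }

    # Remove users who hold this role directly at this exact scope, so group membership
    # becomes the only path. Get-AzRoleAssignment -Scope also returns inherited assignments,
    # hence the Scope filter. Service principals are left for a separate review.
    $direct = Get-AzRoleAssignment -Scope $Scope -RoleDefinitionName $role |
        Where-Object { $_.ObjectType -eq 'User' -and $_.Scope -eq $Scope }
    foreach ($a in $direct) {
        Write-Host "Removing direct $role assignment for $($a.SignInName) at $Scope"
        Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $role -Scope $Scope
    }
}

# Custom role when a built-in one grants too much: start from Reader and add only the
# extra actions needed. Role name and action list are illustrative.
$customName = 'VM Restarter (custom)'
if (-not (Get-AzRoleDefinition -Name $customName)) {
    $custom = Get-AzRoleDefinition -Name 'Reader'
    $custom.Id          = $null
    $custom.IsCustom    = $true
    $custom.Name        = $customName
    $custom.Description = 'Read everything in the subscription; may only start or restart VMs.'
    $custom.Actions.Add('Microsoft.Compute/virtualMachines/start/action')
    $custom.Actions.Add('Microsoft.Compute/virtualMachines/restart/action')
    $custom.AssignableScopes.Clear()
    $custom.AssignableScopes.Add($Scope)
    New-AzRoleDefinition -Role $custom | Out-Null
}

# Final check: anything still assigned directly to a user at this scope is a leftover to review.
Get-AzRoleAssignment -Scope $Scope |
    Where-Object { $_.ObjectType -eq 'User' -and $_.Scope -eq $Scope } |
    Select-Object SignInName, RoleDefinitionName, Scope
```

Run it once against a non-production subscription first and read the "Removing direct ..." lines before letting it loose, since a direct assignment it strips is only recoverable by re-adding it. The custom role is created but not assigned; attach it to its own group the same way as the built-in roles above.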