@jamesH Thanks for reaching out. As you mentioned, start by creating a new Azure subscription. This will provide a separate environment where you can manage resources and access control more granularly. Then create a custom role that only has the permissions necessary for developers to view and read functions. This role can be assigned to the developers in the new subscription, ensuring they have the least privilege necessary for their day-to-day work.
For situations where developers need to modify functions, you can use PIM in the new subscription. You can assign a higher privileged role (like contributor) to the developers in PIM, and they can activate this role when necessary. This activation can be time-bound and could require approval, providing an additional layer of control. Conditional Access adds an extra layer of security by requiring certain conditions to be met before access is granted.
These services are designed to work together to provide comprehensive access control. Using them in combination allows you to tailor your access control strategy to meet your specific needs.
Let me know in case of further queries, I would be happy to assist you.
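A worked version of the steps in the answer above, as an added example that is not from the original post: an Azure PowerShell script (Az.Resources module) that defines a read-only custom role for Function Apps, assigns it as a standing assignment, and makes Contributor an eligible PIM assignment that must be activated. The subscription ID, the developer group's object ID and the custom role name are placeholders.

```powershell
# Added example (not from the original answer). Assumes Az.Resources is installed,
# Connect-AzAccount has already run, and the placeholders below are replaced.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder: the new dev subscription
$devGroupId     = "11111111-1111-1111-1111-111111111111"   # placeholder: Entra ID group of developers
$scope          = "/subscriptions/$subscriptionId"

# 1. Custom role: read-only view of Function Apps and their functions.
#    Only */read actions; no write/delete permissions, and secret-revealing
#    actions such as Microsoft.Web/sites/config/list/action are deliberately left out.
$roleDef = @{
    Name             = "Function App Reader (custom)"          # placeholder name
    Description      = "View Function Apps and their functions without changing them."
    IsCustom         = $true
    Actions          = @(
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Web/sites/read",
        "Microsoft.Web/sites/config/read",
        "Microsoft.Web/sites/functions/read",
        "Microsoft.Web/sites/slots/read"
    )
    NotActions       = @()
    AssignableScopes = @($scope)
}
$roleFile = Join-Path $env:TEMP "function-reader.json"
$roleDef | ConvertTo-Json -Depth 5 | Set-Content -Path $roleFile
$role = New-AzRoleDefinition -InputFile $roleFile

# 2. Standing assignment of the read-only role to the developer group at subscription scope.
New-AzRoleAssignment -ObjectId $devGroupId -RoleDefinitionId $role.Id -Scope $scope

# 3. PIM: Contributor is eligible only, so developers must activate it when needed.
#    The eligibility itself expires after one year; the activation duration, approval
#    requirement and MFA-on-activation live in the role's PIM policy, not in this request.
$contributor = Get-AzRoleDefinition -Name "Contributor"
New-AzRoleEligibilityScheduleRequest `
    -Name ([guid]::NewGuid().ToString()) `
    -Scope $scope `
    -PrincipalId $devGroupId `
    -RoleDefinitionId "$scope/providers/Microsoft.Authorization/roleDefinitions/$($contributor.Id)" `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime().ToString("o") `
    -ExpirationType AfterDuration `
    -ExpirationDuration "P365D"
```

After running it, `Get-AzRoleAssignment -ObjectId $devGroupId -Scope $scope` should list only the custom reader role as an active assignment, with Contributor appearing under eligible assignments in the PIM blade.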