Thank you for posting this in Microsoft Q&A.
I understand that your concerned about restricting a third-party vendor with Global Administrator (GA) access from self-elevating their permissions to "User Access Administrator" role, which would grant them access to Azure subscription and its resources.
Unfortunately, there is no way to restrict global administrator account from being able to self-elevate his permissions to "User Access Administrator" role and get access to Azure subscription and its resources.
Hope this helps. Do let us know if you any further queries.
Thanks,
Navya.
If this answers your query, do click Accept Answer
and Yes
for was this answer helpful. And, if you have any further query do let us know.