We have multiple teams within our organisation. Each team has its own Azure subscription under the same AAD tenancy.
Our requirement is to:
1. Create a user managed identity and assign permissions to it.
2. Limit the usage of the user managed identity so that it is allowed only in a specific subscription.
The above is a one-off activity done by the infra team, who have write access to AAD.
Once the user managed identity is created, we want to assign it to the worker nodes spun up by Jenkins to perform automation tasks. This will be done by the application teams, who don't have write access to AAD.
We do not want to use a system identity, as it is created every time, and the application teams don't have rights to assign permissions to the identity.