Your organization needs to implement role-based access control (RBAC) across multiple Azure subscriptions with minimal administrative overhead. What is the best approach to manage permissions across these subscriptions?

Correct answer: Use management groups to apply Azure Policy and assign roles at the management group level

Option C is correct because management groups provide a hierarchy above subscriptions, allowing administrators to assign Azure Policy definitions and role assignments at a single level that automatically inherit down to all subscriptions, resource groups, and resources within the group, dramatically reducing the administrative overhead of managing RBAC across many subscriptions. Option A is incorrect because assigning individual users to each subscription with custom permissions is an unscalable, error-prone approach that multiplies administrative work with every new subscription or user and provides no centralized governance. Option B is incorrect because creating custom roles independently per subscription prevents role reuse, creates inconsistency, and requires administrators to maintain duplicate role definitions, increasing both effort and risk of misconfiguration. Option D is incorrect because service principals with subscription-level assignments are appropriate for application access, not for managing human user RBAC across an enterprise; they also do not reduce administrative overhead because each subscription still requires individual assignments.