Least privilege: role + scope
Pick the smallest scope and the most specific role that still gets the job done. Start with Reader; move to Contributor only when write access is actually needed. Use Owner/User Access Administrator only for managing access itself, since both can grant roles to others. Scope matters as much as role: a role assigned at management-group or subscription scope is inherited by every resource group and resource beneath it. Two levers, then: role specificity plus scope size.
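An added example (not part of the original note) that applies both levers as an audit over a list of role assignments: it classifies each assignment's scope level from the Azure scope ID string, flags write-capable roles at subscription or management-group scope, and flags Owner or User Access Administrator on any principal not designated for access management. The assignments, principal names and subscription ID are constructed.

```python
# Added example, not from the original note: audit Azure RBAC role
# assignments against the two least-privilege levers, role specificity
# and scope size. All assignments and the subscription ID are constructed.

# Broadest levels of the Azure scope hierarchy; a role is inherited downward.
BROAD_SCOPES = {"managementGroup", "subscription"}

# Roles that can change access itself; reserve for access management.
ACCESS_ADMIN_ROLES = {"Owner", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an Azure scope ID as managementGroup, subscription, resourceGroup or resource."""
    parts = scope.strip("/").split("/")
    if len(parts) == 4 and parts[1].lower() == "microsoft.management":
        return "managementGroup"
    if parts[0].lower() != "subscriptions":
        raise ValueError(f"unrecognised scope: {scope!r}")
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def audit(assignments, access_managers=frozenset()):
    """Return (principal, role, level, reason) for each assignment broader than it needs to be."""
    # access_managers: principals whose job is managing access; only they
    # may hold Owner or User Access Administrator without a finding.
    findings = []
    for a in assignments:
        level, role = scope_level(a["scope"]), a["role"]
        if role in ACCESS_ADMIN_ROLES:
            if a["principal"] not in access_managers:
                findings.append((a["principal"], role, level,
                                 "access-admin role on a non-access-management principal"))
            continue  # the role itself is the problem; scope breadth is secondary
        if role != "Reader" and level in BROAD_SCOPES:
            findings.append((a["principal"], role, level,
                             "write-capable role at broad scope; narrow to a resource group or resource"))
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principal": "ci-deployer", "role": "Contributor", "scope": SUB},
    {"principal": "ci-deployer", "role": "Contributor", "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "dashboard", "role": "Reader", "scope": SUB},
    {"principal": "dev-alice", "role": "Owner", "scope": SUB + "/resourceGroups/rg-app"},
    {"principal": "iam-automation", "role": "User Access Administrator", "scope": SUB},
]
```

Run `audit(SAMPLE_ASSIGNMENTS, access_managers={"iam-automation"})` to see the two findings: Contributor at subscription scope for ci-deployer, and Owner for dev-alice, while Reader at subscription scope and the scoped Contributor pass.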

