VNet Integration break down Write Virtual Network Subnet
Currently, we have a number of Azure DevOps Pipeline Service Principals (SPs) belonging to different squad teams to manage different workloads, and by default we avoid letting any SP modify the virtual network.
Every App Service that connects to a subnet through VNet integration requires a permission on the Virtual Network: Write: Create or Update Virtual Network Subnet.
Judging by the permission name alone, this permission can create or update the virtual network subnet. Please create an individual permission that only allows connecting to a subnet from an App Service/App Service Plan, with the least privilege.
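
Added example, not part of the original post: a small audit that reports which role definitions effectively grant the subnet write operation, including grants hidden behind wildcards and grants cancelled by NotActions. The role names and definitions are constructed samples, and the JSON shape (`roleName`, `permissions`, `actions`, `notActions`) is assumed to follow `az role definition list` output.

```python
import fnmatch

# Azure operation behind "Write: Create or Update Virtual Network Subnet".
SUBNET_WRITE = "Microsoft.Network/virtualNetworks/subnets/write"


def _matches(pattern, action):
    # Azure RBAC action strings are case-insensitive and may contain "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants(role, action=SUBNET_WRITE):
    """True if any permission block allows `action` once NotActions are subtracted."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def roles_granting_subnet_write(roles):
    """Names of the role definitions that let their assignees write subnets."""
    return [r["roleName"] for r in roles if grants(r)]


# Constructed sample definitions (hypothetical role names, not real built-in roles).
SAMPLE_ROLES = [
    {"roleName": "squad-app-deployer",
     "permissions": [{"actions": ["Microsoft.Web/sites/*",
                                  "Microsoft.Web/serverfarms/*"],
                      "notActions": []}]},
    {"roleName": "squad-vnet-integrator",
     "permissions": [{"actions": ["Microsoft.Web/sites/*", SUBNET_WRITE],
                      "notActions": []}]},
    {"roleName": "squad-network-wildcard",
     "permissions": [{"actions": ["microsoft.network/virtualNetworks/*"],
                      "notActions": []}]},
    {"roleName": "squad-broad-minus-subnets",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Network/virtualNetworks/subnets/*"]}]},
]

if __name__ == "__main__":
    for name in roles_granting_subnet_write(SAMPLE_ROLES):
        print("grants subnet write:", name)
```

The same check can be run over the definitions of the roles actually assigned to each pipeline Service Principal to see which of them can modify subnets.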