Define a separate Role Permission for adding VMs to a VNET
Creating a new Virtual Machine requires the “Microsoft.Network/virtualNetworks/write” provider operation, because creating the VM's NIC is treated as a write on the virtual network. This makes it impossible to block the ability to create new virtual networks while still allowing someone to create virtual machines (e.g., to achieve segregation of duties). There are a couple of possible solutions:
(1) Require a different new or existing privilege for placing the interface into the VNET/Subnet (e.g., “Microsoft.Network/virtualNetworks/subnets/join/action”).
(2) Define a new set of /read, /write, /delete operations for VM network interfaces as part of either Microsoft.Network or Microsoft.Compute (e.g., “Microsoft.Network/networkInterfaces/write”).
(3) Define a "join" operation in lieu of a "write" operation to allow a Network Interface to be joined to a particular VNET.
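As an added example (not part of the original feedback item), the following Az PowerShell snippet shows what a least-privilege custom role would look like once the requested operations exist: it grants VM creation plus NIC placement into an existing subnet while omitting virtualNetworks/write, so the holder cannot create or modify VNETs. It assumes the subnet join operation from option (1) and the NIC write operation from option (2) are available; the role name, subscription ID and exact action list are placeholders, not a tested Azure role.

```powershell
# Added example, not from the original post. It ASSUMES the proposed operations
# "Microsoft.Network/virtualNetworks/subnets/join/action" (option 1) and
# "Microsoft.Network/networkInterfaces/write" (option 2) exist in the tenant.

# Step 1: check which virtualNetworks operations the Microsoft.Network provider
# actually exposes before relying on them in a role definition.
Get-AzProviderOperation -OperationSearchString "Microsoft.Network/virtualNetworks/*" |
    Select-Object Operation, Description

# Step 2: clone a built-in role so the object has the right shape, then replace
# its actions with a minimal set.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "VM Creator (no VNET changes)"            # placeholder name
$role.Description = "Create VMs and join NICs to existing subnets; cannot create or modify VNETs."
$role.Actions.Clear()
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/00000000-0000-0000-0000-000000000000")  # placeholder

# Compute side: the VM, its disks and availability sets.
$role.Actions.Add("Microsoft.Compute/virtualMachines/*")
$role.Actions.Add("Microsoft.Compute/disks/*")
$role.Actions.Add("Microsoft.Compute/availabilitySets/*")

# Network side: manage the NIC itself and join it to an EXISTING subnet only.
$role.Actions.Add("Microsoft.Network/networkInterfaces/read")
$role.Actions.Add("Microsoft.Network/networkInterfaces/write")              # assumption: option (2)
$role.Actions.Add("Microsoft.Network/networkInterfaces/delete")
$role.Actions.Add("Microsoft.Network/virtualNetworks/read")
$role.Actions.Add("Microsoft.Network/virtualNetworks/subnets/read")
$role.Actions.Add("Microsoft.Network/virtualNetworks/subnets/join/action")  # assumption: option (1)

# Plumbing needed for portal/ARM deployments.
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Resources/deployments/*")

# Deliberately absent: Microsoft.Network/virtualNetworks/write and /delete.
# That omission is the separation of duties the post asks for: the holder can
# place a VM on the network but cannot create, reshape or remove a VNET.
New-AzRoleDefinition -Role $role
```

Step 1 is the check a practitioner would run first: if the join operation does not appear in the provider's operation list, a role built this way will fail VM creation exactly as the post describes, because the NIC write still falls back to requiring virtualNetworks/write.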