I have a business requirement to segregate the management and operations of Defender for Cloud for multiple subscriptions in a single tenant structure.
Currently, for all subscriptions, Defender for Cloud is managed by users assigned the Security Admin role, and the operations side of it is managed by users with the Security Reader role in the organization.
Due to an organization restructure, let's say Defender for Cloud for subscriptions A and B should remain managed by the existing team of users described above, but for subscriptions C and D, Defender for Cloud should be managed by a new team. Both teams should only be allowed to view and edit resources for Defender for Cloud in their respective subscriptions but not in the other team's subscriptions.
What is the best approach to implement this segregation? If, let's say, we move these subscriptions to new management groups, can we assign Security Admin and Security Reader roles that are only scoped to the subscriptions under the management group?
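The approach the question sketches (one management group per team, with Security Admin and Security Reader assigned at management-group scope so they are inherited only by the subscriptions under it) can be scripted with the Azure CLI. The script below is an added example written for this page; it is not from the question's author or from Microsoft's documentation. Management group names, subscription IDs and the Entra group object IDs are constructed placeholders, and the parent management group name is an assumption. `DRY_RUN=1` (the default) only prints the `az` commands so the plan can be reviewed before `DRY_RUN=0` executes it.

```shell
#!/usr/bin/env sh
# Added example: per-team Defender for Cloud RBAC via management-group scoping.
# All IDs and names below are constructed placeholders (not real tenant values).
DRY_RUN="${DRY_RUN:-1}"

PARENT_MG="${PARENT_MG:-contoso-root}"   # assumed parent management group name
TEAM1_MG="mg-defender-team-existing"    # will hold subscriptions A and B
TEAM2_MG="mg-defender-team-new"         # will hold subscriptions C and D

SUB_A="00000000-0000-0000-0000-00000000000a"   # constructed subscription IDs
SUB_B="00000000-0000-0000-0000-00000000000b"
SUB_C="00000000-0000-0000-0000-00000000000c"
SUB_D="00000000-0000-0000-0000-00000000000d"

# Constructed object IDs of Entra ID security groups (one admin + one reader
# group per team) - assign roles to groups, never to individual users.
TEAM1_ADMINS="11111111-1111-1111-1111-111111111111"
TEAM1_READERS="11111111-1111-1111-1111-222222222222"
TEAM2_ADMINS="22222222-2222-2222-2222-111111111111"
TEAM2_READERS="22222222-2222-2222-2222-222222222222"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# Azure RBAC scope strings. An assignment at management-group scope is
# inherited by every subscription (and resource) under that group, and by
# nothing outside it - which is exactly the boundary the two teams need.
mg_scope()  { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }
sub_scope() { printf '/subscriptions/%s' "$1"; }

# Create a management group under a parent.
create_mg() {
  run az account management-group create --name "$1" --display-name "$1" --parent "$2"
}

# Move a subscription into a management group.
move_sub() {
  run az account management-group subscription add --name "$1" --subscription "$2"
}

# Assign a built-in role to a group principal at the given scope.
# Usage: assign_role <group-object-id> <role name> <scope>
assign_role() {
  run az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type Group --role "$2" --scope "$3"
}

# Show what a subscription actually inherits; useful to confirm that no
# broader assignment (e.g. at the tenant root group) still grants the old
# team access to the new team's subscriptions.
list_effective_assignments() {
  run az role assignment list --scope "$(sub_scope "$1")" \
    --include-inherited --role "$2" --output table
}

main() {
  # 1. One management group per team.
  create_mg "$TEAM1_MG" "$PARENT_MG"
  create_mg "$TEAM2_MG" "$PARENT_MG"

  # 2. Move subscriptions under the team that owns them.
  move_sub "$TEAM1_MG" "$SUB_A"; move_sub "$TEAM1_MG" "$SUB_B"
  move_sub "$TEAM2_MG" "$SUB_C"; move_sub "$TEAM2_MG" "$SUB_D"

  # 3. Assign Security Admin / Security Reader at management-group scope.
  assign_role "$TEAM1_ADMINS"  "Security Admin"  "$(mg_scope "$TEAM1_MG")"
  assign_role "$TEAM1_READERS" "Security Reader" "$(mg_scope "$TEAM1_MG")"
  assign_role "$TEAM2_ADMINS"  "Security Admin"  "$(mg_scope "$TEAM2_MG")"
  assign_role "$TEAM2_READERS" "Security Reader" "$(mg_scope "$TEAM2_MG")"

  # 4. Verify inheritance per subscription for both roles.
  for sub in "$SUB_A" "$SUB_B" "$SUB_C" "$SUB_D"; do
    list_effective_assignments "$sub" "Security Admin"
    list_effective_assignments "$sub" "Security Reader"
  done
}

main
```

The step that is easy to miss is the last one: RBAC inherits downward, so any existing Security Admin or Security Reader assignment at a parent scope (the tenant root group, or a management group above both team groups) still applies to all four subscriptions and must be removed, or the segregation exists only on paper. Run the script with `DRY_RUN=1` first, then with `DRY_RUN=0` from an identity that has write access to the management groups and `Microsoft.Authorization/roleAssignments/write` at those scopes.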