How can I use deployment stacks to create deny assignments on a resource group?
13:54 18 Feb 2026

I want to be able to apply the DenyWriteAndDelete assignment to an entire resource group so that users cannot create or modify existing resources in the resource group, while excluding subnet operations from the assignment. Users/Groups not excluded from the assignment should still have normal access to unmanaged resource groups in the subscription.

Microsoft documentation says that the deny assignments apply only to managed resources that are defined in the deployment template and that the stack should live in the parent scope. Should I create the deployment stack at subscription scope? And can I have the stack adopt an existing resource group so that the deny assignment applies to it and every resource in the resource group?

azure
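
The setup the question describes, written out as an added example that is not part of the original post: a subscription-scope stack whose template declares the resource group, with DenyWriteAndDelete extended to child scopes and subnet operations excluded. The stack name, resource group name, location and principal ID are hypothetical placeholders, and whether the deny assignment reaches resources already present in an adopted group is an assumption to verify in a test subscription.

```bash
#!/usr/bin/env bash
# Added example: all names and IDs below are hypothetical placeholders.
set -eu

STACK_NAME="rg-lockdown-stack"
RG_NAME="rg-network-prod"
LOCATION="westeurope"
EXCLUDED_PRINCIPAL="00000000-0000-0000-0000-000000000000"  # placeholder object ID
TEMPLATE="${TMPDIR:-/tmp}/rg-lockdown.bicep"

# Subscription-scope template: the resource group itself is declared,
# so it becomes a resource managed by the stack.
write_template() {
  cat > "$TEMPLATE" <<'EOF'
targetScope = 'subscription'
param rgName string
param location string
resource rg 'Microsoft.Resources/resourceGroups@2022-09-01' = {
  name: rgName
  location: location
}
EOF
}

# Create or update the stack at subscription scope.
# Dry run: AZ=echo deploy_stack prints the command instead of calling Azure.
deploy_stack() {
  write_template
  "${AZ:-az}" stack sub create \
    --name "$STACK_NAME" \
    --location "$LOCATION" \
    --template-file "$TEMPLATE" \
    --parameters "rgName=$RG_NAME" "location=$LOCATION" \
    --deny-settings-mode denyWriteAndDelete \
    --deny-settings-apply-to-child-scopes \
    --deny-settings-excluded-actions \
      "Microsoft.Network/virtualNetworks/subnets/write" \
      "Microsoft.Network/virtualNetworks/subnets/delete" \
      "Microsoft.Network/virtualNetworks/subnets/join/action" \
    --deny-settings-excluded-principals "$EXCLUDED_PRINCIPAL" \
    --action-on-unmanage detachAll
}

# Run only when executed with "deploy" as the first argument.
if [ "${1:-}" = "deploy" ]; then deploy_stack; fi
```

Resource groups that the template does not declare stay outside the stack, so no deny assignment is created on them.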