Yes, it is possible to set up roles this way.
While enabling "Actions" for Azure Service Principals, users are provided with a "Custom Role" and "Assignment" PowerShell script by CloudHealth. The provided script makes use of the "AzureRm" module rather than the "Az" module, which was released by Microsoft in December 2018 (and is "now the intended Powershell module for interacting with Azure").
Below are equivalent custom scripts, rewritten with Az commands, that can be utilized:
"CHTActions" Custom Role Script with Az Commands
# Start from the built-in Contributor definition, then clear it and build CHTActions from scratch
$role = Get-AzRoleDefinition -Name Contributor
$role.Id = $null
$role.Name = "CHTActions"
$role.Description = "Grants access to Actions"
$role.AssignableScopes.Clear()
$role.Actions.Clear()
$role.NotActions.Clear()
# Only write/action permissions on compute, SQL and storage providers
$role.Actions.Add("Microsoft.Compute/*/write")
$role.Actions.Add("Microsoft.Compute/*/action")
$role.Actions.Add("Microsoft.ClassicCompute/*/write")
$role.Actions.Add("Microsoft.ClassicCompute/*/action")
$role.Actions.Add("Microsoft.Sql/*/write")
$role.Actions.Add("Microsoft.Sql/*/action")
$role.Actions.Add("Microsoft.Storage/*/write")
$role.Actions.Add("Microsoft.Storage/*/action")
$role.Actions.Add("Microsoft.ClassicStorage/*/write")
$role.Actions.Add("Microsoft.ClassicStorage/*/action")
# Explicitly exclude deletes and any RBAC/authorization changes
$role.NotActions.Add("*/Delete")
$role.NotActions.Add("Microsoft.Authorization/*")
# Make the role assignable in every subscription visible to the signed-in account
$subs = Get-AzSubscription
foreach ($sub in $subs) {
    $sub_scope = '/subscriptions/' + $sub.Id
    $role.AssignableScopes.Add("$sub_scope")
}
New-AzRoleDefinition -Role $role
"CHTActions" Assignment Script with Az Commands
# Customer to manually enter $client_id value
$subs = Get-AzSubscription
$client_id = '<MANUALLY_ENTER_APPLICATION_CLIENT_ID>'
$sp = Get-AzADServicePrincipal -SPN $client_id
# Assign the CHTActions role to the service principal in each subscription
foreach ($sub in $subs) {
    $sub_scope = '/subscriptions/' + $sub.Id
    New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName CHTActions -Scope $sub_scope
}
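The following verification script is an added example, not one of CloudHealth's scripts: after running the two scripts above, it checks that the CHTActions role still carries its two NotActions, that every Actions entry stays within the expected provider namespaces, and that the service principal holds only that role in each subscription. It assumes the Az module is installed, Connect-AzAccount has been run, and $client_id is the same Application (client) ID placeholder used in the assignment script.

```powershell
# Added verification example; assumes Az module + Connect-AzAccount already done.
$client_id = '<MANUALLY_ENTER_APPLICATION_CLIENT_ID>'   # same value as in the assignment script
$roleName  = 'CHTActions'

# 1. The custom role must exist and keep its deny rules.
$role = Get-AzRoleDefinition -Name $roleName
if (-not $role) { throw "Role '$roleName' was not found." }

$requiredNotActions = @('*/Delete', 'Microsoft.Authorization/*')
foreach ($na in $requiredNotActions) {
    if ($role.NotActions -notcontains $na) {
        Write-Warning "Role '$roleName' is missing NotAction '$na'."
    }
}

# Any Actions entry outside the intended provider namespaces deserves a look.
$allowedPrefixes = @('Microsoft.Compute/', 'Microsoft.ClassicCompute/', 'Microsoft.Sql/',
                     'Microsoft.Storage/', 'Microsoft.ClassicStorage/')
foreach ($action in $role.Actions) {
    $ok = $false
    foreach ($p in $allowedPrefixes) { if ($action -like "$p*") { $ok = $true } }
    if (-not $ok) { Write-Warning "Unexpected action in '$roleName': $action" }
}

# 2. The service principal should hold CHTActions in every subscription and
#    nothing else at or above subscription scope (e.g. no leftover Contributor).
$sp = Get-AzADServicePrincipal -SPN $client_id
if (-not $sp) { throw "Service principal for '$client_id' was not found." }

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    $scope = "/subscriptions/$($sub.Id)"
    # Returns assignments at this scope plus inherited ones (e.g. from a management group)
    $assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope

    $hasRole = $assignments | Where-Object { $_.RoleDefinitionName -eq $roleName }
    if (-not $hasRole) {
        Write-Warning "Subscription $($sub.Name): no '$roleName' assignment for $client_id."
    }
    $extra = $assignments | Where-Object { $_.RoleDefinitionName -ne $roleName }
    foreach ($a in $extra) {
        Write-Warning "Subscription $($sub.Name): extra assignment '$($a.RoleDefinitionName)' at $($a.Scope)."
    }
}
```

A clean run prints no warnings; any warning points at a role or assignment that drifted from the least-privilege setup above.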