We considered doing the same thing but decided against it for the sake of user convenience (end users use SSO to log on and restore).
Instead, we created stripped-down roles for the AD users/groups, including backup admins. Users can only see (CV_RestrictedVisibility) and restore their own machines/DBs, but cannot change configs or schedules or delete anything. Same with the AD account of backup admins: it can do most of what the master role does, but explicit denies on everything nasty, like deleting data or libraries or changing groups and roles, prevent bad-admin behavior.
The master role/group is assigned to CommServe local accounts only, and that group is additionally secured with 2FA (https://documentation.commvault.com/commvault/v11/article?p=107052_1.htm). Make sure to edit the e-mail templates to prevent spoofing the OTP from e-mail. Unfortunately, no FIDO2 support yet.
Another option to prevent the worst actions within Commvault is BusinessLogic workflows. The Store has some prepared samples; search for GetAndProcessAuthorization, or check the last section in the Security Assessment Healthcard in CloudDashboard to download and install them directly.
Hope that helps.