Thanks Lain for the insights,

It does the job for him, but the drawback is he is able to see all configurations like Users, or all resources across Azure portal - so it is not just limited to Groups there.

Is there anyway to limit his access just to "Groups" or just the places he needs to use as part of his daily job?

@Ali Fadavinia 

 

Hey, Ali.

 

There's nothing as granular as what you're looking for out-of-the-box, unfortunately.

 

It's important to note that I'm basing this and the previous statement on the following quote from your original post which implies read-only access:

 

"... so he can look up only ..."

 

It's worth noting that from a security perspective, every user can read group memberships (excluding what I said before about groups marked as having hidden memberships). Similarly, every user can read basic properties of other user accounts ("basic properties" still accounts for a fair number of attributes, but this has always been true even with Active Directory on-premise.)

 

• Default user permissions - Azure Active Directory - Microsoft Entra | Microsoft Docs

 

I'd wager this is why there's no "Groups Reader" role, since it's something everyone (talking about normal users, not guests) has the rights to do by default.

 

Therefore, the requirement you're really trying to solve is how to provide an easy-to-use way of browsing such things, and it's in this context you're looking to grant access to the Azure portal.

 

If we re-frame your requirement to just this one aspect (granting access to the Azure portal), then you might consider a left-field solution which is to add them to the Message Center Reader role, which is - as far as I can see - the least-privileged out-of-the-box Azure AD role you can add someone to that also allows them to sign into the Azure portal.

 

• Azure AD built-in roles - Azure Active Directory - Microsoft Entra | Microsoft Docs

 

There's no harm in being able to read the Message Centre announcements, and in being a read-only role, there's no risk of them submitting support tickets, etc.

 

But as I said initially, the Azure AD roles are broad by nature and will encompass more than just the one specific requirement you're looking to fulfil.

 

You could look at whether creating and publishing a dashboard based on the Users and Groups tile from the Tile Gallery meets your needs. Otherwise, if you're adamant the person should not see anything from users - even the public properties that all users technically have the by-default rights to see, you're stuck with having to create something bespoke like a Power Apps solution.

 

• Create a dashboard in the Azure portal - Azure portal | Microsoft Docs
• Share Azure portal dashboards by using Azure role-based access control - Azure portal | Microsoft Do...

 

While I won't discuss it here, I will at least acknowledge the topic of administrative units, which may or may not help you. That functionality costs you extra and isn't a silver bullet either, which is why I won't get into those here.

 

Cheers,

Lain