Create a Read-Only Administrator in Azure Using Azure CLI

In this blog post, we will show you how to assign read-only permission to an Azure subscription using Azure CLI.

Managing cloud resources can be a complex task, especially when multiple users and teams are involved. As an Azure administrator, you need to ensure that your colleagues and partners have the right level of access to Azure resources without compromising security or compliance. One common scenario is granting read-only permission to an Azure subscription, which allows users to view but not modify resources.

Create a Read-Only Administrator

To get started, log in to Azure using the Azure CLI command below.

# Login to Azure using device code authentication
az login --use-device-code

To assign permissions, we need the subscription ID of the subscription to which the read-only user will have access. The command below will list all the subscription IDs.

# List all the Azure subscriptions associated with the logged in account in a table format
az account list --output table

Use the command below to create a user first. If the user already exists, you can skip this step.

# Create a new user in Azure Active Directory
az ad user create --display-name "User (Read Only)" --password "setpassword" --user-principal-name "name@mytenant.onmicrosoft.com"

Assign Reader permissions to the user using the command below.

# Assign the "Reader" role to the user 
az role assignment create --assignee "name@mytenant.onmicrosoft.com" --role "Reader" --scope /subscriptions/subscription-id
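
To confirm that the steps above left the account with read-only access and nothing else, the script below audits the user's role assignments. It is an added example, not part of the original post: the function name audit_read_only, the script arguments and the all-zero subscription ID are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that a principal holds only the Reader role, and only
# at the intended subscription scope.

# audit_read_only EXPECTED_SCOPE
# Reads "roleDefinitionName<TAB>scope" lines on stdin and returns 0 only when
# every line is a Reader assignment at EXPECTED_SCOPE and at least one exists.
audit_read_only() {
    awk -F'\t' -v want="$1" '
        BEGIN { want = tolower(want) }   # Azure resource IDs are case-insensitive
        NF < 2 { next }                  # skip blank or malformed lines
        {
            if ($1 != "Reader") {
                printf "FAIL: extra role \"%s\" at %s\n", $1, $2; bad = 1
            } else if (tolower($2) != want) {
                printf "FAIL: Reader at unexpected scope %s\n", $2; bad = 1
            } else {
                found = 1
            }
        }
        END {
            if (!found) { print "FAIL: no Reader assignment at " want; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

if [ "$#" -eq 2 ]; then
    # Live check: $1 = user principal name, $2 = subscription ID.
    # Lists direct assignments only; access inherited through group
    # membership is not covered by this query.
    az role assignment list --assignee "$1" --all --subscription "$2" \
        --query "[].[roleDefinitionName, scope]" --output tsv |
        audit_read_only "/subscriptions/$2"
else
    # Constructed sample (not real tenant data): the second line is a leftover
    # Contributor assignment on a resource group, which the audit must flag.
    sub="/subscriptions/00000000-0000-0000-0000-000000000000"
    printf 'Reader\t%s\nContributor\t%s/resourceGroups/rg-demo\n' "$sub" "$sub" |
        audit_read_only "$sub" || echo "audit failed (expected for this sample)"
fi
```

Run it with the user principal name and subscription ID as the two arguments; a non-zero exit status means the account has more than subscription-level Reader access, or none at all.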
