Reputation: 95
I have over 50 Azure subscriptions under the same tenant. I have created a service principal under Azure Active Directory and given the service principal the 'reader' role on each subscription. When I make an API call from Postman I get all subscription ids, but my concern is that I am giving 'READ' access to all my resources in the different subscriptions. I want to limit this service principal so it will ONLY be able to list the subscription ids and nothing else.
Upvotes: 0
Views: 1058
Reputation: 136346
> I want to limit this service principal so it will ONLY be able to list the subscription ids and nothing else.

With the "Reader" role, a user would be able to read all resources inside a subscription and not just the subscription id.

I believe the solution to your problem is to create a custom role (let's call it SubscriptionPropertiesReader) and then give it only the permission to perform the read operation at the subscription level. Based on the information provided here, I believe the permission you would want to include in this role is Microsoft.Resources/subscriptions/read.

The challenge obviously will be to create this custom role in each and every subscription and then assign this role to your Service Principal in each subscription.
Upvotes: 0
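The following script is an added example and not code from either poster. It builds the custom role definition the answer describes (the role name SubscriptionPropertiesReader is taken from the answer; the subscription ids and the service principal's application id are placeholders you supply), includes a check that the definition really grants only Microsoft.Resources/subscriptions/read and no wildcard such as */read, and shows the Azure CLI calls to create and assign it. One difference from the answer's wording: a custom role definition can list every subscription in its AssignableScopes, so it is created once; the role assignment still has to be made at each subscription scope, which is the loop in create_and_assign.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Builds a least-privilege custom role that only allows reading subscription
# properties, verifies it, and (optionally) creates and assigns it with az CLI.

ROLE_NAME="SubscriptionPropertiesReader"   # name suggested in the answer

# build_role_definition SUB_ID [SUB_ID ...]
# Prints a role definition JSON document whose AssignableScopes contain every
# subscription given, with exactly one Action and no data actions.
build_role_definition() {
    scopes=""
    for sub in "$@"; do
        [ -n "$scopes" ] && scopes="$scopes, "
        scopes="$scopes\"/subscriptions/$sub\""
    done
    printf '{\n'
    printf '  "Name": "%s",\n' "$ROLE_NAME"
    printf '  "IsCustom": true,\n'
    printf '  "Description": "Read subscription properties only",\n'
    printf '  "Actions": ["Microsoft.Resources/subscriptions/read"],\n'
    printf '  "NotActions": [],\n'
    printf '  "DataActions": [],\n'
    printf '  "NotDataActions": [],\n'
    printf '  "AssignableScopes": [%s]\n' "$scopes"
    printf '}\n'
}

# check_least_privilege < role.json
# Returns 0 only if the definition grants exactly the single subscription read
# action, contains no wildcard (a "*/read" would re-create Reader-like access),
# and grants no data-plane actions.
check_least_privilege() {
    def=$(cat)
    printf '%s\n' "$def" | grep -q '"Actions": \["Microsoft.Resources/subscriptions/read"\],' || return 1
    printf '%s\n' "$def" | grep -q '\*' && return 1
    printf '%s\n' "$def" | grep -q '"DataActions": \[\]' || return 1
    return 0
}

# create_and_assign APP_ID SUB_ID [SUB_ID ...]
# Creates the role once (all subscriptions in AssignableScopes), then assigns
# it to the service principal at each subscription scope. Needs an
# authenticated az CLI; not executed when the script is merely sourced.
create_and_assign() {
    app_id="$1"; shift
    build_role_definition "$@" > role.json
    check_least_privilege < role.json || { echo "role definition too broad" >&2; return 1; }
    az role definition create --role-definition @role.json
    for sub in "$@"; do
        az role assignment create --assignee "$app_id" \
            --role "$ROLE_NAME" --scope "/subscriptions/$sub"
    done
}

# Usage (real run):
#   create_and_assign <service-principal-app-id> <subscription-id> [<subscription-id> ...]
```

Running build_role_definition for your 50 subscription ids and piping the result through check_least_privilege gives you a definition you can review before it is created; if someone later edits the role to add a broader action, the same check fails and create_and_assign refuses to deploy it.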