Hello @Andy Lau Pik Hui
Yes, is possible.
You need create a custon role.
This can be achieved by creating a custom role with the following permissions:
- Microsoft.Compute/virtualMachines/*
- Microsoft.Network/networkInterfaces/*
- Microsoft.Network/networkSecurityGroups/*
- Microsoft.Network/publicIPAddresses/*
- Microsoft.Network/virtualNetworks/*
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Storage/storageAccounts/*
You can then deny the user access to view Sentinel cost and billing by adding the following deny permissions:
- Microsoft.Insights/alertRules/*
- Microsoft.Insights/components/*
- Microsoft.Insights/diagnosticSettings/*
- Microsoft.Insights/logs/*
You can create this custom role by script or graphic view.
I hope this help you, and if yes, don't forget to upvote and accept the answer
Regards