If you are looking for a specific reader role, Directory Reader is probably preferred versus Global Reader. However, the ability to read the directory won't prevent seeing account details. There is no permission that will allow you to just read an account's UPN.
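To illustrate the point above from the defender's side, here is an added example (not code from the thread or from Microsoft) of how the automation job described in the question can at least minimise the data it retrieves: it asks Microsoft Graph for only the user's `Id` and `UserPrincipalName`, then removes that user's AVD access. Note that the `-Property` selection limits what the script fetches and logs, not what the assigned role is permitted to read; the role scope remains as the answer describes. The UPN, the application group resource ID, and the `Desktop Virtualization User` role assignment model are assumptions for this example and must be replaced with your own values.

```powershell
# Added example, not part of the original thread.
# Assumes: Microsoft.Graph and Az.Resources modules installed; the automation account's
# managed identity holds a directory read role (e.g. Directory Readers, per the answer)
# and rights to manage role assignments on the AVD application group.

# Constructed placeholder values (assumptions for this example).
$Upn        = 'jane.doe@contoso.example'
$AppGroupId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.DesktopVirtualization/applicationGroups/<appgroup>'

# Sign in as the automation account's managed identity (no stored credentials).
Connect-MgGraph -Identity
Connect-AzAccount -Identity | Out-Null

# Fetch only the two attributes the job needs. This is data minimisation at the query
# level: fewer attributes are returned and written to job logs. It does NOT narrow the
# permissions of the role itself, which still covers the whole directory.
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName

if (-not $user) {
    Write-Warning "User '$Upn' not found; nothing to do."
    return
}

# AVD access is normally granted through the 'Desktop Virtualization User' role on the
# application group (assumption for this example). Find and remove only that assignment.
$assignments = Get-AzRoleAssignment -ObjectId $user.Id -Scope $AppGroupId `
    -RoleDefinitionName 'Desktop Virtualization User'

foreach ($a in $assignments) {
    Remove-AzRoleAssignment -ObjectId $user.Id -Scope $a.Scope `
        -RoleDefinitionName 'Desktop Virtualization User'
    Write-Output "Removed AVD access for $($user.UserPrincipalName) at scope $($a.Scope)"
}
```

Run this from the automation account's runbook context; the Graph and Az sign-ins rely on the managed identity, so no secrets are embedded. Keeping the read to `Id` and `UserPrincipalName` also reduces what an audit of the runbook output would expose about other accounts.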
Restrict roles and administrators right just for Microsoft Entra ID
Raymond Wong (ITSD)
We have an automation account which is for reading the user UPN for removing Entra ID users from an application group, or to restrict them from using AVD.
We have assigned the Global Reader role to the account, but it seems it can read our administrators' details and we do not want that to happen. May I ask, is there any fine tuning to adjust the role's rights for the automation account such that it can only read the specified Entra ID user?