Ho to grant a user (intern) read only access to all apps

Question

Ho to grant a user (intern) read only access to all apps

Mary 20

Hello,

I need to find a way to give a new intern read only access to all of our applications. I'm finding it challenging to locate any information on this. We want them to be able to see all app content without the ability to make changes. I was hoping I could do this at the group level. Anyone know how to achieve this?

Marcin Policht 46,190 Reputation points MVP Moderator

2025-04-19T21:20:36.68+00:00
Creata a custom Entra ID role based on the "Cloud Application Administrator" role

In Entra Admin Center, browse to Roles & Administrators`

Click "New custom role"

Use Cloud Application Administrator as the base

Remove permissions like:

microsoft.directory/applications/write

microsoft.directory/servicePrincipals/write

Keep only read permissions (*/read)

Assign this custom role directly to the intern.

hth

Marcin
Jyotishree Moharana 1,270 Reputation points Microsoft External Staff Moderator

2025-04-22T09:57:12.9766667+00:00

Hello @Mary,

Following up to see if the provided information was helpful.

If this answers your query, do click **Accept Answer** and Yes for was this answer helpful. And, if you have any further query or questions do let us know.
Jyotishree Moharana 1,270 Reputation points Microsoft External Staff Moderator

2025-04-23T12:03:06.14+00:00

Hello @Mary,

Following up to see if the provided information was helpful.

If this answers your query, do click "Accept Answer" and Yes for was this answer helpful. And, if you have any further query or questions do let us know.

1 answer

Your answer

Marcin Policht 46,190 Reputation points MVP Moderator

2025-04-19T21:20:36.68+00:00

Creata a custom Entra ID role based on the "Cloud Application Administrator" role

In Entra Admin Center, browse to Roles & Administrators`

Click "New custom role"

Use Cloud Application Administrator as the base

Remove permissions like:

microsoft.directory/applications/write

microsoft.directory/servicePrincipals/write

Keep only read permissions (*/read)

Assign this custom role directly to the intern.

hth

Marcin
Jyotishree Moharana 1,270 Reputation points Microsoft External Staff Moderator

2025-04-22T09:57:12.9766667+00:00

Hello @Mary,

Following up to see if the provided information was helpful.

If this answers your query, do click **Accept Answer** and Yes for was this answer helpful. And, if you have any further query or questions do let us know.
Jyotishree Moharana 1,270 Reputation points Microsoft External Staff Moderator

2025-04-23T12:03:06.14+00:00

Hello @Mary,

Following up to see if the provided information was helpful.

If this answers your query, do click "Accept Answer" and Yes for was this answer helpful. And, if you have any further query or questions do let us know.

Answer 1

Hello @Mary,

If the interns accounts are member users of your Entra tenant, then all member users in the organization can read application related information by default. This is one of the default user permissions. They can read all the details except for few like sign-in logs, audit logs or provisioning logs which are security related.

However, if the interns have guest account, they would not have the read permission by default. Then custom roles can be defined by adding the correct permissions.

Please follow below document to know how to create a custom role: Create custom role
To get the list of read permission required for application, please refer the below documents, they list all the permissions that can be assigned, you may choose as per your requirement.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-available-permissions#read
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-enterprise-app-permissions
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-consent-permissions

Once you've created the custom role, you can assign it to any group or by creating a role assignable group. In role assignable group the custom role can be selected while creating the group or later as well. You can add member users as well as guests to this group.
To create role assignable group please refer document: Role assignable groups

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Share via

Ho to grant a user (intern) read only access to all apps

1 answer

Your answer