1. Create a custom role definition with the desired permissions. Use the Azure portal, Azure CLI, or Azure PowerShell to create the custom role. Specify the necessary permissions for the "Reader" role assignment within the resource group. For example, you can grant the Microsoft.Authorization/roleAssignments/write permission for the "Reader" role within the resource group.
2. Assign the custom role to the members who should have the permission to assign the "Reader" role. This can be done through the Azure portal, Azure CLI, or Azure PowerShell. Make sure you assign the custom role at the resource group level.
3. Create an Azure Policy that denies role assignments for all roles except the "Reader" role within the resource group. Use the "NotEquals" condition in the policy rule to specify that only the "Reader" role assignment is allowed. Assign this policy at the resource group level.
By following these steps, the resource group owners will still have the ability to assign any role to any user, including the custom role. However, members assigned to the custom role will only be able to assign the "Reader" role within the resource group. The Azure Policy will ensure that no other role assignments are allowed within the resource group.
Note: It's important to thoroughly test and validate the custom role and Azure Policy configurations to ensure they meet your specific requirements and don't inadvertently affect other roles or permissions in your environment.
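The three steps above as Azure CLI shell, added here as a worked example; it is not code from the original answer. The subscription id, resource group name and principal object id are placeholders read from environment variables, the Reader role definition id is Azure's built-in value, and the policy's notEquals comparison assumes the roleDefinitionId alias carries the subscription-scoped roleDefinitions path that ARM stores. Nothing is sent to Azure unless APPLY=1 is set and the az CLI is installed.

```shell
#!/usr/bin/env bash
# Placeholders (assumed values, override via environment):
SUB="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RG="${RESOURCE_GROUP:-rg-example}"
PRINCIPAL="${PRINCIPAL_ID:-11111111-1111-1111-1111-111111111111}"
# Built-in Reader role definition id (Azure's well-known GUID).
READER_ROLE_ID="acdd72a7-3385-48ef-bd42-f606fba81ae7"
SCOPE="/subscriptions/$SUB/resourceGroups/$RG"
ROLE_NAME="Reader Assigner ($RG)"
POLICY_NAME="deny-non-reader-role-assignments"

# Step 1: custom role. Note that roleAssignments/write by itself lets the
# holder create an assignment of ANY role at the scope; only the policy in
# step 3 narrows that to Reader. Read is included so holders can see what
# they created; delete is deliberately left out (least privilege).
custom_role_json() {
cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Can create role assignments in $RG; Azure Policy limits them to Reader.",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "AssignableScopes": ["$SCOPE"]
}
EOF
}

# Step 3: policy rule. Deny any role assignment whose roleDefinitionId is not
# the Reader role. Assumption: the alias value is the subscription-scoped
# roleDefinitions path, so notEquals compares against that exact string.
policy_rule_json() {
cat <<EOF
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Authorization/roleAssignments" },
      {
        "field": "Microsoft.Authorization/roleAssignments/roleDefinitionId",
        "notEquals": "/subscriptions/$SUB/providers/Microsoft.Authorization/roleDefinitions/$READER_ROLE_ID"
      }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

# Steps 1-3 against a real subscription; guarded so a dry run only prints JSON.
apply_with_az() {
  if [ "${APPLY:-0}" != "1" ] || ! command -v az >/dev/null 2>&1; then
    echo "Dry run (set APPLY=1 with az installed to deploy):" >&2
    custom_role_json
    policy_rule_json
    return 0
  fi
  tmp="$(mktemp -d)"
  custom_role_json > "$tmp/role.json"
  policy_rule_json > "$tmp/policy.json"

  # Step 1: create the custom role (AssignableScopes pins it to the RG).
  az role definition create --role-definition "$tmp/role.json"

  # Step 2: assign the custom role at resource-group scope.
  az role assignment create --assignee-object-id "$PRINCIPAL" \
    --assignee-principal-type User --role "$ROLE_NAME" --scope "$SCOPE"

  # Step 3: define the deny policy (mode All: role assignments have no
  # location/tags, so Indexed mode would skip them) and assign it to the RG.
  az policy definition create --name "$POLICY_NAME" \
    --display-name "Deny role assignments other than Reader" \
    --mode All --rules "$tmp/policy.json"
  az policy assignment create --name deny-non-reader \
    --policy "$POLICY_NAME" --scope "$SCOPE"
}

apply_with_az
```

To validate the result, sign in as a principal holding only the custom role and attempt a Contributor assignment in the resource group; it should be rejected with a RequestDisallowedByPolicy error, while a Reader assignment succeeds. Two caveats worth keeping in mind: a deny effect applies only to new or updated role assignments, so any non-Reader assignments that already exist are untouched, and anyone able to edit or exempt the policy assignment (for example the resource group owners) can lift the restriction.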