I'm trying to figure out the exact privileges to ask for when a customer needs to create an account on their Azure AD tenant during a security audit.
I have identified the roles:
"Security Reader", which allows access to the CSA;
"Global Reader", which allows reading the administration information.
But this doesn't seem to be enough: if I want to access the user password policies, is a less privileged role than the "Authentication Policy Administrator" role usable?
Concerning access to the key, secret and certificate definitions of the Vault, in order to see for example whether expiration is in place, I have identified the roles "Key Vault Reader" and "Key Vault Secrets User".
Finally, for the storage accounts, which role allows reading everything without being able to modify or assign roles?
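Added example, not part of the question above and not Microsoft's tooling: a small Python check that reads Azure RBAC role definitions in the JSON shape returned by `az role definition list --name "<role>" -o json` and reports, for each role, which granted patterns are not plain reads, whether the role can write role assignments, and whether it can read Key Vault secret values rather than only metadata. The role definitions embedded below are a constructed, abridged sample (Key Vault Reader is trimmed to its Key Vault entries); the wildcard matching and the Actions/NotActions evaluation follow Azure RBAC semantics, and the function names are my own.

```python
import json
import re

# Constructed, abridged sample of what `az role definition list --name "<role>" -o json`
# returns. Only the fields used by this check are kept; pull the real definitions
# from the tenant before relying on the result.
SAMPLE_ROLE_DEFINITIONS = json.loads(r'''
[
  {"roleName": "Owner",
   "permissions": [{"actions": ["*"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Contributor",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Reader",
   "permissions": [{"actions": ["*/read"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Storage Blob Data Reader",
   "permissions": [{"actions": [
                      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                      "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
                    "notActions": [],
                    "dataActions": [
                      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
                    "notDataActions": []}]},
  {"roleName": "Key Vault Reader",
   "permissions": [{"actions": ["Microsoft.KeyVault/vaults/*/read",
                                "Microsoft.Resources/subscriptions/resourceGroups/read"],
                    "notActions": [],
                    "dataActions": ["Microsoft.KeyVault/vaults/*/read",
                                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
                    "notDataActions": []}]},
  {"roleName": "Key Vault Secrets User",
   "permissions": [{"actions": [], "notActions": [],
                    "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                                    "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
                    "notDataActions": []}]}
]
''')

ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"
SECRET_VALUE_READ = "Microsoft.KeyVault/vaults/secrets/getSecret/action"
# Operation suffixes treated as pure reads; anything else is listed for manual review.
READ_SUFFIXES = ("/read", "/readmetadata/action")


def action_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, '/' included; case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_plane: bool = False) -> bool:
    """Permitted if some allow pattern matches and no deny (NotActions) pattern matches."""
    allow_key, deny_key = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    for perm in role["permissions"]:
        allowed = any(action_matches(p, operation) for p in perm.get(allow_key, []))
        denied = any(action_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not denied:
            return True
    return False


def non_read_patterns(role: dict) -> list:
    """Granted control- and data-plane patterns that are not plain reads:
    a bare '*', any write/delete verb, or a non-metadata '/action'."""
    found = []
    for perm in role["permissions"]:
        for pattern in perm.get("actions", []) + perm.get("dataActions", []):
            if not pattern.lower().endswith(READ_SUFFIXES):
                found.append(pattern)
    return found


def audit(role: dict) -> dict:
    """Summarise one role definition for a least-privilege review."""
    return {
        "role": role["roleName"],
        "non_read_patterns": non_read_patterns(role),
        "can_assign_roles": role_permits(role, ROLE_ASSIGN_WRITE),
        "can_read_secret_values": role_permits(role, SECRET_VALUE_READ, data_plane=True),
    }


def find_role(name: str, definitions=SAMPLE_ROLE_DEFINITIONS) -> dict:
    return next(r for r in definitions if r["roleName"].lower() == name.lower())


if __name__ == "__main__":
    for role in SAMPLE_ROLE_DEFINITIONS:
        print(json.dumps(audit(role)))
```

Feed it the real `az role definition list -o json` output in place of the sample. An empty `non_read_patterns` list together with `can_assign_roles` being false is the property the storage-account question asks for; note that Contributor's `NotActions` already block role-assignment writes while leaving it far from read-only, so both flags are needed. On the sample, Key Vault Reader reports no non-read patterns and no access to secret values (it only has `*/read` and `readMetadata`), whereas Key Vault Secrets User is flagged on `getSecret/action`, which is the distinction that matters when the audit only needs to see expiry dates.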