How-To: Adding a Reader Role in Azure

Last updated: June 3, 2026

Introduction

Assigning the Reader role allows Astra to securely access your Azure subscription for non-intrusive assessment and monitoring purposes. This ensures that Astra's security team or automated scanners can identify potential vulnerabilities within your cloud infrastructure while maintaining read-only permission levels.

Prerequisites

  • Access to Azure Portal: You must have the Role Based Access Control Administrator or User Access Administrator role on the subscription to assign roles to others.

  • Security Review Cases: For manual pentests or cloud reviews, you must grant access to Astra's security team lead. This step is not mandatory for automated cloud scan plans.

Instructions

Create an Azure AD Service Principal

To streamline the review process, you may want to create a Service Principal and provide its credentials to Astra. You can create one using the Azure CLI:

az ad sp create-for-rbac --name "<name>" --role Reader --scopes /subscriptions/<subscription-id>

Current Azure CLI versions require --role whenever --scopes is given; Reader matches the read-only access this guide grants.

For more details, refer to the official Azure Service Principal documentation.

Once created, copy the following values and add them to your Astra dashboard:

  • Application (Client) ID — Unique ID of the service principal

  • Tenant (Directory) ID — Azure AD tenant where the service principal is created

  • Client Secret — A generated secret in Azure AD

  • Subscription ID — Unique ID of the subscription in which the service principal is created

Step-by-step instructions to add the Reader role

  1. Access Subscriptions: Sign in to the Azure Portal and use the top search bar to find and open Subscriptions.

  2. Select Target: Choose the specific subscription to which you wish to grant access.

  3. Open IAM: Select Access control (IAM) from the left-hand navigation menu.

  4. View Existing Assignments (Optional): Click the Role assignments tab to review current role assignments at this scope before proceeding.

  5. Initiate Role Assignment: Click Add > Add role assignment. If you don't have permissions to assign roles, this option will be greyed out.

  6. Define Role: In the Role tab, search for and select Reader. You may also be required to assign the Global Reader or Security Reader roles depending on your specific assessment needs. Click Next.

  7. Select Principal: In the Members tab, under Assign access to, select User, group, or service principal. Click + Select members.

  8. Identify the User: Search for and select the correct service principal or user account.

    For Pentest or manual cloud review: Search for and add saatvik.dhiman@getastra.com. Saatvik Dhiman is Astra's designated security team lead who conducts the hands-on review of your Azure environment. Granting read-only access ensures the review is completed securely without any ability to modify your resources. This step is not required for automated cloud scan plans.

  9. Review and Finalize: Click Review + assign, review the role and member details on the confirmation tab, then click Review + assign again to confirm.

  10. Verification: Confirm that the role is correctly listed under the Role assignments tab.

Expected Outcome

Once confirmed, the selected user or service principal will have read-only access to the subscription, allowing for secure security auditing without the ability to modify any resources.

Azure API Reference

For teams managing access programmatically or at scale, Microsoft provides two relevant REST API references:

  • Assign a role via REST API: Use the Role Assignments - Create REST API, specifying the security principal, role definition, and scope. You must have Microsoft.Authorization/roleAssignments/write permissions, such as the Role Based Access Control Administrator role, to call this API. Full reference: Assign Azure roles using the REST API

  • List existing role assignments via REST API: Use the Role Assignments - Get or List REST APIs, specifying a scope and optional filter to retrieve current assignments. Full reference: List Azure role assignments using the REST API

  • Assign roles via Azure portal (step-by-step): Assign Azure roles using the Azure portal
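As an added example (not Astra's code or Microsoft's), the Python below builds the Role Assignments - Create request that grants Reader at subscription scope and audits a Role Assignments - List response to confirm a principal holds only Reader. The subscription and principal GUIDs are constructed placeholders; the Reader and Contributor role definition GUIDs are Azure's built-in ones.

```python
import uuid

# Built-in Reader role definition GUID; the same in every Azure tenant.
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
API_VERSION = "2022-04-01"


def reader_assignment_request(subscription_id, principal_id, assignment_id=""):
    """PUT request for Role Assignments - Create granting Reader at subscription
    scope. The assignment name is a caller-chosen GUID (generated if absent)."""
    scope = f"/subscriptions/{subscription_id}"
    name = assignment_id or str(uuid.uuid4())
    url = (f"https://management.azure.com{scope}/providers/"
           f"Microsoft.Authorization/roleAssignments/{name}?api-version={API_VERSION}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization/"
                            f"roleDefinitions/{READER_ROLE_ID}",
        "principalId": principal_id,
        "principalType": "ServicePrincipal"}}
    return {"method": "PUT", "url": url, "body": body}


def audit_principal(list_response, principal_id):
    """Findings for one principal in a Role Assignments - List response: any
    role other than Reader, or a scope outside the subscription tree (for
    example a management group, which grants more than this guide intends)."""
    findings = []
    for item in list_response.get("value", []):
        props = item["properties"]
        if props["principalId"] != principal_id:
            continue
        role_id = props["roleDefinitionId"].rsplit("/", 1)[-1].lower()
        if role_id != READER_ROLE_ID:
            findings.append(f"non-Reader role {role_id} at {props['scope']}")
        if not props["scope"].startswith("/subscriptions/"):
            findings.append(f"assignment above subscription scope: {props['scope']}")
    return findings


# Constructed sample List response: the intended Reader assignment plus a stray
# Contributor assignment (built-in role b24988ac-...) that the audit should flag.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
SAMPLE_SP = "11111111-1111-1111-1111-111111111111"
_DEFS = f"/subscriptions/{SAMPLE_SUB}/providers/Microsoft.Authorization/roleDefinitions/"
SAMPLE_LIST = {"value": [
    {"properties": {"principalId": SAMPLE_SP, "scope": f"/subscriptions/{SAMPLE_SUB}",
                    "roleDefinitionId": _DEFS + READER_ROLE_ID}},
    {"properties": {"principalId": SAMPLE_SP,
                    "scope": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/rg1",
                    "roleDefinitionId": _DEFS + "b24988ac-6180-42a0-ab88-20f7382dd24c"}},
]}
```

Run the audit after step 10 against the real List output for Astra's principal; an empty result means the principal holds exactly the read-only access described above.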

Related Tasks

  • Create Service Principal: To further streamline the review process, create an Azure AD Service Principal using the Azure CLI as described above.

  • Cloud Target Setup: After assigning the role, finish your Cloud Target Setup in the Astra dashboard by providing your subscription and service principal details.

  • Restrict Access: If certain resources are highly sensitive, you can use Deny rules to block access even if the Reader role is assigned.