Read-Only Access to Policy Definition and Compliance Reports – fast manual

Create a custom role definition file, e.g.:

notepad $env:TMP\PolicyReader.json

content:

{
  "Name": "Policy Reader",
  "Id": "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
  "IsCustom": true,
  "Description": "Policy Reader.",
  "Actions": [
    "Microsoft.Authorization/policySetDefinitions/read",
    "Microsoft.Authorization/policyDefinitions/read",
    "Microsoft.Authorization/policyAssignments/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/28c890b5-46e8-44a2-8f59-30e51cadd7f9"
  ]
}

Using PowerShell:

Connect-AzAccount
Get-AzSubscription
Select-AzSubscription -SubscriptionId x-x-x-x-xxx
New-AzRoleDefinition -InputFile $env:TMP\PolicyReader.json
Get-AzRoleDefinition | ? {$_.IsCustom -eq $true} | FT Name, IsCustom

Unfortunately, you must do this for each subscription.
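
A pre-flight check for the role definition file, to run before New-AzRoleDefinition. This is an added example, not part of the original post; the function name Test-ReadOnlyRoleDefinition, the all-zero subscription ID and the extra write action in the sample are constructed for illustration. It flags curly quotes pasted from a web page, wildcard or non-read actions, data actions, and scopes that are not a single subscription:

```powershell
# Added example: checks that a custom role file grants read-only control-plane access.
function Test-ReadOnlyRoleDefinition {
    param([Parameter(Mandatory)][string]$Json)

    # Curly quotes copied from a web page are not valid JSON delimiters.
    if ($Json -match '[\u201C\u201D]') { return 'File contains curly quotes; retype them as "' }
    try { $role = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return "Not valid JSON: $($_.Exception.Message)" }

    $problems = @()
    if ($role.IsCustom -ne $true) { $problems += 'IsCustom must be true' }

    # Every control-plane action must be an explicit .../read, never a wildcard.
    $actions = @($role.Actions | Where-Object { $_ })
    if ($actions.Count -eq 0) { $problems += 'Actions is empty' }
    foreach ($a in $actions) {
        if ($a -match '\*') { $problems += "Wildcard action: $a" }
        elseif ($a -notmatch '/read$') { $problems += "Non-read action: $a" }
    }

    # This role is meant to carry no data-plane permissions.
    if (@($role.DataActions | Where-Object { $_ }).Count -gt 0) { $problems += 'DataActions should be empty' }

    # Assumption matching this page's file: each scope is one subscription.
    $scopes = @($role.AssignableScopes | Where-Object { $_ })
    if ($scopes.Count -eq 0) { $problems += 'AssignableScopes is empty' }
    foreach ($s in $scopes) {
        if ($s -notmatch '^/subscriptions/[0-9a-fA-F-]{36}$') { $problems += "Unexpected scope: $s" }
    }
    return $problems
}

# Constructed sample: the page's role plus one write action that should be flagged.
$sample = @'
{
  "Name": "Policy Reader",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Authorization/policyDefinitions/read",
    "Microsoft.Authorization/policyAssignments/write"
  ],
  "AssignableScopes": [ "/subscriptions/00000000-0000-0000-0000-000000000000" ]
}
'@
$result = @(Test-ReadOnlyRoleDefinition -Json $sample)
if ($result.Count -eq 0) { 'OK: read-only role definition' } else { $result }
# For the real file: Test-ReadOnlyRoleDefinition -Json (Get-Content $env:TMP\PolicyReader.json -Raw)
```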

You can also use the Security Reader role, which also gives you access to workspaces and support – https://docs.microsoft.com/pl-pl/azure/role-based-access-control/built-in-roles#security-reader.

This is a quick outline – to understand what you are doing, please visit: https://docs.microsoft.com/en-us/azure/role-based-access-control/tutorial-custom-role-powershell.