Currently, Business Central Admin Center APIs only support high-privilege permissions such as ReadWrite.All, which introduces significant security concerns when delegating access to external teams such as Power BI, reporting, or analytics teams.
In our organization, we manage over 100 Business Central tenants across different regions. We want to enable our Power BI team to access administrative metadata such as:
- Environment details
- Update version information
- Country/region codes
- Environment status (sandbox/production, active/inactive)
- Upgrade schedules
These are read-only scenarios used purely for reporting and dashboarding purposes.
However, the lack of a Read.All (or equivalent read-only) permission forces us to either:
1. Grant ReadWrite.All permissions, which is overly permissive and introduces risk (e.g., ability to delete or modify environments), or
2. Completely block access, preventing automation and centralized reporting.
This creates a security vs productivity conflict.
We strongly request that Microsoft introduce granular, least-privilege API permissions for Business Central Admin APIs, such as:
- AdminCenter.Read.All (read-only access)
- Environment.Read.All
- Tenant.Read.All
This would align with Azure AD/Microsoft Graph best practices, where read-only permissions are available alongside read/write permissions.
Benefits:
- Improves security posture by enforcing least-privilege access
- Enables safe delegation to reporting/analytics teams
- Supports scalable tenant management for partners managing multiple customers
- Reduces operational overhead and manual reporting
This feature is especially critical for partners and enterprises managing large multi-tenant environments.
Request: Please introduce read-only API permissions for Business Central Admin Center APIs to enable secure and scalable reporting scenarios.
Comments
We can also have "Application.Read.All", and the same for all the others where we intend to restrict our teams to read-only access.
Category: Development
