Additional "/read" permission to allow calls to the Network Watcher queryFlowLogStatus API
Today the default built-in Reader role does not allow executing Query Flow Log Status, because the Reader role allows all operations of "*/read".
But the query flow log status operation has "/action" at the end:
This makes it complicated to use different applications and services that want to query flow log status. To be able to do it, they ask customers to create a custom role in each and every subscription with that permission and then assign that role to the application (in addition to the Reader role, which they ask to assign for other features).
If there were an additional permission with a "/read" operation to query flow log status, then all that complication of a custom role would not be needed; one would just need to assign the built-in Reader role to the application, and the Reader role would automatically permit using it.
A very high number of Azure customers have issues with that permission and the required custom role.
Sayantan Ghosh commented
This is an older API and is soon to be deprecated. Users can move to the new API: https://docs.microsoft.com/en-us/rest/api/network-watcher/flowlogs/get
The new API works just with a "Microsoft.Network/networkWatchers/flowLogs/read" permission added at suitable scope.
The same is available in the Azure portal as a custom role to be selected (image attached).
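
The wildcard matching behind this thread, as an added example that is not part of the original post or the comment: it shows why a role holding only "*/read" covers the new flowLogs/read operation but not the older "/action" operation. The role definitions are constructed, the custom role name is hypothetical, and the older operation string is an assumption assembled from the API name and the "/action" suffix the post mentions.

```python
import re

# Operation strings. NEW_OP is quoted in the comment above; OLD_OP is not printed
# on the page and is an assumption built from the API name plus "/action".
OLD_OP = "Microsoft.Network/networkWatchers/queryFlowLogStatus/action"
NEW_OP = "Microsoft.Network/networkWatchers/flowLogs/read"

# Constructed role definitions. "Reader" is reduced to the "*/read" action the post
# describes; the custom role name is hypothetical.
READER = {"Name": "Reader", "Actions": ["*/read"], "NotActions": []}
FLOW_LOG_STATUS = {"Name": "Flow Log Status Query (hypothetical)",
                   "Actions": [OLD_OP], "NotActions": []}

def pattern_matches(pattern, operation):
    """'*' matches any run of characters, '/' included; comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def role_allows(role, operation):
    """Granted when an Actions pattern matches and no NotActions pattern does."""
    granted = any(pattern_matches(p, operation) for p in role["Actions"])
    excluded = any(pattern_matches(p, operation) for p in role["NotActions"])
    return granted and not excluded

def uncovered(roles, needed):
    """Operations none of the assigned roles grant (role assignments are additive)."""
    return [op for op in needed if not any(role_allows(r, op) for r in roles)]

if __name__ == "__main__":
    for roles in ([READER], [READER, FLOW_LOG_STATUS]):
        names = [r["Name"] for r in roles]
        print(names, "-> uncovered:", uncovered(roles, [OLD_OP, NEW_OP]))
```

Running `uncovered` against an application's required operations before onboarding shows which ones still need a narrowly scoped custom role on top of Reader.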