AFAIK, the approach of removing the group from the IAM permissions on the Redis resource to restrict access to the Redis console is correct.
If you want to restrict a user, service principal or managed identity from executing specific commands in the Redis Cache Console, you can create a custom data access policy that limits allowed commands (e.g., +get, +set, +cluster|info).
To create a custom access policy, open your Redis Cache instance in the Azure portal, go to Data Access Configuration, click on New access policy, and specify the permissions according to your requirements.
I have assigned a read-only custom access policy to the user with the following permissions: +@read +@connection +cluster|info +cluster|nodes +cluster|slots ~*.
After that, I assigned the created custom access policy to the user.
Reference: learn.microsoft.com/en-us/azure/azure-cache-for-redis/…
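
A way to check a permissions string like the one above before assigning it, as an added example (not part of the original answer and not Azure's or Redis's own code). The `CATEGORIES` map is a constructed, partial sample, the helper names are hypothetical, and key patterns are approximated with Python's `fnmatch`.

```python
import fnmatch

# Constructed, partial category map for illustration only; on a real server
# the membership comes from `ACL CAT <category>` and is much larger.
CATEGORIES = {
    "read": {"get", "mget", "exists", "ttl", "scan", "hgetall", "keys"},
    "write": {"set", "del", "expire", "hset"},
    "connection": {"auth", "ping", "hello", "select", "echo"},
    "dangerous": {"flushall", "flushdb", "config", "keys"},
}

def parse_policy(policy):
    """Split a permissions string into ordered command rules and key patterns."""
    rules, patterns = [], []
    for token in policy.split():
        if token[0] in "+-":
            rules.append((token[0] == "+", token[1:].lower()))
        elif token.startswith("~"):
            patterns.append(token[1:])
        elif token == "allkeys":
            patterns.append("*")
        else:
            raise ValueError(f"unsupported token: {token!r}")
    return rules, patterns

def command_allowed(rules, command, sub=None):
    """Apply rules left to right; the last rule that matches the command wins."""
    command = command.lower()
    sub = sub.lower() if sub else None
    allowed = False  # nothing is permitted until a rule grants it
    for allow, target in rules:
        if target.startswith("@"):
            cat = target[1:]
            match = cat == "all" or command in CATEGORIES.get(cat, ())
        elif "|" in target:
            match = sub is not None and target == f"{command}|{sub}"
        else:
            match = target == command
        if match:
            allowed = allow
    return allowed

def is_allowed(policy, command, sub=None, key=None):
    """True if the policy permits the command (and the key, when one is given)."""
    rules, patterns = parse_policy(policy)
    if not command_allowed(rules, command, sub):
        return False
    return key is None or any(fnmatch.fnmatchcase(key, p) for p in patterns)

# The read-only permissions string from the answer above.
READ_ONLY = "+@read +@connection +cluster|info +cluster|nodes +cluster|slots ~*"
```

Because `KEYS` belongs to the read category as well as the dangerous one, the read-only string still permits it; appending `-keys` to the string removes it.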