Microsoft Purview · Audit

Audit Reader

Search and export audit logs with read-only access, without ability to configure settings.

Scope: Organization-wide read-only audit log access

Permissions

  • Audit Search - Search unified audit logs
  • Export - Export audit log search results
  • Event Details - View audit log details and events
  • Reports - Run predefined audit reports

Common use cases

  • Compliance analysts reviewing user activities
  • Help desk investigating user-reported issues
  • External auditors conducting compliance reviews
  • Management reviewing access and activity reports

Best practices

  • Use targeted date ranges to improve search performance
  • Document audit searches for compliance purposes
  • Export critical findings for reporting
  • Coordinate with Audit Manager for retention needs

Security considerations

  • Cannot modify audit settings - lower risk than Audit Manager
  • Can still access sensitive activity information
  • Export activities should be monitored
  • Ensure proper justification for audit log access

Common questions

When should I assign the Audit Reader role?

Assign Audit Reader when you need to: Compliance analysts reviewing user activities; Help desk investigating user-reported issues; External auditors conducting compliance reviews; and Management reviewing access and activity reports. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Audit Reader role do?

The Audit Reader role grants permissions including: Audit Search - Search unified audit logs; Export - Export audit log search results; Event Details - View audit log details and events; and Reports - Run predefined audit reports. See the Permissions section above for the full list.

What are the security risks of the Audit Reader role?

Key considerations when assigning Audit Reader: Cannot modify audit settings - lower risk than Audit Manager; Can still access sensitive activity information; Export activities should be monitored; and Ensure proper justification for audit log access. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →