Microsoft Purview · Audit
Audit Reader
Search and export audit logs with read-only access, without ability to configure settings.
Scope: Organization-wide read-only audit log access
Permissions
- Audit Search - Search unified audit logs
- Export - Export audit log search results
- Event Details - View audit log details and events
- Reports - Run predefined audit reports
Common use cases
- Compliance analysts reviewing user activities
- Help desk investigating user-reported issues
- External auditors conducting compliance reviews
- Management reviewing access and activity reports
Best practices
- Use targeted date ranges to improve search performance
- Document audit searches for compliance purposes
- Export critical findings for reporting
- Coordinate with Audit Manager for retention needs
Security considerations
- Cannot modify audit settings - lower risk than Audit Manager
- Can still access sensitive activity information
- Export activities should be monitored
- Ensure proper justification for audit log access
Common questions
When should I assign the Audit Reader role?
Assign Audit Reader when you need to: Compliance analysts reviewing user activities; Help desk investigating user-reported issues; External auditors conducting compliance reviews; and Management reviewing access and activity reports. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Audit Reader role do?
The Audit Reader role grants permissions including: Audit Search - Search unified audit logs; Export - Export audit log search results; Event Details - View audit log details and events; and Reports - Run predefined audit reports. See the Permissions section above for the full list.
What are the security risks of the Audit Reader role?
Key considerations when assigning Audit Reader: Cannot modify audit settings - lower risk than Audit Manager; Can still access sensitive activity information; Export activities should be monitored; and Ensure proper justification for audit log access. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.