Microsoft Entra ID · Viva & Employee Experience
AI Reader
Read all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. Recommended least-privilege role for viewing the complete agent inventory in Microsoft Agent 365 and the Microsoft Entra Agent Registry.
Scope: Tenant-wide read-only visibility across Microsoft 365 Copilot, Microsoft Agent 365, and the Microsoft Entra Agent Registry
Permissions
- Read all Microsoft 365 Copilot settings
- Read AI-related enterprise service configurations
- View the complete agent inventory in Microsoft Agent 365
- View agents with Microsoft Entra Agent IDs in the Agent Registry
- Read Copilot usage reports and adoption insights
- Read service health and message center entries for AI services
Common use cases
- Microsoft Agent 365 inventory monitoring without governance authority
- Auditing AI agent sprawl across Copilot Studio, SharePoint, Agent Builder, AI Foundry, and connected platforms
- Reporting on Copilot adoption and AI usage trends
- Compliance reviewers validating agent metadata and ownership
- Security analysts triaging agent-related signals before escalation
Best practices
- Use as the default least-privilege role for analysts who only need agent visibility
- Pair with Reports Reader for richer adoption analytics
- Prefer over AI Administrator for monitoring and reporting personas
- Combine with Security Reader for cross-domain agent risk reviews
Security considerations
- Marked as PRIVILEGED in Microsoft Entra — protect with PIM and Conditional Access
- Exposes the full inventory of AI agents and their metadata across the tenant
- Read-only, but agent metadata can reveal sensitive business processes and data sources
- Does not grant access to underlying Copilot/agent data — only configuration and inventory
Common questions
When should I assign the AI Reader role?
Assign AI Reader when you need to: Microsoft Agent 365 inventory monitoring without governance authority; Auditing AI agent sprawl across Copilot Studio, SharePoint, Agent Builder, AI Foundry, and connected platforms; Reporting on Copilot adoption and AI usage trends; Compliance reviewers validating agent metadata and ownership; and Security analysts triaging agent-related signals before escalation. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the AI Reader role do?
The AI Reader role grants permissions including: Read all Microsoft 365 Copilot settings; Read AI-related enterprise service configurations; View the complete agent inventory in Microsoft Agent 365; View agents with Microsoft Entra Agent IDs in the Agent Registry; Read Copilot usage reports and adoption insights; and Read service health and message center entries for AI services. See the Permissions section above for the full list.
What are the security risks of the AI Reader role?
Key considerations when assigning AI Reader: Marked as PRIVILEGED in Microsoft Entra — protect with PIM and Conditional Access; Exposes the full inventory of AI agents and their metadata across the tenant; Read-only, but agent metadata can reveal sensitive business processes and data sources; and Does not grant access to underlying Copilot/agent data — only configuration and inventory. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.