Microsoft Entra ID · Viva & Employee Experience
AI Reader
Read all aspects of Microsoft 365 Copilot and AI-related enterprise services in Microsoft 365. Recommended least-privilege role for viewing the complete agent inventory in Microsoft Agent 365 and the Microsoft Entra Agent Registry.
Scope: Tenant-wide read-only visibility across Microsoft 365 Copilot, Microsoft Agent 365, and the Microsoft Entra Agent Registry
Permissions
- Read all Microsoft 365 Copilot settings
- Read AI-related enterprise service configurations
- View the complete agent inventory in Microsoft Agent 365
- View agents with Microsoft Entra Agent IDs in the Agent Registry
- Read Copilot usage reports and adoption insights
- Read service health and message center entries for AI services
Common use cases
- Microsoft Agent 365 inventory monitoring without governance authority
- Auditing AI agent sprawl across Copilot Studio, SharePoint, Agent Builder, AI Foundry, and connected platforms
- Reporting on Copilot adoption and AI usage trends
- Compliance reviewers validating agent metadata and ownership
- Security analysts triaging agent-related signals before escalation
Best practices
- Use as the default least-privilege role for analysts who only need agent visibility
- Pair with Reports Reader for richer adoption analytics
- Prefer over AI Administrator for monitoring and reporting personas
- Combine with Security Reader for cross-domain agent risk reviews
Security considerations
- Marked as PRIVILEGED in Microsoft Entra — protect with Privileged Identity Management (PIM) and Conditional Access
- Exposes the full inventory of AI agents and their metadata across the tenant
- Read-only, but agent metadata can reveal sensitive business processes and data sources
- Does not grant access to underlying Copilot/agent data — only configuration and inventory