Microsoft Entra ID · Identity Governance
Attribute Definition Reader
Reads the definition of custom security attributes but cannot assign values.
Scope: Read-only access to custom security attribute schema
Permissions
- Read attribute set properties
- Read custom security attribute definitions
Common use cases
- Auditing attribute definitions
- Understanding attribute structure
- Compliance reporting
Best practices
- Use for audit scenarios
- Combine with other attribute roles as needed
Security considerations
- Can see all attribute definitions
- Cannot see attribute values on objects
Common questions
When should I assign the Attribute Definition Reader role?
Assign Attribute Definition Reader when you need to: Auditing attribute definitions; Understanding attribute structure; and Compliance reporting. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Attribute Definition Reader role do?
The Attribute Definition Reader role grants permissions including: Read attribute set properties; and Read custom security attribute definitions. See the Permissions section above for the full list.
What are the security risks of the Attribute Definition Reader role?
Key considerations when assigning Attribute Definition Reader: Can see all attribute definitions; and Cannot see attribute values on objects. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.