Microsoft Entra ID · Identity Governance

Attribute Definition Reader

Reads the definition of custom security attributes but cannot assign values.

Scope: Read-only access to custom security attribute schema

Permissions

  • Read attribute set properties
  • Read custom security attribute definitions

Common use cases

  • Auditing attribute definitions
  • Understanding attribute structure
  • Compliance reporting

Best practices

  • Use for audit scenarios
  • Combine with other attribute roles as needed

Security considerations

  • Can see all attribute definitions
  • Cannot see attribute values on objects

Common questions

When should I assign the Attribute Definition Reader role?

Assign Attribute Definition Reader when you need to: Auditing attribute definitions; Understanding attribute structure; and Compliance reporting. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attribute Definition Reader role do?

The Attribute Definition Reader role grants permissions including: Read attribute set properties; and Read custom security attribute definitions. See the Permissions section above for the full list.

What are the security risks of the Attribute Definition Reader role?

Key considerations when assigning Attribute Definition Reader: Can see all attribute definitions; and Cannot see attribute values on objects. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →