Microsoft Entra ID · Identity Governance

Attribute Log Reader

Read audit logs for custom security attribute value changes, definition changes, and assignments. Cannot configure diagnostic settings or read other audit log types.

Scope: Read-only access to audit logs related to custom security attributes

Permissions

  • Read custom security attribute audit logs
  • Read attribute value change logs
  • Read attribute definition change logs
  • Read attribute assignment change logs

Common use cases

  • Attribute change monitoring
  • Compliance auditing for attribute assignments
  • Security investigation support
  • Reviewing attribute definition changes
  • Attribute governance oversight

Best practices

  • Use instead of Attribute Log Administrator when diagnostic settings are not needed
  • Pair with Attribute Assignment Reader for full attribute visibility
  • Integrate audit log review into regular governance cycles
  • Document which teams hold this role

Security considerations

  • Read-only role — cannot configure diagnostic settings
  • Audit logs may reveal sensitive attribute classifications
  • Cannot read audit logs for non-attribute events
  • By default Global Admin cannot read custom security attribute audit logs

Common questions

When should I assign the Attribute Log Reader role?

Assign Attribute Log Reader when you need to: Attribute change monitoring; Compliance auditing for attribute assignments; Security investigation support; Reviewing attribute definition changes; and Attribute governance oversight. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Attribute Log Reader role do?

The Attribute Log Reader role grants permissions including: Read custom security attribute audit logs; Read attribute value change logs; Read attribute definition change logs; and Read attribute assignment change logs. See the Permissions section above for the full list.

What are the security risks of the Attribute Log Reader role?

Key considerations when assigning Attribute Log Reader: Read-only role — cannot configure diagnostic settings; Audit logs may reveal sensitive attribute classifications; Cannot read audit logs for non-attribute events; and By default Global Admin cannot read custom security attribute audit logs. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →