Microsoft Entra ID · Identity Governance

Attribute Log Reader

Read audit logs for custom security attribute value changes, definition changes, and assignments. Cannot configure diagnostic settings or read other audit log types.

Scope: Read-only access to audit logs related to custom security attributes

Permissions

Read custom security attribute audit logs
Read attribute value change logs
Read attribute definition change logs
Read attribute assignment change logs

Common use cases

Attribute change monitoring
Compliance auditing for attribute assignments
Security investigation support
Reviewing attribute definition changes
Attribute governance oversight

Best practices

Use instead of Attribute Log Administrator when diagnostic settings are not needed
Pair with Attribute Assignment Reader for full attribute visibility
Integrate audit log review into regular governance cycles
Document which teams hold this role

Security considerations

Read-only role — cannot configure diagnostic settings
Audit logs may reveal sensitive attribute classifications
Cannot read audit logs for non-attribute events
By default Global Admin cannot read custom security attribute audit logs

Official Microsoft Learn documentation →

Open the interactive RBACMap →