Microsoft Entra ID · Identity Governance
Attribute Provisioning Reader
Reads the provisioning configuration of custom security attributes for applications.
Scope: Read-only access to custom security attribute provisioning configuration
Permissions
- Read custom security attributes in sync schema
- Read provisioning logs for attributes
Common use cases
- Reviewing attribute provisioning setup
- Auditing attribute flows
- Troubleshooting (read-only)
Best practices
- Use for audit scenarios
- Combine with higher roles for troubleshooting
Security considerations
- Can see attribute configuration details
Common questions
When should I assign the Attribute Provisioning Reader role?
Assign Attribute Provisioning Reader when you need to: Reviewing attribute provisioning setup; Auditing attribute flows; and Troubleshooting (read-only). It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Attribute Provisioning Reader role do?
The Attribute Provisioning Reader role grants permissions including: Read custom security attributes in sync schema; and Read provisioning logs for attributes. See the Permissions section above for the full list.
What are the security risks of the Attribute Provisioning Reader role?
Key considerations when assigning Attribute Provisioning Reader: Can see attribute configuration details. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.