Microsoft Entra ID · Identity Governance
Attribute Assignment Reader
Read custom security attribute keys and values for supported Microsoft Entra objects.
Scope: Read-only access to custom security attribute definitions and assignments
Permissions
- Read attribute sets
- Read custom security attribute definitions
- Read attribute values on users
- Read attribute values on service principals
- Read attribute values on devices
Common use cases
- Attribute value verification
- Reporting on attribute assignments
- Application attribute lookup
- Compliance reporting
- Access decision support
Best practices
- Use for read-only scenarios
- Combine with other reader roles as needed
- Document access requirements
Security considerations
- Read-only role
- Attribute values may be sensitive
- Consider scope of visibility needed
Common questions
When should I assign the Attribute Assignment Reader role?
Assign Attribute Assignment Reader when you need to: Attribute value verification; Reporting on attribute assignments; Application attribute lookup; Compliance reporting; and Access decision support. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Attribute Assignment Reader role do?
The Attribute Assignment Reader role grants permissions including: Read attribute sets; Read custom security attribute definitions; Read attribute values on users; Read attribute values on service principals; and Read attribute values on devices. See the Permissions section above for the full list.
What are the security risks of the Attribute Assignment Reader role?
Key considerations when assigning Attribute Assignment Reader: Read-only role; Attribute values may be sensitive; and Consider scope of visibility needed. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.