Microsoft Entra ID · Remaining Built-in Roles
Directory Readers
Can read basic directory information. Commonly used to grant directory read access to service principals and guest users.
Scope: Read-only access to basic directory objects and properties
Permissions
- Admin Units - Read administrative unit members
- Admin Units - Read administrative unit properties
- Applications - Read application owners
- Applications - Read application policies
- Applications - Read standard app properties
- Contacts - Read contact group memberships
- Contacts - Read contact properties
- Contracts - Read contract properties
- Devices - Read device group memberships
- Devices - Read device owners
- Devices - Read device users
- Devices - Read device properties
- Roles - Read eligible role members
- Roles - Read role members
- Groups - Read group memberships
- Groups - Read group members
- Groups - Read group properties
- Organization - Read organization properties
- Users - Read user properties
Common use cases
- Service accounts needing directory lookups
- Applications integrating with Entra ID
- Guest users needing directory visibility
- Reporting applications reading directory data
- HR systems synchronizing user data
- Directory synchronization services
- Address book population for email clients
Best practices
- Assign to service principals for app integration
- Minimum role for directory lookups
- Use for guest user baseline access when needed
- Prefer managed identities for Azure services
- Review assignments periodically
- Document purpose of each assignment
- Consider application permissions vs delegated for apps
Security considerations
- Can read user and group information
- Consider data exposure for sensitive directories
- Monitor for excessive directory queries
- Review service principal assignments
- Consider conditional access for service principals
- Limit guest user directory visibility if sensitive
Common questions
When should I assign the Directory Readers role?
Assign Directory Readers when you need to: Service accounts needing directory lookups; Applications integrating with Entra ID; Guest users needing directory visibility; Reporting applications reading directory data; and HR systems synchronizing user data. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Directory Readers role do?
The Directory Readers role grants permissions including: Admin Units - Read administrative unit members; Admin Units - Read administrative unit properties; Applications - Read application owners; Applications - Read application policies; Applications - Read standard app properties; and Contacts - Read contact group memberships. See the Permissions section above for the full list.
What are the security risks of the Directory Readers role?
Key considerations when assigning Directory Readers: Can read user and group information; Consider data exposure for sensitive directories; Monitor for excessive directory queries; and Review service principal assignments. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.