Microsoft Entra ID · Remaining Built-in Roles

Directory Readers

Can read basic directory information. Commonly used to grant directory read access to service principals and guest users.

Scope: Read-only access to basic directory objects and properties

Permissions

  • Admin Units - Read administrative unit members
  • Admin Units - Read administrative unit properties
  • Applications - Read application owners
  • Applications - Read application policies
  • Applications - Read standard app properties
  • Contacts - Read contact group memberships
  • Contacts - Read contact properties
  • Contracts - Read contract properties
  • Devices - Read device group memberships
  • Devices - Read device owners
  • Devices - Read device users
  • Devices - Read device properties
  • Roles - Read eligible role members
  • Roles - Read role members
  • Groups - Read group memberships
  • Groups - Read group members
  • Groups - Read group properties
  • Organization - Read organization properties
  • Users - Read user properties

Common use cases

  • Service accounts needing directory lookups
  • Applications integrating with Entra ID
  • Guest users needing directory visibility
  • Reporting applications reading directory data
  • HR systems synchronizing user data
  • Directory synchronization services
  • Address book population for email clients

Best practices

  • Assign to service principals for app integration
  • Minimum role for directory lookups
  • Use for guest user baseline access when needed
  • Prefer managed identities for Azure services
  • Review assignments periodically
  • Document purpose of each assignment
  • Consider application permissions vs delegated for apps

Security considerations

  • Can read user and group information
  • Consider data exposure for sensitive directories
  • Monitor for excessive directory queries
  • Review service principal assignments
  • Consider conditional access for service principals
  • Limit guest user directory visibility if sensitive

Common questions

When should I assign the Directory Readers role?

Assign Directory Readers when you need to: Service accounts needing directory lookups; Applications integrating with Entra ID; Guest users needing directory visibility; Reporting applications reading directory data; and HR systems synchronizing user data. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Directory Readers role do?

The Directory Readers role grants permissions including: Admin Units - Read administrative unit members; Admin Units - Read administrative unit properties; Applications - Read application owners; Applications - Read application policies; Applications - Read standard app properties; and Contacts - Read contact group memberships. See the Permissions section above for the full list.

What are the security risks of the Directory Readers role?

Key considerations when assigning Directory Readers: Can read user and group information; Consider data exposure for sensitive directories; Monitor for excessive directory queries; and Review service principal assignments. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →