Microsoft Entra ID · Remaining Built-in Roles
Directory Readers
Can read basic directory information. Commonly used to grant directory read access to service principals and guest users.
Scope: Read-only access to basic directory objects and properties
Permissions
- Admin Units - Read administrative unit members
- Admin Units - Read administrative unit properties
- Applications - Read application owners
- Applications - Read application policies
- Applications - Read standard app properties
- Contacts - Read contact group memberships
- Contacts - Read contact properties
- Contracts - Read contract properties
- Devices - Read device group memberships
- Devices - Read device owners
- Devices - Read device users
- Devices - Read device properties
- Roles - Read eligible role members
- Roles - Read role members
- Groups - Read group memberships
- Groups - Read group members
- Groups - Read group properties
- Organization - Read organization properties
- Users - Read user properties
Common use cases
- Service accounts needing directory lookups (for example, the identity of an Azure SQL logical server needs this role to create Microsoft Entra logins and users in its databases)
- Applications integrating with Entra ID
- Guest users who need the same directory visibility as members (by default the tenant's guest access setting restricts what a guest can read)
- Reporting applications reading directory data
- HR systems synchronizing user data
- Directory synchronization services
- Address book population for email clients
Best practices
- Assign to service principals for app integration
- Treat it as the minimum role for directory lookups; do not reach for Directory Writers or Global Reader when basic read is enough
- Use for guests only when they genuinely need member-equivalent read beyond the default guest access restriction
- Prefer managed identities for Azure services
- Review assignments periodically
- Document purpose of each assignment
- For applications calling Microsoft Graph, weigh this role against a Graph permission: an application permission such as Directory.Read.All gives app-only read with the same standing exposure, while delegated permissions limit the app to what the signed-in user can see
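The periodic review above is easiest to do from the unified role-management API rather than by clicking through the portal. The script below is an added example, not code from Microsoft or from this page: it resolves the role by display name, pages through every assignment with the principal expanded, fills in userType for users (the expanded principal carries only default properties), and buckets holders into service principals, guests, members and groups. Token acquisition is out of scope and the permissions named (RoleManagement.Read.Directory, User.Read.All) are an assumption about the least required; the sample records are constructed so the classifier runs offline.

```python
"""Review who holds Directory Readers (added example, not Microsoft's code).

Calls the Microsoft Graph v1.0 unified role-management API:
  GET /roleManagement/directory/roleDefinitions?$filter=displayName eq '...'
  GET /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '...'&$expand=principal
Pass a bearer token (assumed permissions: RoleManagement.Read.Directory and
User.Read.All). SAMPLE_ASSIGNMENTS is constructed in the response shape.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def _get(token, url):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _get_all(token, url):
    """Follow @odata.nextLink so assignments in a large tenant are not truncated."""
    while url:
        page = _get(token, url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def fetch_directory_readers_assignments(token):
    """Return every Directory Readers assignment with its principal expanded."""
    q = urllib.parse.quote("displayName eq 'Directory Readers'")
    defs = list(_get_all(token, f"{GRAPH}/roleManagement/directory/roleDefinitions?$filter={q}"))
    if not defs:
        raise RuntimeError("Directory Readers role definition not found")
    q = urllib.parse.quote(f"roleDefinitionId eq '{defs[0]['id']}'")
    url = f"{GRAPH}/roleManagement/directory/roleAssignments?$filter={q}&$expand=principal"
    records = []
    for a in _get_all(token, url):
        p = a["principal"]
        # $expand returns only default properties; userType is not one of them,
        # so look it up to tell guests from members.
        if p.get("@odata.type") == "#microsoft.graph.user" and "userType" not in p:
            p["userType"] = _get(token, f"{GRAPH}/users/{p['id']}?$select=userType").get("userType")
        records.append(a)
    return records


def classify_assignments(assignments):
    """Bucket assignments by principal kind; AU-scoped assignments are marked."""
    buckets = {"servicePrincipal": [], "guest": [], "member": [], "group": [], "other": []}
    for a in assignments:
        p = a.get("principal", {})
        label = p.get("displayName") or p.get("userPrincipalName") or p.get("id", "?")
        scope = a.get("directoryScopeId", "/")
        if scope != "/":
            label += f" (scope {scope})"
        kind = p.get("@odata.type", "")
        if kind == "#microsoft.graph.servicePrincipal":
            buckets["servicePrincipal"].append(label)
        elif kind == "#microsoft.graph.user":
            buckets["guest" if p.get("userType") == "Guest" else "member"].append(label)
        elif kind == "#microsoft.graph.group":
            buckets["group"].append(label)
        else:
            buckets["other"].append(label)
    return buckets


# Constructed sample in the response shape (fabricated ids and names).
SAMPLE_ASSIGNMENTS = [
    {"directoryScopeId": "/", "principal": {"@odata.type": "#microsoft.graph.servicePrincipal",
     "id": "00000000-0000-0000-0000-000000000001", "displayName": "hr-sync"}},
    {"directoryScopeId": "/", "principal": {"@odata.type": "#microsoft.graph.user",
     "id": "00000000-0000-0000-0000-000000000002",
     "userPrincipalName": "partner_contoso.com#EXT#@fabrikam.onmicrosoft.com", "userType": "Guest"}},
    {"directoryScopeId": "/administrativeUnits/00000000-0000-0000-0000-000000000009",
     "principal": {"@odata.type": "#microsoft.graph.user",
     "id": "00000000-0000-0000-0000-000000000003",
     "userPrincipalName": "alice@fabrikam.onmicrosoft.com", "userType": "Member"}},
]

if __name__ == "__main__":
    for kind, names in classify_assignments(SAMPLE_ASSIGNMENTS).items():
        print(f"{kind}: {names}")
```

Run it against live data with classify_assignments(fetch_directory_readers_assignments(token)); the guest and servicePrincipal buckets are the ones to justify and document per assignment, and any entry carrying a scope suffix is an administrative-unit-scoped grant rather than a tenant-wide one.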
Security considerations
- Reads are not harmless: the role exposes the full user, group, device and application inventory plus the membership of every directory role, so a compromised principal holding it can map who holds Global Administrator and other privileged roles without any write access
- Consider data exposure for sensitive directories: standard user properties such as job titles and phone numbers, and every group membership, are readable to each holder
- Monitor Microsoft Graph activity for principals that page through whole collections (users, groups, role members) rather than doing point lookups; bulk enumeration by a service principal that normally resolves a handful of objects is a reconnaissance signal
- Review service principal assignments: a leaked client secret or certificate inherits this role, so the application's credential handling bounds the exposure
- Conditional Access for workload identities can restrict the locations from which a service principal holding this role may sign in (it applies to single-tenant service principals and requires a Workload Identities Premium license)
- If the directory is sensitive, do not assign this role to guests at all; keep the tenant's guest user access restriction (External collaboration settings) in place rather than granting guests member-equivalent read
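The monitoring point above turns into detection logic once the distinction between point lookups and collection enumeration is made explicit. The block below is an added example, not code from the page or from Microsoft; it runs over constructed records in the rough shape of Microsoft Graph activity log entries (the MicrosoftGraphActivityLogs table in Log Analytics), and only the field names it touches (TimeGenerated, ServicePrincipalId, UserId, RequestMethod, RequestUri, ResponseStatusCode) are assumed. It normalizes request paths, counts successful GETs against bare collections inside a sliding window, and separately flags any read of role membership, since that is the query an attacker with this role makes first. The threshold is illustrative.

```python
"""Flag principals that enumerate the directory at scale (added example).

Records mimic Microsoft Graph activity log entries; field names are assumed.
Thresholds are illustrative and should be tuned to the tenant's baseline.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
# Collections readable with Directory Readers that matter for reconnaissance.
ENUM_COLLECTIONS = {"users", "groups", "devices", "applications",
                    "servicePrincipals", "directoryRoles", "administrativeUnits"}
ROLE_MEMBER_PATTERNS = ("/directoryRoles/{id}/members",
                        "/roleManagement/directory/roleAssignments")


def normalize(request_uri):
    """Drop host and API version, replace object ids, so paths compare equal."""
    path = urlparse(request_uri).path
    path = re.sub(r"^/(v1\.0|beta)", "", path)
    return GUID.sub("{id}", path)


def is_enumeration(path):
    """A GET on a bare collection (no trailing id) pages through objects."""
    parts = [p for p in path.split("/") if p]
    return bool(parts) and parts[-1] in ENUM_COLLECTIONS


def is_role_membership(path):
    return any(path.startswith(p) for p in ROLE_MEMBER_PATTERNS)


def find_excessive_readers(records, window=timedelta(minutes=10), enum_threshold=20):
    """Return {principal: [reasons]} for principals whose reads look like recon."""
    by_principal = defaultdict(list)
    for r in records:
        # Only successful GETs return directory data; skip writes and failures.
        if r.get("RequestMethod", "GET") != "GET" or int(r.get("ResponseStatusCode", 200)) >= 400:
            continue
        principal = r.get("ServicePrincipalId") or r.get("UserId") or "unknown"
        by_principal[principal].append(
            (datetime.fromisoformat(r["TimeGenerated"]), normalize(r["RequestUri"])))
    findings = {}
    for principal, events in by_principal.items():
        events.sort()
        reasons = []
        enum_times = [t for t, p in events if is_enumeration(p)]
        peak, start = 0, 0  # most enumeration calls seen inside one window
        for end in range(len(enum_times)):
            while enum_times[end] - enum_times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > enum_threshold:
            reasons.append(f"{peak} collection enumerations within {window}")
        role_reads = Counter(p for _, p in events if is_role_membership(p))
        if role_reads:
            reasons.append(f"read role membership: {dict(role_reads)}")
        if reasons:
            findings[principal] = reasons
    return findings


def sample_records():
    """Constructed log lines (fabricated ids): a lookup app and a scraping app."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    oid = "11111111-2222-3333-4444-555555555555"
    recs = []
    for i in range(5):  # normal: a few point lookups by object id
        recs.append({"TimeGenerated": (base + timedelta(seconds=30 * i)).isoformat(),
                     "ServicePrincipalId": "sp-lookup", "RequestMethod": "GET",
                     "ResponseStatusCode": 200,
                     "RequestUri": f"https://graph.microsoft.com/v1.0/users/{oid}?$select=id"})
    recs.append({"TimeGenerated": base.isoformat(), "ServicePrincipalId": "sp-lookup",
                 "RequestMethod": "GET", "ResponseStatusCode": 403,  # denied, returns nothing
                 "RequestUri": "https://graph.microsoft.com/v1.0/users"})
    for i in range(25):  # suspicious: paging through every user and group in minutes
        coll = "users" if i % 2 == 0 else "groups"
        recs.append({"TimeGenerated": (base + timedelta(seconds=10 * i)).isoformat(),
                     "ServicePrincipalId": "sp-scraper", "RequestMethod": "GET",
                     "ResponseStatusCode": 200,
                     "RequestUri": f"https://graph.microsoft.com/v1.0/{coll}?$top=999&$skiptoken=x{i}"})
    recs.append({"TimeGenerated": (base + timedelta(seconds=300)).isoformat(),
                 "ServicePrincipalId": "sp-scraper", "RequestMethod": "GET",
                 "ResponseStatusCode": 200,
                 "RequestUri": f"https://graph.microsoft.com/v1.0/directoryRoles/{oid}/members"})
    return recs


if __name__ == "__main__":
    for principal, reasons in find_excessive_readers(sample_records()).items():
        print(principal, "->", "; ".join(reasons))
```

The lookup app is never flagged because resolving individual objects by id is what a well-behaved integration does, and its denied request is ignored because a 403 returns no data; the scraping app is flagged twice, once for volume and once for touching role membership, which deserves a separate alert even at low volume.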