Microsoft Entra ID · Remaining Built-in Roles

Global Reader

Can read everything a Global Administrator can read, but cannot update anything. This is a PRIVILEGED role: the information it exposes can be used to plan attacks.

Scope: Organization-wide read-only access across all Microsoft Entra ID and Microsoft 365 services

Permissions

  • Directory Objects - Read all directory objects and properties
  • Service Health - Read Azure Service Health
  • Billing - Read billing information
  • Message Center - Read Message Center
  • Network - Read network performance
  • Security & Compliance - Read Security & Compliance
  • M365 Health - Read M365 Service Health
  • Usage Reports - Read usage reports
  • Conditional Access - Read all Conditional Access policies and settings
  • Identity Protection - Read all Identity Protection configurations
  • PIM - Read PIM settings and assignments
  • Audit Logs - Read all audit logs and sign-in reports
  • Applications - Read all application registrations and enterprise apps
  • Users & Groups - Read all user and group properties
  • Agents - View insights, organization data, and the agent registry in Microsoft Agent 365 (cannot install, modify, or approve agents)
  • Limitation - Cannot make any modifications to any settings

Common use cases

  • Security auditing and compliance reviews
  • IT managers needing visibility without edit rights
  • Consultants and contractors reviewing tenant configuration
  • Helpdesk supervisors monitoring settings
  • Executive dashboards and reporting access
  • Third-party security assessments
  • Configuration documentation and review
  • Monitoring for unauthorized changes
  • Compliance officer access for reviews
  • Vendor security questionnaire completion

Best practices

  • Use instead of Global Admin for read-only scenarios
  • Assign to auditors and compliance officers
  • Consider for executives needing visibility
  • Use for configuration review and documentation
  • Assign to security consultants for assessments
  • Consider PIM (just-in-time activation) even for this read-only role, for compliance and audit trail
  • Review assignments periodically for necessity
  • Combine with a narrowly scoped admin role when limited write access is needed
  • Use for monitoring dashboards and reports
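Added example (not part of the RBACMap page): a Microsoft Graph PowerShell audit that lists Global Reader assignments and flags standing (non-PIM) ones for review, following the PIM and periodic-review practices above. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read role assignments (RoleManagement.Read.Directory and Directory.Read.All).

```powershell
# Added example, not from the RBACMap page: audit how Global Reader is assigned.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller holds
# RoleManagement.Read.Directory and Directory.Read.All on the tenant.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

# Resolve the role by display name instead of hard-coding its template ID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
if (-not $role) { throw "Global Reader role definition not found in this tenant" }

# Active instances include permanent ("Assigned") and PIM-activated ("Activated") ones.
$active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All

# PIM-eligible assignments: the preferred pattern for a privileged read-only role.
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "roleDefinitionId eq '$($role.Id)'" -All

# Standing = a direct assignment with no end date; it bypasses PIM activation entirely.
$standing = @($active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime })

Write-Host ("Global Reader: {0} standing, {1} time-bound or activated, {2} PIM-eligible" -f `
    $standing.Count, (@($active).Count - $standing.Count), @($eligible).Count)

# Resolve each standing principal so the report names users, groups or service principals.
$standing | ForEach-Object {
    $p = Get-MgDirectoryObject -DirectoryObjectId $_.PrincipalId
    [pscustomobject]@{
        Principal = $p.AdditionalProperties['displayName']
        Type      = ($p.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Scope     = $_.DirectoryScopeId   # '/' means tenant-wide
        Finding   = 'Standing Global Reader; convert to PIM-eligible or remove if no longer needed'
    }
} | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run to catch new standing assignments; group-based assignments show up as a single group principal, so expand group membership separately if you need the per-user view.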

Security considerations

  • Can read all configuration including security settings
  • Can view all user properties and group memberships
  • Can see all Conditional Access policies, exposing gaps that could be used to bypass them
  • Has access to audit logs containing sensitive activity
  • Can read all application configurations and secrets metadata
  • Information gathered could be used for attack planning
  • Consider data classification sensitivity before assigning
  • Monitor for data exfiltration through export capabilities
  • Still requires proper vetting despite read-only status
