Microsoft Entra ID · Remaining Built-in Roles
Global Reader
Can read everything that a Global Administrator can read, but cannot update anything. This is a PRIVILEGED role - the information visible can be used to plan attacks.
Scope: Organization-wide read-only access across all Microsoft Entra ID and Microsoft 365 services
Permissions
- Directory Objects - Read all directory objects and properties
- Service Health - Read Azure Service Health
- Billing - Read billing information
- Message Center - Read Message Center
- Network - Read network performance
- Security & Compliance - Read Security & Compliance
- M365 Health - Read M365 Service Health
- Usage Reports - Read usage reports
- Conditional Access - Read all Conditional Access policies and settings
- Identity Protection - Read all Identity Protection configurations
- PIM - Read PIM settings and assignments
- Audit Logs - Read all audit logs and sign-in reports
- Applications - Read all application registrations and enterprise apps
- Users & Groups - Read all user and group properties
- Agents - View insights, organization data, and the agent registry in Microsoft Agent 365 (cannot install, modify, or approve agents)
- Limitation - Cannot make any modifications to any settings
Common use cases
- Security auditing and compliance reviews
- IT managers needing visibility without edit rights
- Consultants and contractors reviewing tenant configuration
- Helpdesk supervisors monitoring settings
- Executive dashboards and reporting access
- Third-party security assessments
- Configuration documentation and review
- Monitoring for unauthorized changes
- Compliance officer access for reviews
- Vendor security questionnaire completion
Best practices
- Use instead of Global Admin for read-only scenarios
- Assign to auditors and compliance officers
- Consider for executives needing visibility
- Use for configuration review and documentation
- Assign to security consultants for assessments
- Consider PIM even for read-only for compliance
- Review assignments periodically for necessity
- Combine with specific admin roles when limited write needed
- Use for monitoring dashboards and reports
Security considerations
- Can read all configuration including security settings
- Can view all user properties and group memberships
- Can see all Conditional Access policies (potential bypass info)
- Has access to audit logs containing sensitive activity
- Can read all application configurations and secrets metadata
- Information gathered could be used for attack planning
- Consider data classification sensitivity before assigning
- Monitor for data exfiltration through export capabilities
- Still requires proper vetting despite read-only status
Common questions
When should I assign the Global Reader role?
Assign Global Reader when you need to: Security auditing and compliance reviews; IT managers needing visibility without edit rights; Consultants and contractors reviewing tenant configuration; Helpdesk supervisors monitoring settings; and Executive dashboards and reporting access. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Global Reader role do?
The Global Reader role grants permissions including: Directory Objects - Read all directory objects and properties; Service Health - Read Azure Service Health; Billing - Read billing information; Message Center - Read Message Center; Network - Read network performance; and Security & Compliance - Read Security & Compliance. See the Permissions section above for the full list.
What are the security risks of the Global Reader role?
Key considerations when assigning Global Reader: Can read all configuration including security settings; Can view all user properties and group memberships; Can see all Conditional Access policies (potential bypass info); and Has access to audit logs containing sensitive activity. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.