Microsoft Entra ID · Identity Protection
Identity Protection Read Access
Responsibility profile, not a standalone Microsoft Entra role. Security Reader is the least-privileged role for Identity Protection configuration, risk detections, and risky-user reports.
Scope: Identity Protection read responsibilities provided by Security Reader or broader reader roles
Permissions
- IDP Data - Read all Identity Protection data
- Risk Reports - View Identity Protection risk reports
- Risk Detections - Read risk detection details and algorithms
- Risky Users - View risky users and sign-ins list
- IDP Policies - Read Identity Protection policies configuration
- Risk Trends - Access risk trend reports
- Workload Identity - View workload identity risks
- Limitation - Cannot modify policies or dismiss risks
- Limitation - Cannot confirm user compromise
Common use cases
- Security monitoring and oversight
- Compliance auditing and reporting
- Risk assessment visibility for leadership
- Executive security dashboards
- Third-party security assessment support
- Risk trend analysis for planning
- Security posture reporting
Best practices
- Use for SOC analysts needing visibility without action
- Assign to compliance officers for risk visibility
- Consider for security leadership dashboards
- Use PIM for just-in-time access
- Document purpose of each assignment
- Review access quarterly
Security considerations
- Can view sensitive risk information
- Access includes details about compromised accounts
- Consider data exposure for external assessors
- Audit access to risk reports
- Cannot take action on risks (feature, not bug)
Common questions
When should I assign the Identity Protection Read Access role?
Assign Identity Protection Read Access when you need to: Security monitoring and oversight; Compliance auditing and reporting; Risk assessment visibility for leadership; Executive security dashboards; and Third-party security assessment support. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Identity Protection Read Access role do?
The Identity Protection Read Access role grants permissions including: IDP Data - Read all Identity Protection data; Risk Reports - View Identity Protection risk reports; Risk Detections - Read risk detection details and algorithms; Risky Users - View risky users and sign-ins list; IDP Policies - Read Identity Protection policies configuration; and Risk Trends - Access risk trend reports. See the Permissions section above for the full list.
What are the security risks of the Identity Protection Read Access role?
Key considerations when assigning Identity Protection Read Access: Can view sensitive risk information; Access includes details about compromised accounts; Consider data exposure for external assessors; and Audit access to risk reports. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.