Microsoft Entra ID · Identity Protection
Identity Protection Reader
Can read Identity Protection reports, risk detections, and configurations but cannot remediate risks or modify policies. Requires Microsoft Entra ID P2 license.
Scope: Read-only access to all Identity Protection data and configurations
Permissions
- IDP Data - Read all Identity Protection data
- Risk Reports - View Identity Protection risk reports
- Risk Detections - Read risk detection details and algorithms
- Risky Users - View risky users and sign-ins list
- IDP Policies - Read Identity Protection policies configuration
- Risk Trends - Access risk trend reports
- Workload Identity - View workload identity risks
- Limitation - Cannot modify policies or dismiss risks
- Limitation - Cannot confirm user compromise
Common use cases
- Security monitoring and oversight
- Compliance auditing and reporting
- Risk assessment visibility for leadership
- Executive security dashboards
- Third-party security assessment support
- Risk trend analysis for planning
- Security posture reporting
Best practices
- Use for SOC analysts who need visibility without the ability to act on risks
- Assign to compliance officers for risk visibility
- Consider for security leadership dashboards
- Use PIM for just-in-time access
- Document purpose of each assignment
- Review access quarterly
Security considerations
- Can view sensitive risk information
- Access includes details about compromised accounts
- Consider data exposure when assigning to external assessors
- Audit access to risk reports
- Cannot take action on risks (feature, not bug)