Microsoft Entra ID · Identity Protection

Identity Protection Read Access

Responsibility profile, not a standalone Microsoft Entra role. Security Reader is the least-privileged role for Identity Protection configuration, risk detections, and risky-user reports.

Scope: Identity Protection read responsibilities provided by Security Reader or broader reader roles

Permissions

  • IDP Data - Read all Identity Protection data
  • Risk Reports - View Identity Protection risk reports
  • Risk Detections - Read risk detection details and algorithms
  • Risky Users - View risky users and sign-ins list
  • IDP Policies - Read Identity Protection policies configuration
  • Risk Trends - Access risk trend reports
  • Workload Identity - View workload identity risks
  • Limitation - Cannot modify policies or dismiss risks
  • Limitation - Cannot confirm user compromise

Common use cases

  • Security monitoring and oversight
  • Compliance auditing and reporting
  • Risk assessment visibility for leadership
  • Executive security dashboards
  • Third-party security assessment support
  • Risk trend analysis for planning
  • Security posture reporting

Best practices

  • Use for SOC analysts needing visibility without action
  • Assign to compliance officers for risk visibility
  • Consider for security leadership dashboards
  • Use PIM for just-in-time access
  • Document purpose of each assignment
  • Review access quarterly

Security considerations

  • Can view sensitive risk information
  • Access includes details about compromised accounts
  • Consider data exposure for external assessors
  • Audit access to risk reports
  • Cannot take action on risks (feature, not bug)

Common questions

When should I assign the Identity Protection Read Access role?

Assign Identity Protection Read Access when you need to: Security monitoring and oversight; Compliance auditing and reporting; Risk assessment visibility for leadership; Executive security dashboards; and Third-party security assessment support. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Identity Protection Read Access role do?

The Identity Protection Read Access role grants permissions including: IDP Data - Read all Identity Protection data; Risk Reports - View Identity Protection risk reports; Risk Detections - Read risk detection details and algorithms; Risky Users - View risky users and sign-ins list; IDP Policies - Read Identity Protection policies configuration; and Risk Trends - Access risk trend reports. See the Permissions section above for the full list.

What are the security risks of the Identity Protection Read Access role?

Key considerations when assigning Identity Protection Read Access: Can view sensitive risk information; Access includes details about compromised accounts; Consider data exposure for external assessors; and Audit access to risk reports. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →