Microsoft Entra ID · Reporting & Knowledge
Reports Reader
Can read sign-in and audit reports, and view the Microsoft Agent 365 overview and agent registry for the tenant including agent metadata. Ideal for compliance and security monitoring without broader administrative permissions.
Scope: Read-only access to sign-in activity, audit logs, and Microsoft 365 usage reports
Permissions
- Read sign-in reports
- Read audit logs
- Read usage reports
- Read M365 usage analytics
- View Microsoft Agent 365 overview and agent registry with full agent metadata
- Access reporting dashboards
- Export report data
Common use cases
- Security monitoring and alerting
- Compliance reporting
- Usage analytics review
- Audit log analysis
- Sign-in pattern investigation
- License utilization reporting
Best practices
- Use for dedicated monitoring personnel
- Combine with Security Reader for full visibility
- Create scheduled report exports
- Set up log analytics for advanced queries
- Document baseline normal activity
Security considerations
- Read-only role with no modification capability
- Can view sensitive user activity data
- Sign-in data may reveal user behavior patterns
- Audit logs may contain configuration details
Common questions
When should I assign the Reports Reader role?
Assign Reports Reader when you need to: Security monitoring and alerting; Compliance reporting; Usage analytics review; Audit log analysis; and Sign-in pattern investigation. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Reports Reader role do?
The Reports Reader role grants permissions including: Read sign-in reports; Read audit logs; Read usage reports; Read M365 usage analytics; View Microsoft Agent 365 overview and agent registry with full agent metadata; and Access reporting dashboards. See the Permissions section above for the full list.
What are the security risks of the Reports Reader role?
Key considerations when assigning Reports Reader: Read-only role with no modification capability; Can view sensitive user activity data; Sign-in data may reveal user behavior patterns; and Audit logs may contain configuration details. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.