Microsoft Entra ID · Remaining Built-in Roles

Security Reader

Can read security information and reports across Microsoft Entra ID, Identity Protection, Privileged Identity Management, and Microsoft 365 Defender.

Scope: Organization-wide read-only security access including Identity Protection, Defender, and PIM

Permissions

  • Audit - Read audit logs
  • Authorization - Read authorization policy
  • BitLocker - Read BitLocker recovery keys
  • Conditional Access - Read Conditional Access policies
  • Cross-Tenant - Read cross-tenant policy
  • Device Credentials - Read device local credentials
  • Identity Protection - Read Identity Protection data
  • Named Locations - Read named locations
  • Policies - Read policies
  • PIM - Read PIM data
  • Provisioning - Read provisioning logs
  • Sign-in Reports - Read sign-in reports
  • Service Health - Manage Azure service health
  • Cloud PC - Read Cloud PC properties
  • Protection Center - Read protection center
  • Security Center - Read Security & Compliance Center
  • M365 Health - Manage M365 service health
  • Admin Center - Read admin center
  • Defender Portal - Access Microsoft Defender portal (read-only)

Common use cases

  • Security analysts monitoring threats
  • Compliance officers reviewing security posture
  • Helpdesk staff investigating sign-in issues
  • SOC analysts reviewing security alerts
  • Auditors reviewing security configurations
  • Incident response team members
  • Security awareness program managers
  • Risk assessment analysts
  • Third-party security assessors (with caution)

Best practices

  • Use for SOC analysts and security monitors
  • Assign instead of Security Admin for read-only needs
  • Combine with specific reader roles for focused access
  • Consider for compliance and audit personnel
  • Use PIM for just-in-time access
  • Document business justification for access
  • Review assignments quarterly
  • Train assignees on data sensitivity

Security considerations

  • Can read sensitive security information
  • Can access BitLocker recovery keys
  • Can view Conditional Access policies
  • Can see Identity Protection risk detections
  • Can view PIM role assignments and history
  • Audit access to security reports
  • Consider data exposure implications
  • Monitor for excessive report generation
