Microsoft Entra ID · Remaining Built-in Roles
Security Reader
Can read security information and reports across Microsoft Entra ID, Identity Protection, Privileged Identity Management, and Microsoft 365 Defender.
Scope: Organization-wide read-only security access including Identity Protection, Defender, and PIM
Permissions
- Audit - Read audit logs
- Authorization - Read authorization policy
- BitLocker - Read BitLocker recovery keys
- Conditional Access - Read Conditional Access policies
- Cross-Tenant - Read cross-tenant policy
- Device Credentials - Read device local credentials
- Identity Protection - Read Identity Protection data
- Named Locations - Read named locations
- Policies - Read policies
- PIM - Read PIM data
- Provisioning - Read provisioning logs
- Sign-in Reports - Read sign-in reports
- Service Health - Manage Azure service health
- Cloud PC - Read Cloud PC properties
- Protection Center - Read protection center
- Security Center - Read Security & Compliance Center
- M365 Health - Manage M365 service health
- Admin Center - Read admin center
- Defender Portal - Access Microsoft Defender portal (read-only)
Common use cases
- Security analysts monitoring threats
- Compliance officers reviewing security posture
- Helpdesk staff investigating sign-in issues
- SOC analysts reviewing security alerts
- Auditors reviewing security configurations
- Incident response team members
- Security awareness program managers
- Risk assessment analysts
- Third-party security assessors (with caution)
Best practices
- Use for SOC analysts and security monitors
- Assign instead of Security Admin for read-only needs
- Combine with specific reader roles for focused access
- Consider for compliance and audit personnel
- Use PIM for just-in-time access
- Document business justification for access
- Review assignments quarterly
- Train assignees on data sensitivity
Security considerations
- Can read sensitive security information
- Can access BitLocker recovery keys
- Can view Conditional Access policies
- Can see Identity Protection risk detections
- Can view PIM role assignments and history
- Audit access to security reports
- Consider data exposure implications
- Monitor for excessive report generation
Common questions
When should I assign the Security Reader role?
Assign Security Reader when you need to: Security analysts monitoring threats; Compliance officers reviewing security posture; Helpdesk staff investigating sign-in issues; SOC analysts reviewing security alerts; and Auditors reviewing security configurations. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Security Reader role do?
The Security Reader role grants permissions including: Audit - Read audit logs; Authorization - Read authorization policy; BitLocker - Read BitLocker recovery keys; Conditional Access - Read Conditional Access policies; Cross-Tenant - Read cross-tenant policy; and Device Credentials - Read device local credentials. See the Permissions section above for the full list.
What are the security risks of the Security Reader role?
Key considerations when assigning Security Reader: Can read sensitive security information; Can access BitLocker recovery keys; Can view Conditional Access policies; and Can see Identity Protection risk detections. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.