Microsoft Entra ID · Identity Governance
Tenant Governance Reader
Read-only access to all tenant governance data in the Microsoft Entra Tenant Governance service.
Scope: Read-only visibility into all tenant governance data and configurations
Permissions
- Read all tenant governance data
- View governance policies and configurations
- View governance relationship details
- Access governance reports and status
Common use cases
- Auditing multi-tenant governance compliance
- Monitoring governance relationship health
- Executive reporting on cross-tenant governance
- Compliance reviews of multi-tenant configurations
Best practices
- Assign to compliance auditors and governance reviewers
- Use for executives needing visibility into multi-tenant governance
- Prefer this over Administrator role for read-only needs
Security considerations
- Can view governance configurations across tenants — may reveal organizational structure
- Read-only — no risk of configuration changes
- Safe for broad assignment to governance stakeholders
Common questions
When should I assign the Tenant Governance Reader role?
Assign Tenant Governance Reader when you need to: Auditing multi-tenant governance compliance; Monitoring governance relationship health; Executive reporting on cross-tenant governance; and Compliance reviews of multi-tenant configurations. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Tenant Governance Reader role do?
The Tenant Governance Reader role grants permissions including: Read all tenant governance data; View governance policies and configurations; View governance relationship details; and Access governance reports and status. See the Permissions section above for the full list.
What are the security risks of the Tenant Governance Reader role?
Key considerations when assigning Tenant Governance Reader: Can view governance configurations across tenants — may reveal organizational structure; Read-only — no risk of configuration changes; and Safe for broad assignment to governance stakeholders. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.