Microsoft Entra ID · Identity Governance

Tenant Governance Relationship Reader

Can read tenant governance relationships and relevant objects in Microsoft Entra Tenant Governance.

Scope: Read-only access to tenant governance relationships and related objects

Permissions

  • Read tenant governance relationships
  • View governance relationship configurations
  • Access relationship status and details
  • View related governance objects

Common use cases

  • Auditing governance relationships across tenants
  • Monitoring relationship health and status
  • Compliance reporting on cross-tenant connections

Best practices

  • Assign to auditors reviewing cross-tenant governance
  • Use for compliance teams validating relationship integrity
  • Prefer over broader governance roles for relationship-only visibility

Security considerations

  • Can see which tenants have governance relationships — organizational structure info
  • Read-only — no risk of relationship changes
  • Safe for assignment to compliance and audit personnel

Common questions

When should I assign the Tenant Governance Relationship Reader role?

Assign Tenant Governance Relationship Reader when you need to: Auditing governance relationships across tenants; Monitoring relationship health and status; and Compliance reporting on cross-tenant connections. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Tenant Governance Relationship Reader role do?

The Tenant Governance Relationship Reader role grants permissions including: Read tenant governance relationships; View governance relationship configurations; Access relationship status and details; and View related governance objects. See the Permissions section above for the full list.

What are the security risks of the Tenant Governance Relationship Reader role?

Key considerations when assigning Tenant Governance Relationship Reader: Can see which tenants have governance relationships — organizational structure info; Read-only — no risk of relationship changes; and Safe for assignment to compliance and audit personnel. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →