Microsoft Entra ID · Identity Governance
Tenant Governance Relationship Reader
Can read tenant governance relationships and relevant objects in Microsoft Entra Tenant Governance.
Scope: Read-only access to tenant governance relationships and related objects
Permissions
- Read tenant governance relationships
- View governance relationship configurations
- Access relationship status and details
- View related governance objects
Common use cases
- Auditing governance relationships across tenants
- Monitoring relationship health and status
- Compliance reporting on cross-tenant connections
Best practices
- Assign to auditors reviewing cross-tenant governance
- Use for compliance teams validating relationship integrity
- Prefer over broader governance roles for relationship-only visibility
Security considerations
- Can see which tenants have governance relationships — organizational structure info
- Read-only — no risk of relationship changes
- Safe for assignment to compliance and audit personnel
Common questions
When should I assign the Tenant Governance Relationship Reader role?
Assign Tenant Governance Relationship Reader when you need to: Auditing governance relationships across tenants; Monitoring relationship health and status; and Compliance reporting on cross-tenant connections. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Tenant Governance Relationship Reader role do?
The Tenant Governance Relationship Reader role grants permissions including: Read tenant governance relationships; View governance relationship configurations; Access relationship status and details; and View related governance objects. See the Permissions section above for the full list.
What are the security risks of the Tenant Governance Relationship Reader role?
Key considerations when assigning Tenant Governance Relationship Reader: Can see which tenants have governance relationships — organizational structure info; Read-only — no risk of relationship changes; and Safe for assignment to compliance and audit personnel. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.