Microsoft 365

Global Reader

Read-only access across all Microsoft 365 services without the ability to make changes.

Scope: Organization-wide read-only access to all Microsoft 365 services

Permissions

  • View all Microsoft 365 and Entra ID settings
  • Read all compliance and security configurations
  • Access reports and analytics across all services
  • Read audit logs and activity reports

Common use cases

  • Auditors needing visibility without change capability
  • Executives requiring dashboard access
  • Compliance monitoring

Best practices

  • Use instead of Global Admin for read-only needs
  • Combine with service-specific reader roles as needed

Common questions

When should I assign the Global Reader role?

Assign Global Reader when you need to: Auditors needing visibility without change capability; Executives requiring dashboard access; and Compliance monitoring. It is part of Microsoft 365 and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Global Reader role do?

The Global Reader role grants permissions including: View all Microsoft 365 and Entra ID settings; Read all compliance and security configurations; Access reports and analytics across all services; and Read audit logs and activity reports. See the Permissions section above for the full list.

Official Microsoft Learn documentation →

Open the interactive RBACMap →