Microsoft Purview · Information Protection
Sensitivity Label Reader
View sensitivity labels and configurations with read-only access for auditing and compliance.
Scope: Read-only access to sensitivity label features
Permissions
- View sensitivity label configuration
- Access label policies and scoping settings
- Review label usage reports
- View auto-labeling rules
- Export label configuration for documentation
Common use cases
- External auditors reviewing classification program
- Compliance reporting on label deployment
- Management oversight of information protection
- Consultants assessing label effectiveness
Best practices
- Use for audit and compliance assessment purposes
- Generate regular label coverage reports
- Monitor label adoption trends
- Identify gaps in classification coverage
Security considerations
- Cannot make changes - lowest risk label role
- Safe for external auditors and consultants
- Export capabilities should be monitored
Common questions
When should I assign the Sensitivity Label Reader role?
Assign Sensitivity Label Reader when you need to: External auditors reviewing classification program; Compliance reporting on label deployment; Management oversight of information protection; and Consultants assessing label effectiveness. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Sensitivity Label Reader role do?
The Sensitivity Label Reader role grants permissions including: View sensitivity label configuration; Access label policies and scoping settings; Review label usage reports; View auto-labeling rules; and Export label configuration for documentation. See the Permissions section above for the full list.
What are the security risks of the Sensitivity Label Reader role?
Key considerations when assigning Sensitivity Label Reader: Cannot make changes - lowest risk label role; Safe for external auditors and consultants; and Export capabilities should be monitored. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.