The **Directory Reader** role is a pre-defined role in Microsoft Azure Active Directory (Azure AD) that provides read-only access to directory information. It is useful when users need to view, but not modify, directory data such as user details and external identities, since it grants no write permissions. Below is a detailed breakdown of the specific permissions granted within this role:
### Directory Reader Role Permissions
1. **Audit Logs:**
   - `microsoft.directory/auditLogs/allProperties/read`
   - Grants read access to all properties of directory audit logs, enabling visibility into directory-level operations and changes.
2. **Sign-In Reports:**
   - `microsoft.directory/signInReports/allProperties/read`
   - Allows reading all properties of sign-in reports, providing insight into user sign-in activity, including successes and failures.
3. **User App Role Assignments:**
   - `microsoft.directory/users/appRoleAssignments/read`
   - Enables viewing of app role assignments for users, useful for understanding the permissions and access rights assigned via roles.
4. **Direct Reports:**
   - `microsoft.directory/users/directReports/read`
   - Permits reading the list of users that report directly to a given user, typically used for organizational-structure insights.
5. **User Identities:**
   - `microsoft.directory/users/identities/read`
   - Grants access to the identity information of users, which can include federated identities, primary user identifiers, etc.
6. **License Details:**
   - `microsoft.directory/users/licenseDetails/read`
   - Enables reading of users' license details, useful for understanding licensing assignments and compliance.
7. **User Manager:**
   - `microsoft.directory/users/manager/read`
   - Allows viewing of the manager information for users, helping map out reporting lines within the organization.
8. **Member Of:**
   - `microsoft.directory/users/memberOf/read`
   - Grants access to the group memberships of users, showing which groups a user belongs to.
9. **Owned Devices:**
   - `microsoft.directory/users/ownedDevices/read`
   - Allows viewing of the devices owned by a user, aiding in asset management and security monitoring.
10. **Registered Devices:**
    - `microsoft.directory/users/registeredDevices/read`
    - Grants read access to the devices registered by a user, important for tracking device registration status and compliance.
11. **Scoped Role Member Of:**
    - `microsoft.directory/users/scopedRoleMemberOf/read`
    - Allows reading the roles assigned to a user within a particular scope, useful for role management.
12. **Sponsors:**
    - `microsoft.directory/users/sponsors/read`
    - Allows viewing of any sponsor relationships, typically used in scenarios involving guest users or external collaborators.
13. **Standard User Properties:**
    - `microsoft.directory/users/standard/read`
    - Grants read access to standard user properties such as name, email and job title, comprising basic user information.
14. **Tenant Relationships:**
    - `microsoft.directory/tenantRelationships/standard/read`
    - Grants visibility into tenant- and directory-level relationships, necessary for multi-tenant management.