Forum Discussion
Global Reader role - Not working to access Sharepoint Admin Portal
Needed to grant access for reading/viewing policies on the SharePoint (SPO) admin portal and tried to have that in place with the Global Reader role, but unfortunately that does not seem to be working, and I don't want to provide excessive permissions by giving the SharePoint admin role to the user.
When I checked the Global Reader role and its permissions at this link, https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#global-reader (Microsoft Learn), it seems like the role can access the SPO admin center, but it still doesn't seem to be working, so I'm not sure if I am missing something.
Thanks
2 Replies
- mitewarrior (Copper Contributor)
Thank you grant_jenkins for responding to the question; I had got similar responses from other sources as well. It seems that with the Global Reader role, certain privileges are available through PowerShell to SharePoint Online. One of the responses that I had received also added: "This is a tool using PowerShell to execute command, and Global Reader can only access to specific API that specify as "Read" (Get-) like get list of sites, get list of design, ..., not modify command."
- grant_jenkins (Iron Contributor)
This is what I got back from ChatGPT. Note that even though Global Reader seems like it has read access across Microsoft 365, there is a lot it still doesn't have visibility on.
Also note that even SharePoint Administrator alone won't give you access to view the policies as they are part of the Compliance Portal within Purview.
The Global Reader role in Azure AD is a directory-level read-only role—it lets you view Azure AD settings and administrative information across Microsoft 365, but it does not grant any Azure Resource Manager (ARM) permissions on your Purview account. In practice:
- Global Reader cannot view or enumerate your Purview data policies. Purview’s policy UI is guarded by ARM-level actions under Microsoft.Purview/policies/*, which Global Reader simply doesn’t include. (welkasworld.com)
- At a minimum you need an ARM scope-level role (like the built-in Policy Author on a collection) to see policy definitions in the Purview portal—and even that role allows editing and deletion. (learn.microsoft.com)
If you want strictly view-only access to policies, you’ll need to:
- Assign the Azure built-in Reader role at the Purview account or resource-group scope (this gives you ARM-level read on all Purview resources), and
- Create a custom role that grants only the Microsoft.Purview/policies/read permission so that users can see policy configurations in the governance UI without any edit rights.
That combination ensures pure read-only visibility of Purview policies without over-privileging.