Azure Active Directory Global Reader role

Occasional Contributor
Microsoft introduced a new Azure AD built-in role called Global Reader. Global reader is the read-only counterpart to Global admin. Users in this role can read all settings and administrative information across Microsoft 365 services, but cannot edit anything. Please note that Global Reader is not supported in SharePoint Admin Center, Privileged Access Management (PAM), customer lockbox requests in M365 Admin Center and sensitivity labels in Security & Compliance Center
I found this role more suitable for someone who wants to audit your tenant and generate a quick report or some wants to review the logs or policies....... Except the sharepoint stufff...
Here is a quick sneak peak of what we can do in reality with this role.
 1-Global Reader ROle.JPG2-dashboard.JPG3-AzureAD.JPG4-AzureAD.JPG5-Teamse.JPGComplianceDashboard.JPGComplianceScore.JPGDeviceManagement.JPGDeviceManagement2.JPG


2 Replies

@Safeer khan I agree, its a great role! 

It can be very useful to set up with PIM/PAM and let your IT department for example troubleshoot authentication, ConditionalAccess, logs etc in Azure and then send their results and recommended action to a Global Admin that can then implement the changes 


I think this role will make it possible to lower the number of Global Administrators in many customers tenants. And make those users Global Readers instead and just let a handfull of people keep using the Global Admin role 



@oliwer_sundgren   Exactly, I have reduced so many access levels on tenants where there is no PIM-PAM to reader role.     Its great feature to be honest.