| title | description | author | manager | ms.service | ms.topic | ms.date | ms.author | ms.custom |
|---|---|---|---|---|---|---|---|---|
include file |
include file |
barclayn |
amycolannino |
entra-id |
include |
01/17/2024 |
barclayn |
include file,licensing |
The required roles and licenses vary based on the report. Separate permissions are required to access monitoring and health data in Microsoft Graph. We recommend using a role with least privilege access to align with the Zero Trust guidance.
| Log / Report | Roles | Licenses |
|---|---|---|
| Audit | Reports Reader Security Reader Security Administrator Global Reader |
All editions of Microsoft Entra ID |
| Sign-ins | Reports Reader Security Reader Security Administrator Global Reader |
All editions of Microsoft Entra ID |
| Provisioning | Reports Reader Security Reader Security Administrator Global Reader Security Operator Application Administrator Cloud App Administrator |
Microsoft Entra ID P1 or P2 |
| Custom security attribute audit logs* | Attribute Log Administrator Attribute Log Reader |
All editions of Microsoft Entra ID |
| Usage and insights | Reports Reader Security Reader Security Administrator |
Microsoft Entra ID P1 or P2 |
| Identity Protection** | Security Administrator Security Operator Security Reader Global Reader |
Microsoft Entra ID Free Microsoft 365 Apps Microsoft Entra ID P1 or P2 |
| Microsoft Graph activity logs | Security Administrator Permissions to access data in the corresponding log destination |
Microsoft Entra ID P1 or P2 |
*Viewing the custom security attributes in the audit logs or creating diagnostic settings for custom security attributes requires one of the Attribute Log roles. You also need the appropriate role to view the standard audit logs.
**The level of access and capabilities for Identity Protection varies with the role and license. For more information, see the license requirements for Identity Protection.