Security, Compliance, and Governance are core to building trust for your users, customers, and anyone whom you do business with. There are times when you need to comply with audit and compliance rules and need to provide individuals the ability to review your Microsoft 365 settings without allowing them to make configuration changes.
By using the Global reader role, you can improve your security posture by reducing the number of Global admins in your organization. Global readers can view all settings and administrative information across Microsoft 365, but they can’t make any changes. Global reader is especially useful for planning, audit, and investigation activities, and it can be used in combination with other roles, such as Exchange admin, to make it easier to get work done without requiring Global admin permissions.
Users in this role can read settings and administrative information across Microsoft 365 services but can’t take management actions. Global reader is the read-only counterpart to Global administrator. Assign Global reader instead of Global administrator for planning, audits, or investigations. Use Global reader in combination with other limited admin roles like Exchange Administrator to make it easier to get work done without the assigning the Global Administrator role. Global reader works with Microsoft 365 admin center, Exchange admin center, Teams admin center, Security center, Compliance center, Azure AD admin center, and Device Management admin center.
As of 11/1/2019 Global reader role has a few limitations right now, see the details below as well the following link for the latest updates.
- SharePoint admin center – SharePoint admin center does not support the Global reader role. You won’t see ‘SharePoint’ in left pane under Admin Centers in Microsoft 365 admin center.
- OneDrive admin center – OneDrive admin center does not support the Global reader role.
- Azure AD portal – Global reader can’t read the provisioning mode of an enterprise app.
- M365 admin center – Global reader can’t read customer lockbox requests. You won’t find the Customer lockbox requests tab under Support in the left pane of M365 Admin Center.
- M365 Security center – Global reader can’t read sensitivity and retention labels. You won’t find Sensitivity labels, Retention labels, and Label analytics tabs in the left pane of the M365 Security center.
- Teams admin center – Global reader cannot read Teams lifecycle, Analytics & reports, IP phone device management and App catalog.
- Privileged Access Management (PAM) doesn’t support the Global reader role.
- Azure Information Protection – Global reader is supported for central reporting only, and when your tenant isn’t on the unified labeling platform.