Hi All, let's discuss the best and easiest options for assigning Global Reader and Message Center Reader role permissions in Azure AD and M365. Have you faced permission issues when logging in to admin.microsoft.com or when trying to open alert messages from Microsoft, with an error message such as "your account doesn't have permission to view or manage this page in the Microsoft 365 admin center"?
In this post, we will cover best practices for Global admin accounts, the appropriate permissions for Message Center Reader and Global Reader, how to grant those permissions to particular users, and so on.
The goal is to provide least-privileged, read-only access to admins who need Message center access, so that they can check the alerts coming from Microsoft and communicate them to other teams, or so that you can automate that process.
Whether it is called a Microsoft 365 admin account, an Azure admin account, or a Global admin account, you should not provide Global admin access to a lot of admins. It should be 4 or 5 admins at a minimum who get Global admin access. Microsoft provides a lot of recommendations for Global admin roles. Another important recommendation from Microsoft is to enable MFA for Global admins.
What Is Global Reader, and What Access Does the Global Reader Role Provide?
The Global Reader role provides read-only access to all the admin features and settings in the admin center. A Global reader can view everything, including all settings and admin features, but cannot change or edit any of them.
What are the Differences between Global Admin and Global Reader?
The global reader has read permissions on M365 groups, security groups, distribution groups, and mail-enabled security groups. The Global admin will have permission to create, read, update, and delete the M365 groups, security groups, distribution groups, and mail-enabled security groups.
What Can a User Do with the Message Center Reader Role?
Assign the Message center reader role to users who need to do the following.
1. Monitor message center notifications
2. Get weekly email digests of message center posts and updates
3. Share Message Center posts
4. Have read-only access to Azure AD services, such as users and groups
Video – Global Reader Message Center Reader Roles Permissions
In this video, let's discuss Global Reader and Message Center Reader role permissions, and the different options for providing the Global Reader role or the Message Center Reader role.
Global Reader Message Center Reader Roles Permissions
There are 2 options for assigning the Global Reader role or the Message Center Reader role.
- One is the Azure portal: go to Azure Active Directory and assign the role there, which offers more control.
- The 2nd is the Microsoft 365 admin center: go to the Microsoft 365 admin center and provide access.
- The Microsoft 365 admin center is the easiest option because it is just a checkmark.
- The Azure portal involves more steps than the Microsoft 365 admin center.
| Admin Role | M365 Groups | Security Groups | Distribution Groups | Mail-Enabled Security Groups |
|---|---|---|---|---|
| Global admin | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete | Create, Read, Update, Delete |
Global Reader Role from the Azure Portal
Logging in to the Azure portal with a read-only account shows a different view. Go to Azure Active Directory and search for the read-only account. Open the read-only account and, on the left side, select Assigned roles. The Eligible assignments section shows that the Global Reader permission is already given and is permanent.
| Role | Principal Name | Scope | Membership | Start Time | End Time | Action |
|---|---|---|---|---|---|---|
| Global Reader | Enter name of the Principal | Directory | Direct | Enter the start time | Enter the end time | Enter the name of the Principal |
The Global Reader role still needs to be activated. Users don't have permission to activate it; an admin should do so. Log in with the admin account: for the read-only user, the eligible assignment is Global Reader, and there are no active assignments.
- Go to the Action section on the right side of the Azure portal and select the Update hyperlink to activate the Global Reader role.
After clicking the Update option, change the Assignment type to Active. Enter the justification; a proper justification is recommended. Click the Save button. After the Global Reader role is activated, a notification about the successful activation will appear.
The Active assignments section of the read-only account now shows Global Reader. This means that the user now has access as a Global reader and can check all the settings in Active Directory, but only with read-only access. There is no permission to edit anything.
Global Reader Role from Microsoft 365 Admin Center
Refresh and check admin.microsoft.com. Here you can see all the details and settings, but with read-only permissions. You can easily view everything, but there is no permission to edit it.
How to Remove the Global Reader Role from Azure Portal
You can easily remove the assignment from Active assignments by clicking the Remove hyperlink under Action. The minimum time required to remove the active assignments is 5 minutes. After you click Remove, a confirmation message will appear: “Are you sure you want to remove the name assignment from the role Global Reader?”
- Click Yes to confirm the Removal process.
- A Notification will show that the “Role assignment was removed successfully.”
Message Center Reader Role from Azure Portal
Open the Azure portal with an admin account, open the read-only account, and select Assigned roles on the left side. Select Add assignments.
Select the role for the read-only account by clicking the drop-down arrow or searching for Message Center Reader. Select the scope type as Directory. Click the Settings tab and select the assignment type as Active.
- You need to provide a justification. Only once the status is Active is the actual permission given to this read-only account.
- This is a permanent assignment. If you want, you can set a time limit.
- Click the Assign button.
- Now the Message Center Reader role has been assigned to this read-only account user.
- After the role is assigned, a notification will appear and show that “Member read only successfully assigned to role message center reader in Directory.”
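The same Active, Directory-scoped, time-limited assignment can be scripted. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell SDK is installed and the tenant is licensed for Privileged Identity Management, and the account name, justification text and 30-day window are placeholders.

```powershell
# Added example (not from the original post). Placeholders: $upn, justification, duration.
# Needs the Microsoft.Graph.Users and Microsoft.Graph.Identity.Governance modules.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$upn      = 'readonly.user@contoso.example'   # placeholder read-only account
$roleName = 'Message Center Reader'

# Resolve the user and the built-in role by name instead of hard-coding IDs.
$user = Get-MgUser -UserId $upn -ErrorAction Stop
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
if (-not $role) { throw "Role '$roleName' not found in this tenant." }

# Skip the request if the user already holds an active assignment for this role.
$existing = Get-MgRoleManagementDirectoryRoleAssignmentSchedule `
        -Filter "principalId eq '$($user.Id)'" |
    Where-Object { $_.RoleDefinitionId -eq $role.Id }
if ($existing) {
    Write-Output "$upn already has an active '$roleName' assignment."
    return
}

$request = @{
    action           = 'adminAssign'   # portal: Assignment type = Active
    principalId      = $user.Id
    roleDefinitionId = $role.Id
    directoryScopeId = '/'             # portal: Scope type = Directory
    justification    = 'Needs Message center alerts to brief other teams'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{
            type     = 'afterDuration' # 'noExpiration' would make it permanent
            duration = 'P30D'          # ISO 8601 duration; tenant PIM policy may cap it
        }
    }
}

# Submit the request and show its status for the change record.
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
$result | Select-Object Id, Status, Action, CreatedDateTime
```

Setting an expiration keeps the read-only access from outliving its purpose, which the single checkbox in the Microsoft 365 admin center cannot do.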
Message Center Reader Role from Microsoft 365 Admin Center
Switch to the read-only user account: log out, then log in with its username and password. There are fewer options for Message Center Reader here compared to the Global Reader permission. The Health section only shows the Message center, Directory sync status, and Software updates.
How to Assign a Role to the User from Admin.Microsoft.com
Open admin.microsoft.com, search for the same user, and click the user name. Go to Roles and click the Manage roles hyperlink. It will open Manage admin roles and show the permissions we assigned from Azure Active Directory.
Here you can uncheck Message Center Reader and check Global Reader. There is no granularity like we have seen in the Azure portal, and there is no option to set a time limit. This is the simplest method to quickly give users access to Global Reader, Message Center Reader, or any other role.
- If you want more control or want to follow best practices, use the Azure portal rather than the Microsoft 365 admin center.
- If you click Save, the read-only user has Global Reader access.
Microsoft Learn Link – Azure AD built-in roles – Microsoft Entra | Microsoft Learn
About Author – Vidya is a computer enthusiast. She is here to share quick tips and tricks with Windows 11 or Windows 10 users. She loves writing on Windows 11 and related technologies. She is also keen to find solutions and write about day-to-day tech problems.