Share via

Feature permissions in Exchange Online

  • Article

The permissions required to perform tasks to manage Microsoft Exchange Online vary depending on the procedure being performed or the cmdlet you want to run.

To find out what permissions you need to perform the procedure or run the cmdlet, do the following:

  1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.

  2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see Understanding Role Based Access Control.

  3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.

    Note

    You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.

If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.

Exchange Online permissions

You can use the features in the following table to manage your Exchange Online organization and recipients. Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information about these role groups, see Role groups.

Feature Permissions required
Anti-malware Organization Management

Hygiene Management
Anti-spam Organization Management

Hygiene Management
Arbitration Organization Management
Client Access user settings Organization Management
Data loss prevention (DLP) Organization Management

Compliance Management
Discovery mailboxes - Create Organization Management

Recipient Management
Distribution groups Organization Management

Recipient Management
Domains Organization Management
Microsoft 365 or Office 365 connectors Organization Management
In-Place eDiscovery Discovery Management

Note: By default, the Discovery Management role group doesn't have any members. No users, including admins, have the required permissions to search mailboxes. For more information, see Assign eDiscovery permissions in Exchange.
In-Place Hold Discovery Management

Organization Management

Notes:

  • To create a query-based In-Place Hold, a user requires both the Mailbox Search and Legal Hold roles to be assigned via membership in a role group that has both roles assigned. To create an In-Place Hold without using a query, which places all mailbox items on hold, you must have the Legal Hold role assigned. The Discovery Management role group is assigned both roles.
  • The Organization Management role group is assigned the Legal Hold role. Members of the Organization Management role group can place an In-Place Hold on all items in a mailbox, but can't create a query-based In-Place Hold.
Journal archiving Organization Management

Recipient Management
Journaling Organization Management

Records Management
Linked user Organization Management

Recipient Management
Mail flow Organization Management
Mail flow rules Organization Management
Mailbox settings Organization Management

Recipient Management
Message Encryption Organization Management

Compliance Management

Records Management
Message trace Organization Management

Compliance Management

Help Desk
Messaging records management Compliance Management

Organization Management

Records Management
Mobile devices Organization Management

Recipient Management
Organization configuration Organization Management
Outlook on thew web mailbox policies Organization Management

Recipient Management
Permissions and delegation Organization Management
Public folders Organization Management

Public Folder Management

Mail-enabled public folders require Recipient Management
POP3 and IMAP4 permissions Organization Management
Quarantine Organization Management

Hygiene Management
Recipients Organization Management

Recipient Management
Retention policies Organization Management

Recipient Management

Records Management
Role assignments Organization Management
Supervision Organization Management
Unified Messaging Organization Management

Unified Messaging Management
View-only administrator audit logging Organization Management

Records Management
View reports Organization Management: Users have access to mailbox reports and mail protection reports.

View-Only Organization Management: Users have access to mailbox reports.

View-Only Recipients: Users have access to mail protection reports.

Compliance Management: Users have access to mail protection reports and data loss prevention (DLP) reports (if their subscription has DLP capabilities).

Note

To find the permissions that are required to run any Exchange Online cmdlet, see Find the permissions required to run any Exchange cmdlet.