Permissions in Exchange Online

Global roles in Microsoft Entra ID allow you to manage permissions and access to capabilities in all of Microsoft 365, which also includes Exchange Online. For more information, see Microsoft Entra permissions.

But, if you need to limit permissions and capabilities to features in Exchange Online, you can assign Exchange Online permissions in the Exchange admin center (EAC) and in Exchange Online PowerShell.

To manage Exchange Online permissions in the EAC, go to Roles > Admin roles or go directly to the Admin roles page at https://admin.exchange.microsoft.com/#/adminRoles.

You need to be member of the Organization Management role group in Exchange Online. Specifically, the Role Management role in Exchange Online allows users to view, create, and modify Exchange Online role groups. By default, that role is assigned only to the Organization Management role group.

Exchange Online includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, which you can use right away to easily grant permissions to your admins and users. You can use the permissions features in Exchange Online to get your new organization up and running quickly.

Tip

Managing permissions in Exchange Online gives users access to features in the EAC and Exchange Online PowerShell. To grant permissions to other features, such as compliance features in the Microsoft Purview compliance portal, or security features in the Microsoft Defender portal, see the following articles:

Several advanced RBAC features and concepts aren't discussed in this article. If the functionality described in this article doesn't meet your needs, and you want to further customize your permissions model, see Understanding Role Based Access Control.

Role-based permissions

Exchange Online permissions are based on the role-based access control (RBAC) permissions model. RBAC is the same permissions model that's used by most Microsoft 365 services and Exchange Server, so if you're familiar with the permission structure in these services, granting permissions in Exchange Online should be familiar.

  • A role or management role grants the permissions to do a set of tasks. Exchange Online permissions use the following types of roles:

    • Administrator roles: Defines the set of tasks that an admin can do. When an administrator role is assigned to a role group, and an admin or user is a member of that role group, that person is granted the permissions provided by the role. These roles are listed and described in this article.
    • End-user roles: These roles, which are assigned using role assignment policies, enable users to manage aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix My. For more information, see the section later in this article.
    • Application roles: These role names that start or end with 'Application' are part of RBAC for Applications in Exchange Online. For more information, see Role Based Access Control for Applications in Exchange Online.

    Roles give users permissions to perform tasks by making Exchange Online cmdlets available users. Because the EAC and Exchange Online PowerShell use cmdlets to manage Exchange Online, granting access to a cmdlet gives the admin or user permission to do the task in either of the Exchange Online management interfaces.

  • A role group makes it easier to assign roles to admins. When a role is assigned to a role group, the permissions granted by the role are granted to all the members of the role group. Exchange Online permissions include default role groups for the most common tasks and functions that you need to assign. You can also create custom role group. We recommend adding individual users as members to the default role groups or custom role groups instead of assigning roles directly to users. Role group members can be Exchange Online users and other role groups.

    Adding users to Exchange Online role groups grants administrative rights to users in Exchange Online without adding them to Microsoft Entra roles. Users receive the permissions granted by the role group in Exchange Online only without permission to other Microsoft 365 features or workload.

Role, role group and member relationship.

The rest of this article describes the administrator roles and role groups in Exchange Online.

Tip

A role assignment policy is a type of role group that's used to assign end-user roles to users. For more information, see Role assignment policies in Exchange Online.

Role groups in Exchange Online

The table in this section lists the default administrator role groups that are available in Exchange Online, and the roles that are assigned to the role groups by default. To grant permissions to a user to perform tasks in Exchange Online, add them to the appropriate role group.

If you work in a small organization that has only a few admins, you might need to add those admins to the Organization Management role group only, and you might never need to use the other role groups. If you work in a larger organization, you might have admins who perform specific tasks administering Exchange Online, such as recipient configuration. In those cases, you might add one administrator to the Recipient Management role group, and another administrator to the Organization Management role group. Those admins can then manage their specific areas of Exchange Online, but they don't have permissions to manage areas they're not responsible for.

If the built-in role groups in Exchange Online don't match the job function of your admins, you can create role groups and add roles to them. For more information, see Manage role groups in Exchange Online.

Tip

Unless otherwise noted, the same roles group and role assignments are used in standalone Exchange Online Protection.

Role group Description Default roles assigned
Communication Compliance The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Communication Compliance Admin

Communication Compliance Investigation
Communication Compliance Administrators The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Communication Compliance Admin
Compliance Administrator Manage settings for device management, data loss prevention, reports, and preservation. Communication Compliance Admin

Insider Risk Management Admin
Compliance Management Members can configure and manage compliance settings within Exchange in accordance with their policies. Audit Logs

Compliance Admin

Data Loss Prevention

Information Rights Management

Journaling

Message Tracking

Retention Management

Transport Rules

View-Only Audit Logs

View-Only Configuration

View-Only Recipients
Discovery Management Members can perform searches of mailboxes in the Exchange Online organization for data that meets specific criteria and can also configure legal holds on mailboxes. Legal Hold

Mailbox Search
ExchangeServiceAdmins_-<unique value>¹ Membership in this role group is synchronized across services and is managed centrally. You can't manage this role group in Exchange Online.

This role group doesn't have any roles assigned to it. However, it's a member of the Organization Management role group (as Exchange Service Administrator) and inherits the permissions provided by that role group.

You can add members to this role group by adding users to the Microsoft Entra ID Exchange admin role in the Microsoft 365 admin center.
n/a
Help Desk Members can view and manage the configuration for individual recipients and view recipients in an Exchange organization. Members of this role group can only manage the configuration each user can manage on their own mailbox. Reset Password

User Options

View-Only Recipients
Hygiene Management Members can manage Exchange anti-spam features, grant permissions for antivirus products to integrate with Exchange, and manage mail flow rules. Transport Hygiene

View-Only Configuration

View-Only Recipients
Information Protection Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports. Information Protection Admin

Information Protection Analyst²

Information Protection Investigator

Information Protection Reader
Information Protection Admins The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Information Protection Admin
Information Protection Analysts The role assignments in this role group give access to the Search-UnifiedAuditLog cmdlet in Exchange Online. Information Protection Analyst²
Information Protection Investigators Search the unified audit log Information Protection Investigator
Information Protection Readers Search the unified audit log and view the Mail Traffic and Mail Traffic Summary reports. Information Protection Reader
Insider Risk Management Manage access control for Insider risk management. Insider Risk Management Admin

Insider Risk Management Investigation
Insider Risk Management Admins The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Insider Risk Management Admin
Insider Risk Management Investigators The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Insider Risk Management Investigation
Organization Management Members have administrative access to the entire Exchange Online organization and can perform almost any task in Exchange Online.

Important: Because the Organization Management role group is a powerful role, only users that perform organizational-level administrative tasks that can potentially impact the entire Exchange Online organization should be members of this role group.
Audit Logs

Communication Compliance Admin

Communication Compliance Investigation

Compliance Admin

Data Loss Prevention

Distribution Groups

E-Mail Address Policies

Federated Sharing

Information Protection Admin

Information Protection Analyst²

Information Protection Investigator

Information Protection Reader

Information Rights Management

Insider Risk Management Admin

Insider Risk Management Investigation

Journaling

Legal Hold

Mail Enabled Public Folders

Mail Recipient Creation

Mail Recipients

Mail Tips

Message Tracking

Migration

Move Mailboxes

Org Custom Apps

Org Marketplace Apps

Organization Client Access

Organization Configuration

Organization Transport Settings

Privacy Management Admin

Privacy Management Investigation

Public Folders

Recipient Policies

Remote and Accepted Domains

Reset Password

Retention Management

Role Management

Security Admin

Security Group Creation and Membership

Security Reader

TenantPlacesManagement

Transport Hygiene

Transport Rules

User Options

View-Only Audit Logs

View-Only Configuration

View-Only Recipients
Privacy Management The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Privacy Management Admin

Privacy Management Investigation
Privacy Management Administrators The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Privacy Management Admin
Privacy Management Investigators The role assignments in this role group give access to the Test-TextExtraction cmdlet in Exchange Online. Privacy Management Investigation
Recipient Management Members have administrative access to create or modify Exchange Online recipients within the Exchange Online organization. Distribution Groups

Mail Recipient Creation

Mail Recipients

Message Tracking

Migration

Move Mailboxes

Recipient Policies

Reset Password
Records Management Members can configure compliance features, such as retention policy tags, message classifications, and mail flow rules (also known as transport rules). Audit Logs

Journaling

Message Tracking

Retention Management

Transport Rules
RIM-MailboxAdmins<GUID> Not used ApplicationImpersonation
Security Administrator Membership in this role group is synchronized across services and is managed centrally. You can't manage this role group in Exchange Online.

You can add members to this role group by adding users to the Microsoft Entra Security admin role in the Microsoft 365 admin center.
Security Admin

SensitivityLabelAdministrator
Security Operator Manage security alerts, and also view reports and settings of security features. Tenant AllowBlockList Manager
Security Reader Membership in this role group is synchronized across services and is managed centrally. You can't manage this role group in Exchange Online.

You can add members to this role group by adding users to the Microsoft Entra Security reader role in the Microsoft 365 admin center.
Security Reader
TenantAdmins_-<unique value> Membership in this role group is synchronized across services and is managed centrally. You can't manage this role group in Exchange Online.

This role group doesn't have any roles assigned to it. However, it's a member of the Organization Management role group (as Company Administrator) and inherits the permissions provided by that role group.

You can add members to this role group by adding users to the Microsoft Entra ID Global Administrator role in the Microsoft 365 admin center.

Important: Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
n/a
View-Only Organization Management Members can view the properties of any object in the Exchange Online organization. View-Only Configuration

View-Only Recipients

¹ This role group isn't available in standalone Exchange Online Protection.

² By default, this role isn't assigned any role group in standalone Exchange Online Protection.

Roles in Exchange Online

The table in this section lists the available administrator roles and the role groups that they're assigned to by default.

Roles that aren't assigned to the Organization Management role group by default are marked with *

Tip

  • Role names that start with the prefix 'My' (for example, MyContactInformation) are end-user roles. End-user roles are assigned to users in role assignment policies, which allow users to operate on object they own (for example, their own account or distribution groups they created). For more information, see Role assignment policies in Exchange Online.
  • Role names that start or end with 'Application' are part of RBAC for Applications in Exchange Online. For more information, see Role Based Access Control for Applications in Exchange Online.
  • Many of the compliance-related roles that are also available in Microsoft Purview compliance and Microsoft Entra don't offer much capability in Exchange Online by themselves.
  • Unless otherwise noted, the same roles and role group assignments are used in standalone Exchange Online Protection.
Role Description Default role group assignments
Address Lists* Enables admins to manage address lists, global address lists, and offline address lists in an organization. None
Audit Logs Search the administrator audit log and view the results. Compliance Management

Organization Management

Records Management
Communication Compliance Admin This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Communication Compliance

Communication Compliance Administrators

Compliance Administrator

Organization Management
Communication Compliance Investigation This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Communication Compliance

Organization Management
Compliance Admin Lets people view and edit settings and reports for compliance features. Compliance Management

Organization Management
Data Loss Prevention This role was related to the older mail flow rule (transport rule) related Data Loss Prevention (DLP) settings in the organization. This role gives access to report and mail flow rule management in Exchange Online. Compliance Management

Organization Management
Distribution Groups Create and manage all distribution groups, mail-enabled security groups, and members. Organization Management

Recipient Management
E-Mail Address Policies Enables admins to manage email address policies in an organization. Organization Management
Federated Sharing Enables admins to manage cross-forest and cross-organization sharing in an organization. Organization Management
Information Protection Admin This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Information Protection

Information Protection Admins

Organization Management
Information Protection Analyst This role gives access to the Search-UnifiedAuditLog cmdlet in Exchange Online. Information Protection

Information Protection Analysts¹

Organization Management
Information Protection Investigator Search the unified audit log. Information Protection

Information Protection Investigators

Organization Management
Information Protection Reader Search the unified audit log and view the Mail Traffic and Mail Traffic Summary reports. Information Protection

Information Protection Readers

Organization Management
Information Rights Management Manage the Information Rights Management (IRM) features of Exchange in an organization. Compliance Management

Organization Management
Insider Risk Management Admin This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Compliance Administrator

Insider Risk Management

Insider Risk Management Admins

Organization Management
Insider Risk Management Investigation This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Insider Risk Management

Insider Risk Management Investigators

Organization Management
Journaling Enables admins to manage journaling configuration in an organization. Compliance Management

Organization Management

Records Management
Legal Hold Enables admins to configure whether data within a mailbox should be retained for litigation purposes in an organization. Discovery Management

Organization Management
Mail Enabled Public Folders Enables admins to configure whether individual public folders are mail-enabled or mail-disabled in an organization. Organization Management
Mail Recipient Creation Create and remove mail users and mail contacts. Organization Management

Recipient Management
Mail Recipients Modify existing mail users and mail contacts. Organization Management

Recipient Management
Mail Tips Enables admins to manage MailTip settings in an organization. Organization Management
Mailbox Import Export* Enables admins to import and export mailbox content. None
Mailbox Search* Enables admins to search the content of one or more mailboxes in an organization. Discovery Management
Message Tracking Enables admins to track messages in an organization. Compliance Management

Organization Management

Recipient Management

Records Management
Migration Enables admins to migrate mailboxes and mailbox content into or out of an organization. Organization Management

Recipient Management
Move Mailboxes Enables admins to move mailboxes. Organization Management

Recipient Management
O365SupportViewConfig* Not used None
Org Custom Apps Enables users to view and modify their org custom apps. Organization Management
Org Marketplace Apps Enables users to view and modify their org marketplace apps. Organization Management
Organization Client Access Enables admins to manage Client Access settings in an organization. Organization Management
Organization Configuration Enables admins to manage organization-wide settings. Organization Management
Organization Transport Settings Enables admins to manage hybrid and organization-wide mail transport settings. Organization Management
Privacy Management Admin This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Organization Management

Privacy Management

Privacy Management Administrators
Privacy Management Investigation This role gives access to the Test-TextExtraction cmdlet in Exchange Online. Organization Management

Privacy Management

Privacy Management Investigators
Public Folders Enables admins to manage public folders in an organization. Organization Management
Recipient Policies Enables admins to manage recipient policies (authentication policies, data encryption policies mobile device mailbox policies, and Outlook on the web mailbox policies) in an organization. Organization Management

Recipient Management
Remote and Accepted Domains Manage remote domains, accepted domains, and connectors. Organization Management
Reset Password Enables admins to set room mailbox passwords. Help Desk

Organization Management

Recipient Management
Retention Management Lets people manage retention policies. Compliance Management

Organization Management

Records Management
Role Management Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes in an organization. Organization Management
Security Admin Manage the configuration and reports for all security and protection features. Organization Management

Security Administrator
Security Group Creation and Membership Create and manage mail-enabled security groups. Organization Management
Security Reader View the configuration and reports for security and protection features. Organization Management

Security Reader
SensitivityLabelAdministrator* Lets people edit sensitivity label properties. Security Administrator
Tenant AllowBlockList Manager* Lets people manage the Tenant Allow/Block List. Security Operator
TenantPlacesManagement Lets people manage settings for Microsoft Places. Organization Management
Transport Hygiene Manage anti-malware, anti-spam features, and anti-spoofing features. Hygiene Management

Organization Management
Transport Rules Create and manage mail flow rules (also known as transport rules). Compliance Management

Organization Management

Records Management
User Options Enables admins to view the Outlook on the web options of users in the organization. Help Desk

Organization Management
View-Only Audit Logs Search the administrator audit log and view the results. Compliance Management

Organization Management
View-Only Configuration View all of the organization and mail flow (non-recipient) settings in the organization. Compliance Management

Hygiene Management

Organization Management

View-Only Organization Management
View-Only Recipients View recipient properties and run message trace. Compliance Management

Help Desk

Hygiene Management

Organization Management

View-Only Organization Management

¹ By default, this role isn't assigned to any role groups in standalone Exchange Online Protection.

Microsoft 365 permissions in Exchange Online

When you create a user in the Microsoft 365 admin center, you can choose whether to assign various Microsoft Entra roles (for example, Exchange Administrator or Global Reader), to the user. Most of the Microsoft Entra roles grant administrative permissions to the user in Exchange Online.

Note

The account you used to create your Exchange Online organization is automatically assigned to the Global Administrator role.

The following table lists the Microsoft Entra roles and the Exchange Online role groups that they correspond to. For more information about these roles, see Microsoft Entra permissions.

Microsoft Entra role Exchange Online role group
Global Administrator Organization Management

Note: The Global Administrator role and the Organization Management role group are tied together using a special Company Administrator role group. The Company Administrator role group is managed internally and can't be modified directly.
Exchange Administrator Organization Management
Global Reader View-Only Organization Management
Helpdesk Administrator Help Desk
Service Support Administrator None
SharePoint Administrator None
Teams Administrator None
Exchange Recipient Administrator Recipient Management
User Experience Success Manager None

Users can be granted administrative rights in Exchange Online without adding them to Microsoft Entra roles by adding the user as a member of an Exchange Online role group. The user gets permissions in Exchange Online, but they don't get permissions in other Microsoft 365 workloads.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

See also