Permissions in standalone EOP

A standalone Exchange Online Protection (EOP) organization (one without Exchange Online mailboxes) uses the Role Based Access Control (RBAC) permissions model to grant permissions to admins. You can use the permission features in standalone EOP to get your new organization up and running quickly.

To grant permissions to users, see Manage admin role groups in EOP.

For more information about permissions across Microsoft 365, see About admin roles.

Role-based permissions

The admin permissions that you grant to users are based on management roles. A management role defines the cmdlets that are available for a set of given tasks. The Exchange admin center (EAC) and standalone EOP PowerShell both use cmdlets. So, granting access to a cmdlet gives users permission to do tasks in the EAC or in standalone EOP PowerShell. For example, the Mail Recipients role defines the cmdlets that are required to modify mail users.

Role groups

To make it easier to assign roles to users, standalone EOP uses role groups. Management roles are assigned to role groups, and the role group members get the permissions that are associated with those roles. In other words, management roles aren't assigned directly to users; they're assigned to role groups. This model lets you assign many roles to many role group members at once. Role group members can be mail users, mail-enabled security groups, users from the Microsoft 365 admin center, and other role groups.

The following figure shows the relationship between users, role groups, and roles.

(Figure: role, role group, and member relationship.)
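Both relationships described above (a role defines a set of cmdlets; a role group carries roles and has members) can be queried from standalone EOP PowerShell. The following is an added example, not code from the original page or from Microsoft. It assumes a session opened with Connect-ExchangeOnline and uses hypothetical account names in a contoso.onmicrosoft.com tenant.

```powershell
# Added example (not from the original page). Assumes an EOP PowerShell session and
# hypothetical accounts in the contoso.onmicrosoft.com tenant.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # assumed admin account

$target = 'alex@contoso.onmicrosoft.com'   # hypothetical admin whose permissions we want to see

# 1. Every role assignment that reaches the user. Roles are never assigned to a user
#    directly, so each row names the role group (RoleAssigneeName) that carries it;
#    indirect assignments through nested role groups or mail-enabled security groups
#    are returned as well.
Get-ManagementRoleAssignment -RoleAssignee $target |
    Select-Object Role, RoleAssigneeName, RoleAssigneeType, AssignmentMethod |
    Sort-Object Role |
    Format-Table -AutoSize

# 2. What one of those roles actually permits: the cmdlets and parameters it exposes.
#    Role entries are named "<Role>\<Cmdlet>".
Get-ManagementRoleEntry -Identity 'Mail Recipients\*' |
    Select-Object Name, Parameters |
    Sort-Object Name |
    Format-Table -AutoSize -Wrap

# 3. The reverse lookup: which roles (and therefore which role groups) would let someone
#    run a sensitive cmdlet. Useful when deciding whether a role group is too broad.
Get-ManagementRole -Cmdlet Set-TransportRule | Select-Object Name

# 4. Least-privilege check on the broadest built-in role group. Get-RoleGroupMember lists
#    direct members only; a nested security group or role group appears as a single entry
#    and has to be expanded separately.
Get-RoleGroupMember -Identity 'Organization Management' -ResultSize Unlimited |
    Select-Object Name, RecipientType |
    Format-Table -AutoSize
```

Step 1 is the view to use when reviewing an admin: it answers "through which role group does this person get this role", which is what you need in order to remove the permission without breaking anyone else.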

The available role groups in standalone EOP are described in the following table.

Communication Compliance
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Communication Compliance Admin, Communication Compliance Investigation

Communication Compliance Administrators
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Communication Compliance Admin

Compliance Administrator
  Description: Manage settings for device management, data loss prevention, reports, and preservation.
  Default roles assigned: Communication Compliance Admin, Insider Risk Management Admin

Compliance Management
  Description: Configure and manage compliance settings within the organization, including data loss prevention (DLP) if your subscription has DLP capabilities. Members of the Compliance Administrator role in Microsoft Entra ID automatically get the permissions of this role group.
  Default roles assigned: Audit Logs, Compliance Admin, Data Loss Prevention, Information Rights Management, Journaling, Message Tracking, Retention Management, Transport Rules, View-Only Audit Logs, View-Only Configuration, View-Only Recipients

Discovery Management
  Description: Perform searches of mailboxes in the Exchange organization for data that meets specific criteria.
  Default roles assigned: Legal Hold, Mailbox Search

Help Desk
  Description: View and manage mail users.
  Default roles assigned: Reset Password, User Options, View-Only Recipients

Hygiene Management
  Description: Manage protection features (anti-spam, anti-malware, etc.).
  Default roles assigned: Transport Hygiene, View-Only Configuration, View-Only Recipients

Information Protection
  Description: Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports.
  Default roles assigned: Information Protection Admin, Information Protection Investigator, Information Protection Reader

Information Protection Admins
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Information Protection Admin

Information Protection Analysts
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: None

Information Protection Investigators
  Description: Search the unified audit log.
  Default roles assigned: Information Protection Investigator

Information Protection Readers
  Description: Search the unified audit log and view the Mail Traffic and Mail Traffic Summary reports.
  Default roles assigned: Information Protection Reader

Insider Risk Management
  Description: Manage access control for insider risk management.
  Default roles assigned: Insider Risk Management Admin, Insider Risk Management Investigation

Insider Risk Management Admins
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Insider Risk Management Admin

Insider Risk Management Investigators
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Insider Risk Management Investigation

Organization Management
  Description: Admin access to the entire organization and the ability to perform almost any task. Members of the Global Administrator role in Microsoft Entra ID automatically get the permissions of this role group.
  Important: Because the Organization Management role group grants such broad permissions, only users who perform organization-level administrative tasks should be members of it.
  Default roles assigned: Audit Logs, Communication Compliance Admin, Communication Compliance Investigation, Compliance Admin, Data Loss Prevention, Distribution Groups, E-Mail Address Policies, Federated Sharing, Information Protection Admin, Information Protection Investigator, Information Protection Reader, Information Rights Management, Insider Risk Management Admin, Insider Risk Management Investigation, Journaling, Legal Hold, Mail Enabled Public Folders, Mail Recipient Creation, Mail Recipients, Mail Tips, Message Tracking, Migration, Move Mailboxes, Org Custom Apps, Org Marketplace Apps, Organization Client Access, Organization Configuration, Organization Transport Settings, Privacy Management Admin, Privacy Management Investigation, Public Folders, Recipient Policies, Remote and Accepted Domains, Reset Password, Retention Management, Role Management, Security Admin, Security Group Creation and Membership, Security Reader, TenantPlacesManagement, Transport Hygiene, Transport Rules, User Options, View-Only Audit Logs, View-Only Configuration, View-Only Recipients

Privacy Management
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Privacy Management Admin, Privacy Management Investigation

Privacy Management Administrators
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Privacy Management Admin

Privacy Management Investigators
  Description: Although this role group is available, it does nothing useful in standalone EOP.
  Default roles assigned: Privacy Management Investigation

Recipient Management
  Description: Create, manage, and remove recipient objects in the organization.
  Default roles assigned: Distribution Groups, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Move Mailboxes, Recipient Policies, Reset Password

Records Management
  Description: Configure compliance features, such as retention policy tags, message classifications, and mail flow rules (also known as transport rules).
  Default roles assigned: Audit Logs, Journaling, Message Tracking, Retention Management, Transport Rules

RIM-MailboxAdmins<GUID>
  Description: Not used.
  Default roles assigned: ApplicationImpersonation

Security Administrator
  Description: Configure all aspects of protection in the organization (anti-spam, anti-malware, anti-spoofing, quarantine, etc.). Members of the Security Administrator role in Microsoft Entra ID automatically get the permissions of this role group.
  Default roles assigned: Security Admin, SensitivityLabelAdministrator

Security Operator
  Description: Manage security alerts, and view reports and settings of security features. Members of the Security Operator role in Microsoft Entra ID automatically get the permissions of this role group.
  Default roles assigned: Tenant AllowBlockList Manager

Security Reader
  Description: View-only access to all aspects of protection in the organization (anti-spam, anti-malware, anti-spoofing, quarantine, etc.). Members of the Security Reader role in Microsoft Entra ID automatically get the permissions of this role group.
  Default roles assigned: Security Reader

TenantAdmins_<Number>
  Description: Membership in this role group is synchronized across services and managed centrally. This role group isn't assigned any roles, but it's a member of the Organization Management role group and inherits those permissions.
  Default roles assigned: None

View-Only Organization Management
  Description: View recipient, protection, and configuration objects and their properties in the organization.
  Default roles assigned: View-Only Configuration, View-Only Recipients

If you work in a small organization, you might only use the Organization Management role group. In larger organizations with admins who are responsible for specific tasks (for example, recipient configuration only), you might also use the Recipient Management role group. Admins can then manage their specific areas without permissions in areas that they're not responsible for.

If the built-in role groups in standalone EOP don't match the job functions of your admins, you can create custom role groups and add roles to them. For more information, see Manage role groups in standalone EOP.
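As an added example (not code from the original page or from Microsoft), the following creates a custom role group that gives mail-protection analysts exactly the three built-in roles they need and then verifies the result. The role group name and member addresses are hypothetical, and it assumes a session opened with Connect-ExchangeOnline.

```powershell
# Added example (not from the original page). Creates a narrowly scoped role group for
# analysts who tune anti-spam and anti-malware policies but should change nothing else.
# Role group name and member addresses are hypothetical.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # assumed admin account

$groupName = 'Mail Protection Analysts'   # hypothetical custom role group

# Only the built-in roles the job needs: edit protection policies, read everything else.
New-RoleGroup -Name $groupName `
    -Description 'Tune anti-spam and anti-malware policies; read-only access to other settings' `
    -Roles 'Transport Hygiene', 'View-Only Configuration', 'View-Only Recipients' `
    -Members 'alex@contoso.onmicrosoft.com'

# Later membership changes go through the role group, never by editing the roles.
Add-RoleGroupMember -Identity $groupName -Member 'sam@contoso.onmicrosoft.com'   # hypothetical member

# Verify what the group can do. The role list should match exactly what was requested;
# anything from $tooBroad showing up means the group is no longer least-privilege.
$assignedRoles = Get-ManagementRoleAssignment -RoleAssignee $groupName |
    ForEach-Object { "$($_.Role)" } |
    Sort-Object -Unique
$assignedRoles

$tooBroad = 'Role Management', 'Security Admin', 'Organization Configuration', 'Transport Rules'
$assignedRoles |
    Where-Object { $tooBroad -contains $_ } |
    ForEach-Object { Write-Warning "$groupName carries a broad role: $_" }

# Confirm that Transport Hygiene exposes the anti-spam policy cmdlets the analysts use.
Get-ManagementRoleEntry -Identity 'Transport Hygiene\*' |
    Where-Object { $_.Name -like '*HostedContentFilterPolicy' } |
    Select-Object Name
```

Keeping Transport Rules out of this group is deliberate: mail flow rules can redirect or copy mail, which is a different risk class from tuning spam thresholds, and belongs with Records Management or a separate custom group.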

Roles

The built-in roles that are available in standalone EOP are described in the following table.

Address Lists
  Description: Enables admins to manage address lists, global address lists, and offline address lists in an organization.
  Default role group assignments: None

Audit Logs
  Description: Search the administrator audit log and view the results.
  Default role group assignments: Compliance Management, Organization Management, Records Management

Communication Compliance Admin
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Communication Compliance, Communication Compliance Administrators, Compliance Administrator, Organization Management

Communication Compliance Investigation
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Organization Management

Compliance Admin
  Description: Lets people view and edit settings and reports for compliance features.
  Default role group assignments: Compliance Management, Organization Management

Data Loss Prevention
  Description: Enables admins to manage Data Loss Prevention (DLP) settings in the organization.
  Default role group assignments: Compliance Management, Organization Management

Distribution Groups
  Description: Create and manage all distribution groups, mail-enabled security groups, and their members.
  Default role group assignments: Organization Management, Recipient Management

E-Mail Address Policies
  Description: Enables admins to manage email address policies in an organization.
  Default role group assignments: Organization Management

Federated Sharing
  Description: Enables admins to manage cross-forest and cross-organization sharing in an organization.
  Default role group assignments: Organization Management

Information Protection Admin
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Information Protection, Information Protection Admins, Organization Management

Information Protection Investigator
  Description: Search the unified audit log.
  Default role group assignments: Information Protection, Information Protection Investigators, Organization Management

Information Protection Reader
  Description: Search the unified audit log and view the Mail Traffic and Mail Traffic Summary reports.
  Default role group assignments: Information Protection, Information Protection Readers, Organization Management

Information Rights Management
  Description: Manage the Information Rights Management (IRM) features of Exchange in an organization.
  Default role group assignments: Compliance Management, Organization Management

Insider Risk Management Admin
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Compliance Administrator, Insider Risk Management, Insider Risk Management Admins, Organization Management

Insider Risk Management Investigation
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Insider Risk Management, Insider Risk Management Investigators, Organization Management

Journaling
  Description: Enables admins to manage journaling configuration in an organization.
  Default role group assignments: Compliance Management, Organization Management, Records Management

Legal Hold
  Description: Enables admins to configure whether data within a mailbox should be retained for litigation purposes in an organization.
  Default role group assignments: Discovery Management, Organization Management

Mail Enabled Public Folders
  Description: Enables admins to configure whether individual public folders are mail-enabled or mail-disabled in an organization.
  Default role group assignments: Organization Management

Mail Recipient Creation
  Description: Create and remove mail users and mail contacts.
  Default role group assignments: Organization Management, Recipient Management

Mail Recipients
  Description: Modify existing mail users and mail contacts.
  Default role group assignments: Organization Management, Recipient Management

Mail Tips
  Description: Enables admins to manage MailTip settings in an organization.
  Default role group assignments: Organization Management

Mailbox Import Export
  Description: Enables admins to import and export mailbox content.
  Default role group assignments: Organization Management

Mailbox Search
  Description: Enables admins to search the content of one or more mailboxes in an organization.
  Default role group assignments: Discovery Management

Message Tracking
  Description: Enables admins to track messages in an organization.
  Default role group assignments: Compliance Management, Organization Management, Recipient Management, Records Management

Migration
  Description: Enables admins to migrate mailboxes and mailbox content into or out of an organization.
  Default role group assignments: Organization Management, Recipient Management

Move Mailboxes
  Description: Enables admins to move mailboxes.
  Default role group assignments: Organization Management, Recipient Management

Organization Client Access
  Description: Enables admins to manage Client Access settings in an organization.
  Default role group assignments: Organization Management

Organization Configuration
  Description: Enables admins to manage organization-wide settings.
  Default role group assignments: Organization Management

Organization Transport Settings
  Description: Enables admins to manage hybrid and organization-wide mail transport settings.
  Default role group assignments: Organization Management

Privacy Management Admin
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Organization Management, Privacy Management, Privacy Management Administrators

Privacy Management Investigation
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Organization Management, Privacy Management, Privacy Management Investigators

Public Folders
  Description: Enables admins to manage public folders in an organization.
  Default role group assignments: Organization Management

Recipient Policies
  Description: Enables admins to manage recipient policies (authentication policies, data encryption policies, mobile device mailbox policies, and Outlook on the web mailbox policies) in an organization.
  Default role group assignments: Organization Management, Recipient Management

Remote and Accepted Domains
  Description: Manage remote domains, accepted domains, and connectors.
  Default role group assignments: Organization Management

Reset Password
  Description: Enables admins to set room mailbox passwords.
  Default role group assignments: Help Desk, Organization Management, Recipient Management

Retention Management
  Description: Lets people manage retention policies.
  Default role group assignments: Compliance Management, Organization Management, Records Management

Role Management
  Description: Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes in an organization.
  Default role group assignments: Organization Management

Security Admin
  Description: Manage the configuration and reports for all security and protection features.
  Default role group assignments: Organization Management, Security Administrator

Security Group Creation and Membership
  Description: Create and manage mail-enabled security groups.
  Default role group assignments: Organization Management

Security Reader
  Description: View the configuration and reports for security and protection features.
  Default role group assignments: Organization Management, Security Reader

SensitivityLabelAdministrator
  Description: Lets people edit sensitivity label properties.
  Default role group assignments: Organization Management, Security Administrator

Tenant AllowBlockList Manager
  Description: Lets people manage the Tenant Allow/Block List.
  Default role group assignments: Organization Management, Security Operator

TenantPlacesManagement
  Description: Although this role is available, it does nothing useful in standalone EOP.
  Default role group assignments: Organization Management

Transport Hygiene
  Description: Manage anti-malware, anti-spam, and anti-spoofing features.
  Default role group assignments: Hygiene Management, Organization Management

Transport Rules
  Description: Create and manage mail flow rules (also known as transport rules).
  Default role group assignments: Compliance Management, Organization Management, Records Management

User Options
  Description: Enables admins to view the Outlook on the web options of users in the organization.
  Default role group assignments: Help Desk, Organization Management

View-Only Audit Logs
  Description: Search the administrator audit log and view the results.
  Default role group assignments: Compliance Management, Organization Management

View-Only Configuration
  Description: View all of the organization and mail flow (non-recipient) settings in the organization.
  Default role group assignments: Compliance Management, Hygiene Management, Organization Management, View-Only Organization Management

View-Only Recipients
  Description: View recipient properties and run message trace.
  Default role group assignments: Compliance Management, Help Desk, Hygiene Management, Organization Management, View-Only Organization Management

Note

  • Role names that start with the prefix 'My' (for example, MyContactInformation) are end-user roles. End-user roles are assigned to users in role assignment policies, which allow users to operate on objects they own (for example, their own account or distribution groups they created). For more information, see Role assignment policies in Exchange Online.
  • Role names that start or end with 'Application' are part of RBAC for Applications in Exchange Online. For more information, see Role Based Access Control for Applications in Exchange Online.

Microsoft 365 permissions in standalone EOP

When you create a user in the Microsoft 365 admin center, you can choose whether to assign various Microsoft Entra roles (for example, Global Administrator, Exchange Administrator, and Global Reader) to the user. Most of the Microsoft Entra roles grant administrative permissions in EOP to the user.

Note

The account you used to create your standalone EOP organization is automatically assigned to the Global Administrator role.

The following table lists the Microsoft Entra roles and the standalone EOP role groups that they correspond to. For more information about these roles, see About admin roles.

Microsoft Entra role                  EOP role group
Global Administrator                  Organization Management
Exchange Administrator                Organization Management
Global Reader                         View-Only Organization Management
Helpdesk Administrator                Help Desk
Service Support Administrator         None
SharePoint Administrator              None
Teams Administrator                   None
User Administrator                    Recipient Management
User Experience Success Manager       None

Note: The Global Administrator role and the Organization Management role group are tied together using a special Company Administrator role group. The Company Administrator role group is managed internally and can't be modified directly.

Users can be granted administrative rights in EOP without adding them to Microsoft Entra roles by adding the user as a member of an EOP role group. The user gets permissions in EOP, but they don't get permissions in other Microsoft 365 workloads. For instructions, see Use the EAC to manage role groups.
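Because EOP admin rights can be granted through a role group alone, an Entra-only review of admin roles misses those accounts. The following added example (not code from the original page or from Microsoft) cross-checks the mapped EOP role groups against the corresponding Microsoft Entra roles and reports direct role group members that hold no matching Entra role. It assumes the Exchange Online and Microsoft Graph PowerShell modules, the Graph scopes shown, a hypothetical admin account, and that each member's primary SMTP address equals its Entra user principal name (common, but not guaranteed).

```powershell
# Added example (not from the original page). Cross-checks EOP role group membership against
# Microsoft Entra role membership to surface accounts that hold EOP admin permissions only
# through a role group. Assumes the Exchange Online and Microsoft Graph PowerShell modules,
# the Graph scopes below, a hypothetical admin account, and that a member's primary SMTP
# address equals its Entra user principal name.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # assumed admin account
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Entra role -> EOP role group, as in the table above.
$roleMap = @{
    'Global Administrator'   = 'Organization Management'
    'Exchange Administrator' = 'Organization Management'
    'Global Reader'          = 'View-Only Organization Management'
    'Helpdesk Administrator' = 'Help Desk'
    'User Administrator'     = 'Recipient Management'
}

# UPNs of everyone holding one of those Entra roles. Get-MgDirectoryRole returns only roles
# that have been activated in the tenant, so a never-used role simply contributes nothing.
$activeRoles = Get-MgDirectoryRole
$entraAdmins = foreach ($entraRole in $roleMap.Keys) {
    $dirRole = $activeRoles | Where-Object { $_.DisplayName -eq $entraRole }
    if ($dirRole) {
        Get-MgDirectoryRoleMember -DirectoryRoleId $dirRole.Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
            Where-Object { $_ }
    }
}
$entraAdmins = @($entraAdmins | Sort-Object -Unique)

# Direct members of each mapped role group that are not covered by an Entra role.
# TenantAdmins_<Number> is the synchronized Entra membership and is skipped; a nested
# security group or role group has no SMTP address and is reported for manual expansion.
$findings = foreach ($rg in ($roleMap.Values | Sort-Object -Unique)) {
    Get-RoleGroupMember -Identity $rg -ResultSize Unlimited |
        Where-Object { $_.Name -notlike 'TenantAdmins_*' } |
        ForEach-Object {
            $address = "$($_.PrimarySmtpAddress)"
            if (-not $address) {
                [pscustomobject]@{ RoleGroup = $rg; Member = $_.Name; Finding = 'Nested group; expand and review' }
            }
            elseif ($entraAdmins -notcontains $address) {
                [pscustomobject]@{ RoleGroup = $rg; Member = $address; Finding = 'EOP-only admin (no matching Entra role)' }
            }
        }
}
$findings | Format-Table -AutoSize
```

An account flagged as EOP-only is not necessarily wrong (that is exactly how you scope an admin to EOP without wider Microsoft 365 rights), but it will not appear in Entra-based admin reports or be covered by Entra role-based Conditional Access, so each one should be a deliberate, documented decision.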