Microsoft Entra ID · M365 Workloads & Services

Exchange Administrator

Can manage all aspects of Exchange Online including mailboxes, groups, connectors, mail flow rules, and organization-wide settings.

Scope: Full Exchange Online administration including mail flow, policies, and mailbox management

Permissions

  • Manage Azure service health
  • Create and manage support tickets
  • Create Microsoft 365 groups
  • Delete Microsoft 365 groups
  • Update M365 group members
  • Update M365 group owners
  • Restore deleted M365 groups
  • Update M365 group properties
  • Read hidden group members
  • Full Exchange Online management
  • Read network performance
  • Manage service health
  • Create support tickets
  • Read usage reports
  • Read admin center properties
  • Manage mailboxes, distribution groups, and mail contacts
  • Configure transport rules and connectors
  • Manage organization sharing and external collaboration
  • Configure anti-spam and anti-malware policies

Common use cases

  • Exchange Online deployment and migration
  • Mailbox creation and management
  • Mail flow rule configuration
  • Connector setup for hybrid environments
  • Distribution group and shared mailbox management
  • Retention policy configuration
  • Email security policy management
  • Address book and global address list management
  • Public folder administration
  • Email signature and disclaimer policies
  • Journaling and compliance configuration
  • Mobile device mailbox policies

Best practices

  • Use separate accounts for Exchange administration
  • Test mail flow rules in audit mode first
  • Document connector configurations
  • Coordinate with Security Admin for email security
  • Use Exchange RBAC for delegated administration
  • Implement change management for transport rules
  • Monitor mail flow regularly
  • Use sensitivity labels for email classification
  • Configure audit logging for compliance
  • Review mailbox permissions periodically
  • Test disaster recovery procedures
  • Use PIM for elevated access
  • Coordinate with Compliance Admin for retention

Security considerations

  • Can read all mailbox content when necessary
  • Can configure mail flow affecting all users
  • Can manage email security policies
  • Can configure external mail routing
  • Can access audit logs for all mail activity
  • Can configure organization sharing with external tenants
  • Can manage mobile device access policies
  • Alert on connector and transport rule changes
  • Monitor for unauthorized mailbox access grants
  • Review external forwarding configurations

Common questions

When should I assign the Exchange Administrator role?

Assign Exchange Administrator when you need to: Exchange Online deployment and migration; Mailbox creation and management; Mail flow rule configuration; Connector setup for hybrid environments; and Distribution group and shared mailbox management. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Exchange Administrator role do?

The Exchange Administrator role grants permissions including: Manage Azure service health; Create and manage support tickets; Create Microsoft 365 groups; Delete Microsoft 365 groups; Update M365 group members; and Update M365 group owners. See the Permissions section above for the full list.

What are the security risks of the Exchange Administrator role?

Key considerations when assigning Exchange Administrator: Can read all mailbox content when necessary; Can configure mail flow affecting all users; Can manage email security policies; and Can configure external mail routing. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →