Microsoft Entra ID · M365 Workloads & Services

Exchange Administrator

Can manage all aspects of Exchange Online including mailboxes, groups, connectors, mail flow rules, and organization-wide settings.

Scope: Full Exchange Online administration including mail flow, policies, and mailbox management

Permissions

  • Manage Azure service health
  • Create and manage support tickets
  • Create Microsoft 365 groups
  • Delete Microsoft 365 groups
  • Update M365 group members
  • Update M365 group owners
  • Restore deleted M365 groups
  • Update M365 group properties
  • Read hidden group members
  • Full Exchange Online management
  • Read network performance
  • Manage service health
  • Create support tickets
  • Read usage reports
  • Read admin center properties
  • Manage mailboxes, distribution groups, and mail contacts
  • Configure transport rules and connectors
  • Manage organization sharing and external collaboration
  • Configure anti-spam and anti-malware policies

Common use cases

  • Exchange Online deployment and migration
  • Mailbox creation and management
  • Mail flow rule configuration
  • Connector setup for hybrid environments
  • Distribution group and shared mailbox management
  • Retention policy configuration
  • Email security policy management
  • Address book and global address list management
  • Public folder administration
  • Email signature and disclaimer policies
  • Journaling and compliance configuration
  • Mobile device mailbox policies

Best practices

  • Use separate accounts for Exchange administration
  • Test mail flow rules in audit mode first
  • Document connector configurations
  • Coordinate with Security Admin for email security
  • Use Exchange RBAC for delegated administration
  • Implement change management for transport rules
  • Monitor mail flow regularly
  • Use sensitivity labels for email classification
  • Configure audit logging for compliance
  • Review mailbox permissions periodically
  • Test disaster recovery procedures
  • Use PIM for elevated access
  • Coordinate with Compliance Admin for retention

Security considerations

  • Can read all mailbox content when necessary
  • Can configure mail flow affecting all users
  • Can manage email security policies
  • Can configure external mail routing
  • Can access audit logs for all mail activity
  • Can configure organization sharing with external tenants
  • Can manage mobile device access policies
  • Alert on connector and transport rule changes
  • Monitor for unauthorized mailbox access grants
  • Review external forwarding configurations
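
The last three items above, expressed as a triage pass over exported Exchange admin audit records. This is an added example, not code from Microsoft or RBACMap. It assumes records shaped like the unified audit log's AuditData JSON (Operation, UserId, CreationTime, Parameters); the function names, the contoso.example tenant and the sample records are constructed for illustration.

```python
# Cmdlet names as recorded in the Operation field of Exchange admin audit records.
MAIL_FLOW_OPS = {f"{verb}-{noun}" for verb in ("New", "Set", "Remove")
                 for noun in ("TransportRule", "InboundConnector", "OutboundConnector")}
MAIL_FLOW_OPS |= {"Enable-TransportRule", "Disable-TransportRule"}
ACCESS_OPS = {"Add-MailboxPermission", "Add-RecipientPermission", "Add-MailboxFolderPermission"}
FORWARD_OPS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress",
                  "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def is_external(value, internal_domains):
    """True if any SMTP address in a parameter value is outside our (lowercase) domains."""
    for addr in value.replace(",", ";").split(";"):
        addr = addr.strip().strip('"').lower()
        addr = addr[5:] if addr.startswith("smtp:") else addr
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            return True
    return False

def triage(records, internal_domains):
    """Return (time, actor, operation, finding) for each change that needs a review."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        params = {p["Name"]: str(p.get("Value", "")) for p in rec.get("Parameters", [])}
        tag = None
        if op in MAIL_FLOW_OPS:
            tag = "mail-flow-change"
        elif op in ACCESS_OPS:
            tag = "mailbox-access-grant"
        elif op in FORWARD_OPS:
            targets = [params[n] for n in FORWARD_PARAMS if params.get(n)]
            if any(is_external(t, internal_domains) for t in targets):
                tag = "external-forwarding"
            elif targets:
                tag = "internal-forwarding"
        if tag:
            findings.append((rec.get("CreationTime"), rec.get("UserId"), op, tag))
    return findings

# Constructed sample records, not real audit data; contoso.example is a placeholder tenant.
SAMPLE = [
    {"CreationTime": "2024-05-01T09:12:00", "UserId": "admin1@contoso.example",
     "Operation": "New-TransportRule", "Parameters": [{"Name": "Name", "Value": "r1"}]},
    {"CreationTime": "2024-05-01T09:20:00", "UserId": "admin1@contoso.example",
     "Operation": "Add-MailboxPermission", "Parameters": [{"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2024-05-01T09:31:00", "UserId": "admin1@contoso.example",
     "Operation": "Set-Mailbox", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:a@mail.example"}]},
    {"CreationTime": "2024-05-01T11:00:00", "UserId": "admin2@contoso.example",
     "Operation": "Set-Mailbox", "Parameters": [{"Name": "Identity", "Value": "bob"}]},
]
```

Calling `triage(SAMPLE, {"contoso.example"})` returns one finding for each of the first three records and nothing for the last, which sets no forwarding parameter.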
