Exchange Online · Compliance & Security
Compliance Management
Members can configure and manage compliance settings within Exchange in accordance with organizational policies. Covers DLP, retention, journaling, and IRM.
Scope: Exchange Online compliance features
Permissions
- Audit Logs - Search administrator audit log and view results
- Compliance Admin - View and edit compliance feature settings
- Data Loss Prevention - Manage DLP policies for mail flow rules
- Information Rights Management - Configure IRM features
- Journaling - Configure journaling rules
- Message Tracking - Track messages in the organization
- Retention Management - Manage retention policies
- Transport Rules - Create and manage mail flow rules
- View-Only Audit Logs - Search and view audit logs
- View-Only Configuration - View organization settings
- View-Only Recipients - View recipient properties
Common use cases
- Implementing email retention policies
- Configuring DLP for Exchange mail flow
- Setting up journaling for compliance
- Managing Information Rights Management
Best practices
- Coordinate with Microsoft Purview administrators
- Document retention requirements with legal team
- Test policies before organization-wide deployment
- Use Purview for unified compliance management
Security considerations
- Can view audit logs and message tracking data
- Can configure journaling which copies emails externally
- DLP policies can block or redirect sensitive content
Common questions
When should I assign the Compliance Management role?
Assign Compliance Management when you need to: Implementing email retention policies; Configuring DLP for Exchange mail flow; Setting up journaling for compliance; and Managing Information Rights Management. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Compliance Management role do?
The Compliance Management role grants permissions including: Audit Logs - Search administrator audit log and view results; Compliance Admin - View and edit compliance feature settings; Data Loss Prevention - Manage DLP policies for mail flow rules; Information Rights Management - Configure IRM features; Journaling - Configure journaling rules; and Message Tracking - Track messages in the organization. See the Permissions section above for the full list.
What are the security risks of the Compliance Management role?
Key considerations when assigning Compliance Management: Can view audit logs and message tracking data; Can configure journaling which copies emails externally; and DLP policies can block or redirect sensitive content. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.