Exchange Online · Compliance & Security

Compliance Management

Members can configure and manage compliance settings within Exchange in accordance with organizational policies. Covers DLP, retention, journaling, and IRM.

Scope: Exchange Online compliance features

Permissions

  • Audit Logs - Search administrator audit log and view results
  • Compliance Admin - View and edit compliance feature settings
  • Data Loss Prevention - Manage DLP policies for mail flow rules
  • Information Rights Management - Configure IRM features
  • Journaling - Configure journaling rules
  • Message Tracking - Track messages in the organization
  • Retention Management - Manage retention policies
  • Transport Rules - Create and manage mail flow rules
  • View-Only Audit Logs - Search and view audit logs
  • View-Only Configuration - View organization settings
  • View-Only Recipients - View recipient properties

Common use cases

  • Implementing email retention policies
  • Configuring DLP for Exchange mail flow
  • Setting up journaling for compliance
  • Managing Information Rights Management

Best practices

  • Coordinate with Microsoft Purview administrators
  • Document retention requirements with legal team
  • Test policies before organization-wide deployment
  • Use Purview for unified compliance management

Security considerations

  • Can view audit logs and message tracking data
  • Can configure journaling which copies emails externally
  • DLP policies can block or redirect sensitive content

Common questions

When should I assign the Compliance Management role?

Assign Compliance Management when you need to: Implementing email retention policies; Configuring DLP for Exchange mail flow; Setting up journaling for compliance; and Managing Information Rights Management. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Compliance Management role do?

The Compliance Management role grants permissions including: Audit Logs - Search administrator audit log and view results; Compliance Admin - View and edit compliance feature settings; Data Loss Prevention - Manage DLP policies for mail flow rules; Information Rights Management - Configure IRM features; Journaling - Configure journaling rules; and Message Tracking - Track messages in the organization. See the Permissions section above for the full list.

What are the security risks of the Compliance Management role?

Key considerations when assigning Compliance Management: Can view audit logs and message tracking data; Can configure journaling which copies emails externally; and DLP policies can block or redirect sensitive content. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →