Exchange Online · Mail Flow
Connector Management
Responsibility profile, not a standalone Exchange RBAC role. Connector cmdlets require an appropriate Exchange role group or equivalent custom management-role assignment.
Scope: Mail flow connectors for Office 365
Permissions
- Create inbound and outbound connectors
- Configure partner organization connectors
- Set up hybrid Exchange connectors
- Configure TLS and certificate settings
- Manage smart host routing
- Configure Enhanced Filtering for Connectors
Common use cases
- Hybrid Exchange configuration with on-premises
- Partner organization secure mail flow
- Third-party email security gateway integration
- Conditional mail routing scenarios
- Smart host configuration
Best practices
- Enforce TLS for sensitive communications
- Document connector configurations and purpose
- Test connectors before production use
- Use Enhanced Filtering if mail routes through a service first
- Validate certificates for TLS connectors
Security considerations
- Misconfigured connectors can expose mail flow to interception
- Can bypass security filtering if improperly configured
- Connectors without TLS send email in clear text
- Partner connectors require mutual trust verification
Common questions
When should I assign the Connector Management role?
Assign Connector Management when you need to: Hybrid Exchange configuration with on-premises; Partner organization secure mail flow; Third-party email security gateway integration; Conditional mail routing scenarios; and Smart host configuration. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Connector Management role do?
The Connector Management role grants permissions including: Create inbound and outbound connectors; Configure partner organization connectors; Set up hybrid Exchange connectors; Configure TLS and certificate settings; Manage smart host routing; and Configure Enhanced Filtering for Connectors. See the Permissions section above for the full list.
What are the security risks of the Connector Management role?
Key considerations when assigning Connector Management: Misconfigured connectors can expose mail flow to interception; Can bypass security filtering if improperly configured; Connectors without TLS send email in clear text; and Partner connectors require mutual trust verification. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.