Exchange Online · Mail Flow

Connector Management

Responsibility profile, not a standalone Exchange RBAC role. Connector cmdlets require an appropriate Exchange role group or equivalent custom management-role assignment.

Scope: Mail flow connectors for Office 365

Permissions

  • Create inbound and outbound connectors
  • Configure partner organization connectors
  • Set up hybrid Exchange connectors
  • Configure TLS and certificate settings
  • Manage smart host routing
  • Configure Enhanced Filtering for Connectors

Common use cases

  • Hybrid Exchange configuration with on-premises
  • Partner organization secure mail flow
  • Third-party email security gateway integration
  • Conditional mail routing scenarios
  • Smart host configuration

Best practices

  • Enforce TLS for sensitive communications
  • Document connector configurations and purpose
  • Test connectors before production use
  • Use Enhanced Filtering if mail routes through a service first
  • Validate certificates for TLS connectors

Security considerations

  • Misconfigured connectors can expose mail flow to interception
  • Can bypass security filtering if improperly configured
  • Connectors without TLS send email in clear text
  • Partner connectors require mutual trust verification

Common questions

When should I assign the Connector Management role?

Assign Connector Management when you need to: Hybrid Exchange configuration with on-premises; Partner organization secure mail flow; Third-party email security gateway integration; Conditional mail routing scenarios; and Smart host configuration. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Connector Management role do?

The Connector Management role grants permissions including: Create inbound and outbound connectors; Configure partner organization connectors; Set up hybrid Exchange connectors; Configure TLS and certificate settings; Manage smart host routing; and Configure Enhanced Filtering for Connectors. See the Permissions section above for the full list.

What are the security risks of the Connector Management role?

Key considerations when assigning Connector Management: Misconfigured connectors can expose mail flow to interception; Can bypass security filtering if improperly configured; Connectors without TLS send email in clear text; and Partner connectors require mutual trust verification. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →