Exchange Online · Organization Management
Exchange Administrator
Entra ID role that provides full administrative access to Exchange Online. Members are synchronized to the ExchangeServiceAdmins role group which inherits Organization Management permissions.
Scope: Organization-wide Exchange Online administration via Entra ID
Permissions
- Inherits all Organization Management role group permissions
- Manage all aspects of Exchange Online
- Create and manage mailboxes and groups
- Configure mail flow policies
- Manage Exchange Online protection settings
- View and manage Exchange reports
- Configure compliance and retention settings
Common use cases
- Dedicated Exchange Online management
- Hybrid Exchange environment administration
- Email policy and compliance management
- Preferred over Global Admin for Exchange-only tasks
Best practices
- Use instead of Global Admin for Exchange-specific tasks
- Enable PIM for just-in-time access
- Assign in Microsoft 365 admin center or Entra ID
- Cannot be managed directly in Exchange admin center
Security considerations
- Can access all mailbox content through eDiscovery
- Can impersonate any mailbox
- Can modify all mail flow rules
- Membership synchronized automatically - cannot edit in Exchange
Common questions
When should I assign the Exchange Administrator role?
Assign Exchange Administrator when you need to: Dedicated Exchange Online management; Hybrid Exchange environment administration; Email policy and compliance management; and Preferred over Global Admin for Exchange-only tasks. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Exchange Administrator role do?
The Exchange Administrator role grants permissions including: Inherits all Organization Management role group permissions; Manage all aspects of Exchange Online; Create and manage mailboxes and groups; Configure mail flow policies; Manage Exchange Online protection settings; and View and manage Exchange reports. See the Permissions section above for the full list.
What are the security risks of the Exchange Administrator role?
Key considerations when assigning Exchange Administrator: Can access all mailbox content through eDiscovery; Can impersonate any mailbox; Can modify all mail flow rules; and Membership synchronized automatically - cannot edit in Exchange. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.