Exchange Online · Compliance & Security

Hygiene Management

Members can manage Exchange anti-spam features, grant permissions for antivirus products to integrate with Exchange, and manage mail flow rules for hygiene purposes.

Scope: Exchange Online Protection (EOP) settings

Permissions

  • Transport Hygiene - Manage anti-malware, anti-spam, and anti-spoofing features
  • View-Only Configuration - View organization and mail flow settings
  • View-Only Recipients - View recipient properties

Common use cases

  • Managing email security policies
  • Configuring anti-spam and anti-malware settings
  • Reviewing and releasing quarantined messages
  • Third-party antivirus integration

Best practices

  • Coordinate with Defender for Office 365 administrators
  • Review quarantine regularly
  • Use preset security policies as baseline
  • Third-party products can use service accounts in this group

Security considerations

  • Can modify protection settings affecting all mail flow
  • Incorrect anti-spam settings can block legitimate mail
  • Service accounts for third-party products may need this access

Common questions

When should I assign the Hygiene Management role?

Assign Hygiene Management when you need to: Managing email security policies; Configuring anti-spam and anti-malware settings; Reviewing and releasing quarantined messages; and Third-party antivirus integration. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Hygiene Management role do?

The Hygiene Management role grants permissions including: Transport Hygiene - Manage anti-malware, anti-spam, and anti-spoofing features; View-Only Configuration - View organization and mail flow settings; and View-Only Recipients - View recipient properties. See the Permissions section above for the full list.

What are the security risks of the Hygiene Management role?

Key considerations when assigning Hygiene Management: Can modify protection settings affecting all mail flow; Incorrect anti-spam settings can block legitimate mail; and Service accounts for third-party products may need this access. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →