Exchange Online · Compliance & Security
Hygiene Management
Members can manage Exchange anti-spam features, grant permissions for antivirus products to integrate with Exchange, and manage mail flow rules for hygiene purposes.
Scope: Exchange Online Protection (EOP) settings
Permissions
- Transport Hygiene - Manage anti-malware, anti-spam, and anti-spoofing features
- View-Only Configuration - View organization and mail flow settings
- View-Only Recipients - View recipient properties
Common use cases
- Managing email security policies
- Configuring anti-spam and anti-malware settings
- Reviewing and releasing quarantined messages
- Third-party antivirus integration
Best practices
- Coordinate with Defender for Office 365 administrators
- Review quarantine regularly
- Use preset security policies as baseline
- Third-party products can use service accounts in this group
Security considerations
- Can modify protection settings affecting all mail flow
- Incorrect anti-spam settings can block legitimate mail
- Service accounts for third-party products may need this access
Common questions
When should I assign the Hygiene Management role?
Assign Hygiene Management when you need to: Managing email security policies; Configuring anti-spam and anti-malware settings; Reviewing and releasing quarantined messages; and Third-party antivirus integration. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Hygiene Management role do?
The Hygiene Management role grants permissions including: Transport Hygiene - Manage anti-malware, anti-spam, and anti-spoofing features; View-Only Configuration - View organization and mail flow settings; and View-Only Recipients - View recipient properties. See the Permissions section above for the full list.
What are the security risks of the Hygiene Management role?
Key considerations when assigning Hygiene Management: Can modify protection settings affecting all mail flow; Incorrect anti-spam settings can block legitimate mail; and Service accounts for third-party products may need this access. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.