Organization Management

Members have administrative access to the entire Exchange Online organization and can perform almost any task. This is the most powerful Exchange role group.

Scope: Organization-wide administrative access to the entire Exchange Online organization

Permissions

  • Audit Logs - Search and view audit logs
  • Compliance Admin - Configure compliance settings
  • Data Loss Prevention - Manage DLP policies
  • Distribution Groups - Full group management
  • E-Mail Address Policies - Manage email address policies
  • Federated Sharing - Configure cross-org sharing
  • Information Rights Management - IRM configuration
  • Journaling - Configure message journaling
  • Legal Hold - Place mailboxes on hold
  • Mail Recipients - Create/modify all recipients
  • Message Tracking - Track message delivery
  • Migration - Mailbox migration operations
  • Move Mailboxes - Move mailbox operations
  • Public Folders - Manage mail-enabled public folders
  • Remote and Accepted Domains - Domain management
  • Retention Management - Configure retention policies
  • Role Management - Manage role groups and assignments
  • Security Admin - Security configuration and reports
  • Transport Hygiene - Anti-spam/anti-malware settings
  • Transport Rules - Create/manage mail flow rules

Common use cases

  • Primary Exchange Online administrators
  • Organizational-level administrative tasks
  • Managing organization-wide email policies
  • Configuring mail flow and security settings
  • Small organizations with few admins

Best practices

  • Only users performing organizational-level tasks should be members
  • Use delegated role groups for specific functions instead
  • Enable audit logging for all administrative actions
  • Consider using Privileged Identity Management (PIM)
  • Add users to specific role groups rather than Organization Management when possible

Security considerations

  • Can perform almost any task in Exchange Online
  • Can access any mailbox through eDiscovery
  • Can modify transport rules affecting all mail flow
  • Can assign Exchange roles to any user
  • Can configure organization-wide security settings
