Exchange Online · Organization Management
Organization Management
Members have administrative access to the entire Exchange Online organization and can perform almost any task. This is the most powerful Exchange role group.
Scope: Organization-wide administrative access to entire Exchange Online organization
Permissions
- Audit Logs - Search and view audit logs
- Compliance Admin - Configure compliance settings
- Data Loss Prevention - Manage DLP policies
- Distribution Groups - Full group management
- E-Mail Address Policies - Manage email address policies
- Federated Sharing - Configure cross-org sharing
- Information Rights Management - IRM configuration
- Journaling - Configure message journaling
- Legal Hold - Place mailboxes on hold
- Mail Recipients - Create/modify all recipients
- Message Tracking - Track message delivery
- Migration - Mailbox migration operations
- Move Mailboxes - Move mailbox operations
- Public Folders - Manage mail-enabled public folders
- Remote and Accepted Domains - Domain management
- Retention Management - Configure retention policies
- Role Management - Manage role groups and assignments
- Security Admin - Security configuration and reports
- Transport Hygiene - Anti-spam/anti-malware settings
- Transport Rules - Create/manage mail flow rules
Common use cases
- Primary Exchange Online administrators
- Organizational-level administrative tasks
- Managing organization-wide email policies
- Configuring mail flow and security settings
- Small organizations with few admins
Best practices
- Only users performing organizational-level tasks should be members
- Use delegated role groups for specific functions instead
- Enable audit logging for all administrative actions
- Consider using Privileged Identity Management (PIM)
- Add to specific role groups rather than Organization Management when possible
Security considerations
- Can perform almost any task in Exchange Online
- Can access any mailbox through eDiscovery
- Can modify transport rules affecting all mail flow
- Can assign Exchange roles to any user
- Can configure organization-wide security settings
Common questions
When should I assign the Organization Management role?
Assign Organization Management when you need to: Primary Exchange Online administrators; Organizational-level administrative tasks; Managing organization-wide email policies; Configuring mail flow and security settings; and Small organizations with few admins. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Organization Management role do?
The Organization Management role grants permissions including: Audit Logs - Search and view audit logs; Compliance Admin - Configure compliance settings; Data Loss Prevention - Manage DLP policies; Distribution Groups - Full group management; E-Mail Address Policies - Manage email address policies; and Federated Sharing - Configure cross-org sharing. See the Permissions section above for the full list.
What are the security risks of the Organization Management role?
Key considerations when assigning Organization Management: Can perform almost any task in Exchange Online; Can access any mailbox through eDiscovery; Can modify transport rules affecting all mail flow; and Can assign Exchange roles to any user. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.