Exchange Online · Compliance & Security
Records Management
Members can configure compliance features such as retention policy tags, message classifications, and mail flow rules for records purposes.
Scope: Email retention and records management
Permissions
- Audit Logs - Search administrator audit log
- Journaling - Configure journaling rules
- Message Tracking - Track message delivery
- Retention Management - Manage retention policies and tags
- Transport Rules - Create and manage mail flow rules
Common use cases
- Implementing email lifecycle management
- Configuring auto-archive policies
- Managing retention for regulatory compliance
- Setting up message journaling
Best practices
- Align with organizational retention schedules
- Use Microsoft Purview for unified retention across M365
- Document retention policy rationale with legal/compliance
- Test retention policies before broad deployment
Security considerations
- Retention policies can permanently delete content
- Journaling copies messages externally - protect journal recipients
- Audit log access reveals administrative actions
Common questions
When should I assign the Records Management role?
Assign Records Management when you need to: Implementing email lifecycle management; Configuring auto-archive policies; Managing retention for regulatory compliance; and Setting up message journaling. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Records Management role do?
The Records Management role grants permissions including: Audit Logs - Search administrator audit log; Journaling - Configure journaling rules; Message Tracking - Track message delivery; Retention Management - Manage retention policies and tags; and Transport Rules - Create and manage mail flow rules. See the Permissions section above for the full list.
What are the security risks of the Records Management role?
Key considerations when assigning Records Management: Retention policies can permanently delete content; Journaling copies messages externally - protect journal recipients; and Audit log access reveals administrative actions. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.