Exchange Online · Compliance & Security

Records Management

Members can configure compliance features such as retention policy tags, message classifications, and mail flow rules for records purposes.

Scope: Email retention and records management

Permissions

  • Audit Logs - Search administrator audit log
  • Journaling - Configure journaling rules
  • Message Tracking - Track message delivery
  • Retention Management - Manage retention policies and tags
  • Transport Rules - Create and manage mail flow rules

Common use cases

  • Implementing email lifecycle management
  • Configuring auto-archive policies
  • Managing retention for regulatory compliance
  • Setting up message journaling

Best practices

  • Align with organizational retention schedules
  • Use Microsoft Purview for unified retention across M365
  • Document retention policy rationale with legal/compliance
  • Test retention policies before broad deployment

Security considerations

  • Retention policies can permanently delete content
  • Journaling copies messages externally - protect journal recipients
  • Audit log access reveals administrative actions

Common questions

When should I assign the Records Management role?

Assign Records Management when you need to: Implementing email lifecycle management; Configuring auto-archive policies; Managing retention for regulatory compliance; and Setting up message journaling. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Records Management role do?

The Records Management role grants permissions including: Audit Logs - Search administrator audit log; Journaling - Configure journaling rules; Message Tracking - Track message delivery; Retention Management - Manage retention policies and tags; and Transport Rules - Create and manage mail flow rules. See the Permissions section above for the full list.

What are the security risks of the Records Management role?

Key considerations when assigning Records Management: Retention policies can permanently delete content; Journaling copies messages externally - protect journal recipients; and Audit log access reveals administrative actions. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →