Exchange Online · Permissions & Delegation
Role Management
Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes. Core role for delegating Exchange administration.
Scope: Exchange RBAC configuration and delegation
Permissions
- Create, modify, and delete role groups
- Add and remove role group members
- Create and manage role assignment policies
- Modify management role entries and scopes
- Delegate role assignments to others
Common use cases
- Delegating Exchange administration to teams
- Creating custom role groups with specific permissions
- Managing role assignment policies for end users
- Restricting role scope to specific organizational units
Best practices
- Follow least privilege principle
- Document custom role group purposes and membership
- Review role assignments periodically
- Use role scopes to limit administrative reach
- Consider PIM for privileged role group membership
Security considerations
- Can grant administrative access to any Exchange feature
- Changes immediately affect organization security posture
- Can elevate permissions for any user
- Role Management role is only assigned to Organization Management by default
Common questions
When should I assign the Role Management role?
Assign Role Management when you need to: Delegating Exchange administration to teams; Creating custom role groups with specific permissions; Managing role assignment policies for end users; and Restricting role scope to specific organizational units. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Role Management role do?
The Role Management role grants permissions including: Create, modify, and delete role groups; Add and remove role group members; Create and manage role assignment policies; Modify management role entries and scopes; and Delegate role assignments to others. See the Permissions section above for the full list.
What are the security risks of the Role Management role?
Key considerations when assigning Role Management: Can grant administrative access to any Exchange feature; Changes immediately affect organization security posture; Can elevate permissions for any user; and Role Management role is only assigned to Organization Management by default. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.