Exchange Online · Permissions & Delegation
Role Management
Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes. Core role for delegating Exchange administration.
Scope: Exchange RBAC configuration and delegation
Permissions
- Create, modify, and delete role groups
- Add and remove role group members
- Create and manage role assignment policies
- Modify management role entries and scopes
- Delegate role assignments to others
Common use cases
- Delegating Exchange administration to teams
- Creating custom role groups with specific permissions
- Managing role assignment policies for end users
- Restricting role scope to specific organizational units
Best practices
- Follow least privilege principle
- Document custom role group purposes and membership
- Review role assignments periodically
- Use role scopes to limit administrative reach
- Consider PIM for privileged role group membership
Security considerations
- Can grant administrative access to any Exchange feature
- Changes immediately affect organization security posture
- Can elevate permissions for any user
- Role Management role is only assigned to Organization Management by default