Exchange Online · Permissions & Delegation

Role Management

Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes. Core role for delegating Exchange administration.

Scope: Exchange RBAC configuration and delegation

Permissions

  • Create, modify, and delete role groups
  • Add and remove role group members
  • Create and manage role assignment policies
  • Modify management role entries and scopes
  • Delegate role assignments to others

Common use cases

  • Delegating Exchange administration to teams
  • Creating custom role groups with specific permissions
  • Managing role assignment policies for end users
  • Restricting role scope to specific organizational units

Best practices

  • Follow least privilege principle
  • Document custom role group purposes and membership
  • Review role assignments periodically
  • Use role scopes to limit administrative reach
  • Consider PIM for privileged role group membership

Security considerations

  • Can grant administrative access to any Exchange feature
  • Changes immediately affect organization security posture
  • Can elevate permissions for any user
  • Role Management role is only assigned to Organization Management by default

Common questions

When should I assign the Role Management role?

Assign Role Management when you need to: Delegating Exchange administration to teams; Creating custom role groups with specific permissions; Managing role assignment policies for end users; and Restricting role scope to specific organizational units. It is part of Exchange Online and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Role Management role do?

The Role Management role grants permissions including: Create, modify, and delete role groups; Add and remove role group members; Create and manage role assignment policies; Modify management role entries and scopes; and Delegate role assignments to others. See the Permissions section above for the full list.

What are the security risks of the Role Management role?

Key considerations when assigning Role Management: Can grant administrative access to any Exchange feature; Changes immediately affect organization security posture; Can elevate permissions for any user; and Role Management role is only assigned to Organization Management by default. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →