Microsoft Purview · Global & Security Roles
MailFlow Administrator
Members can monitor and view mail flow insights and reports in the Microsoft Defender portal. Read-focused role for understanding mail flow patterns, queues, and delivery issues without permission to modify transport configuration.
Scope: Read-only mail flow monitoring in the Microsoft Defender portal — does not include Exchange transport configuration
Permissions
- View mail flow reports in Defender portal
- Access mail flow insights and trends
- View message tracking logs
- Monitor queue health and delivery metrics
- Access top sender/recipient analytics
Common use cases
- Investigating mail delivery delays and queue buildup
- Monitoring tenant-wide mail flow health
- Identifying top senders/recipients for capacity planning
- Diagnosing mail flow issues during incidents
- Reporting on mail flow trends to leadership
Best practices
- Pair with Exchange Administrator for staff who also need transport configuration
- Use for help desk Tier 2/3 staff investigating mail delivery tickets
- Coordinate with Security Operator role for security-related mail flow events
- Combine reports with Quarantine Administrator data for full mail flow picture
Security considerations
- Mail flow reports may reveal sender/recipient relationships — protect access
- Message tracking logs include subject lines — privacy implications
- Read-only — cannot modify mail flow rules or quarantine messages
Common questions
When should I assign the MailFlow Administrator role?
Assign MailFlow Administrator when you need to: Investigating mail delivery delays and queue buildup; Monitoring tenant-wide mail flow health; Identifying top senders/recipients for capacity planning; Diagnosing mail flow issues during incidents; and Reporting on mail flow trends to leadership. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the MailFlow Administrator role do?
The MailFlow Administrator role grants permissions including: View mail flow reports in Defender portal; Access mail flow insights and trends; View message tracking logs; Monitor queue health and delivery metrics; and Access top sender/recipient analytics. See the Permissions section above for the full list.
What are the security risks of the MailFlow Administrator role?
Key considerations when assigning MailFlow Administrator: Mail flow reports may reveal sender/recipient relationships — protect access; Message tracking logs include subject lines — privacy implications; and Read-only — cannot modify mail flow rules or quarantine messages. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.