Microsoft Purview · Global & Security Roles

MailFlow Administrator

Members can monitor and view mail flow insights and reports in the Microsoft Defender portal. Read-focused role for understanding mail flow patterns, queues, and delivery issues without permission to modify transport configuration.

Scope: Read-only mail flow monitoring in the Microsoft Defender portal — does not include Exchange transport configuration

Permissions

  • View mail flow reports in Defender portal
  • Access mail flow insights and trends
  • View message tracking logs
  • Monitor queue health and delivery metrics
  • Access top sender/recipient analytics

Common use cases

  • Investigating mail delivery delays and queue buildup
  • Monitoring tenant-wide mail flow health
  • Identifying top senders/recipients for capacity planning
  • Diagnosing mail flow issues during incidents
  • Reporting on mail flow trends to leadership

Best practices

  • Pair with Exchange Administrator for staff who also need transport configuration
  • Use for help desk Tier 2/3 staff investigating mail delivery tickets
  • Coordinate with Security Operator role for security-related mail flow events
  • Combine reports with Quarantine Administrator data for full mail flow picture

Security considerations

  • Mail flow reports may reveal sender/recipient relationships — protect access
  • Message tracking logs include subject lines — privacy implications
  • Read-only — cannot modify mail flow rules or quarantine messages

Common questions

When should I assign the MailFlow Administrator role?

Assign MailFlow Administrator when you need to: Investigating mail delivery delays and queue buildup; Monitoring tenant-wide mail flow health; Identifying top senders/recipients for capacity planning; Diagnosing mail flow issues during incidents; and Reporting on mail flow trends to leadership. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the MailFlow Administrator role do?

The MailFlow Administrator role grants permissions including: View mail flow reports in Defender portal; Access mail flow insights and trends; View message tracking logs; Monitor queue health and delivery metrics; and Access top sender/recipient analytics. See the Permissions section above for the full list.

What are the security risks of the MailFlow Administrator role?

Key considerations when assigning MailFlow Administrator: Mail flow reports may reveal sender/recipient relationships — protect access; Message tracking logs include subject lines — privacy implications; and Read-only — cannot modify mail flow rules or quarantine messages. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →