Exchange Online RBAC Roles

Exchange Online RBAC roles for recipient management, mail flow, compliance, organisation management, and helpdesk operations.

18 roles across 6 categories.

Organization Management

Full administrative access to Exchange Online organization settings

  • Organization Management

    Members have administrative access to the entire Exchange Online organization and can perform almost any task. This is the most powerful Exchange role group.

  • Exchange Administrator

    Entra ID role that provides full administrative access to Exchange Online. Members are synchronized to the ExchangeServiceAdmins role group, which inherits Organization Management permissions.

  • Help Desk

    Members can view and manage the configuration for individual recipients and view recipients in the Exchange organization. Limited to settings that users can manage on their own mailbox.

Recipient Management

Manage mailboxes, mail users, contacts, and distribution groups

  • Recipient Management

    Members have administrative access to create or modify Exchange Online recipients within the organization. Ideal for delegated administration of mailboxes and groups.

  • Mail Recipients

    Manage existing mailboxes and recipient settings without the ability to create new mailboxes.

  • Distribution Groups

    Create and manage distribution groups and mail-enabled security groups.

  • Shared Mailboxes

    Create and manage shared mailboxes, resource mailboxes, and room mailboxes.

Mail Flow

Manage transport rules, connectors, and mail routing

  • Transport Rules

    Create and manage mail flow rules (transport rules) that apply conditions and actions to messages passing through the organization.

  • Connectors

    Manage mail flow connectors that control how email flows between Exchange Online and external systems including on-premises Exchange, partner organizations, and third-party services.

  • Remote and Accepted Domains

    Manage remote domains, accepted domains, and connectors that define valid email domains and how external domains are treated.

Compliance & Security

Manage compliance, eDiscovery, and security features in Exchange

  • Compliance Management

    Members can configure and manage compliance settings within Exchange in accordance with organizational policies. Covers DLP, retention, journaling, and IRM.

  • Discovery Management

    Members can perform searches of mailboxes for data that meets specific criteria and can configure legal holds on mailboxes. By default, this role group has no members.

  • Hygiene Management

    Members can manage Exchange anti-spam features, grant permissions for antivirus products to integrate with Exchange, and manage mail flow rules for hygiene purposes.

  • Records Management

    Members can configure compliance features such as retention policy tags, message classifications, and mail flow rules for records purposes.

Permissions & Delegation

Manage role assignments and delegation in Exchange

  • Role Management

    Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes. Core role for delegating Exchange administration.

  • Delegated Setup

    Allows limited administrative access for initial Exchange setup and configuration tasks.

View-Only & Reporting

Read-only access for monitoring and reporting