This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
The permissions required to perform tasks to manage Microsoft Exchange Online vary depending on the procedure being performed or the cmdlet you want to run.
To find out what permissions you need to perform the procedure or run the cmdlet, do the following:
In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.
Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see Understanding Role Based Access Control.
Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.
Note
You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.
If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.
You can use the features in the following table to manage your Exchange Online organization and recipients. Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information about these role groups, see Role groups.
| Feature | Permissions required |
|---|---|
| Anti-malware | Organization Management Hygiene Management |
| Anti-spam | Organization Management Hygiene Management |
| Arbitration | Organization Management |
| Client Access user settings | Organization Management |
| Data loss prevention (DLP) | Organization Management Compliance Management |
| Discovery mailboxes - Create | Organization Management Recipient Management |
| Distribution groups | Organization Management Recipient Management |
| Domains | Organization Management |
| Microsoft 365 or Office 365 connectors | Organization Management |
| In-Place eDiscovery | Discovery Management Note: By default, the Discovery Management role group doesn't have any members. No users, including admins, have the required permissions to search mailboxes. For more information, see Assign eDiscovery permissions in Exchange. |
| In-Place Hold | Discovery Management Organization Management Notes:
|
| Journal archiving | Organization Management Recipient Management |
| Journaling | Organization Management Records Management |
| Linked user | Organization Management Recipient Management |
| Mail flow | Organization Management |
| Mail flow rules | Organization Management |
| Mailbox settings | Organization Management Recipient Management |
| Message Encryption | Organization Management Compliance Management Records Management |
| Message trace | Organization Management Compliance Management Help Desk |
| Messaging records management | Compliance Management Organization Management Records Management |
| Mobile devices | Organization Management Recipient Management |
| Organization configuration | Organization Management |
| Outlook on thew web mailbox policies | Organization Management Recipient Management |
| Permissions and delegation | Organization Management |
| Public folders | Organization Management Public Folder Management Mail-enabled public folders require Recipient Management |
| POP3 and IMAP4 permissions | Organization Management |
| Quarantine | Organization Management Hygiene Management |
| Recipients | Organization Management Recipient Management |
| Retention policies | Organization Management Recipient Management Records Management |
| Role assignments | Organization Management |
| Supervision | Organization Management |
| Unified Messaging | Organization Management Unified Messaging Management |
| View-only administrator audit logging | Organization Management Records Management |
| View reports | Organization Management: Users have access to mailbox reports and mail protection reports. View-Only Organization Management: Users have access to mailbox reports. View-Only Recipients: Users have access to mail protection reports. Compliance Management: Users have access to mail protection reports and data loss prevention (DLP) reports (if their subscription has DLP capabilities). |
Note
To find the permissions that are required to run any Exchange Online cmdlet, see Find the permissions required to run any Exchange cmdlet.
Training
Module
Manage Exchange Online by using Windows PowerShell - Training
This module covers managing mailboxes, resources, and admin roles in Exchange Online with PowerShell.
Certification
Microsoft Certified: Information Protection and Compliance Administrator Associate - Certifications
Demonstrate the fundamentals of data security, lifecycle management, information security, and compliance to protect a Microsoft 365 deployment.
Documentation
Permissions in Exchange Online
Exchange Online in Microsoft 365 and Office 365 includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, which you can use right away to easily grant permissions to your admins and users. You can use the permissions features in Exchange Online so that you can get your new organization up and running quickly.
Admin can learn about the different recipient types in Exchange Online.
Role assignment policies in Exchange Online
Admins can learn about role assignment policies, and how to view, create, modify, remove, and assign them in Exchange Online.