Feature permissions in Exchange Online

The permissions required to perform tasks to manage Microsoft Exchange Online vary depending on the procedure being performed or the cmdlet you want to run.

For information about Exchange Online Protection (EOP) permissions, see Feature Permissions in EOP.

To find out what permissions you need to perform the procedure or run the cmdlet, do the following:

  1. In the table below, find the feature that is most related to the procedure you want to perform or the cmdlet you want to run.

  2. Next, look at the permissions required for the feature. You must be assigned one of those role groups, an equivalent custom role group, or an equivalent management role. You can also click on a role group to see its management roles. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature. For more information about role groups and management roles, see Understanding Role Based Access Control.

  3. Now, run the Get-ManagementRoleAssignment cmdlet to look at the role groups or management roles assigned to you to see if you have the permissions that are necessary to manage the feature.

    Note

    You must be assigned the Role Management management role to run the Get-ManagementRoleAssignment cmdlet. If you don't have permissions to run the Get-ManagementRoleAssignment cmdlet, ask your Exchange administrator to retrieve the role groups or management roles assigned to you.

If you want to delegate the ability to manage a feature to another user, see Delegate role assignments.

Exchange Online permissions

You can use the features in the following table to manage your Exchange Online organization and recipients. Users who are assigned the View-Only Management role group can view the configuration of the features in the following table. For more information, see View-only Organization Management.

Feature Permissions required
Anti-malware
Organization Management
Hygiene Management
Anti-spam
Organization Management
Hygiene Management
Data loss prevention
Organization Management
Compliance Management
Office 365 connectors
Organization Management
Journal archiving
Organization Management
Recipient Management
Linked user
Organization Management
Recipient Management
Mail flow
Organization Management
Microsoft Office 365 Message Encryption (OME)
Organization Management
Compliance Management
Records Management
Message trace
Organization Management
Compliance Management
Help Desk
Organization configuration
Organization Management
POP3 and IMAP4 permissions
Organization Management
Quarantine
Organization Management
Hygiene Management
Subscriptions
Organization Management
Recipient Management
Note: A user can create subscriptions in their own mailbox. An administrator can't create subscriptions in another user's mailbox, but they can modify or delete subscriptions in another user's mailbox.
Supervision
Organization Management
View reports
Organization Management - users have access to mailbox reports and mail protection reports.
View-Only Organization Management - users have access to mailbox reports.
View-Only Recipients - users have access to mail protection reports.
Compliance Management - users have access to mail protection reports and Data Loss Prevention (DLP) reports (if their subscription has DLP capabilities).