Implement user roles for role assignment policies
An organization's Exchange environment includes built-in management role groups. It also includes default role assignment policies and built-in user roles for managing end-user activities within Exchange.
The following table identifies the built-in user roles that are available in RBAC to support an organization's Exchange environment.
Role | Assigned to Default Role Assignment Policy by default? | Description |
---|---|---|
My Custom Apps | Yes | Install custom apps. |
My Marketplace Apps | Yes | Install marketplace apps. |
My ReadWriteMailbox Apps | Yes | Install apps with ReadWriteMailbox permissions. |
MyBaseOptions | Yes | Required for users to access options in Outlook on the web from their own mailbox. |
MyContactInformation | Yes | Edit their address and telephone number in the global address list (GAL). This role contains the following child roles: • MyAddressInformation: Change all elements of their mailing address, work telephone number, and fax number. • MyMobileInformation: Change their mobile phone and pager numbers. • MyPersonalInformation: Change their home telephone number and web page. If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one or more of the child roles. |
MyDistributionGroupMembership | Yes | Join or leave existing distribution groups (if the group is configured to let members join or leave the group). |
MyDistributionGroups | Yes | Create new distribution groups, delete groups they own, modify groups they own, and manage group membership for groups they own. |
MyMailboxDelegation | No | Allows users to grant send on behalf of permissions to other users on their mailbox. Messages clearly show the sender in the From field (<Sender> on behalf of <Mailbox>), but replies are delivered to the mailbox, not the sender. |
MyMailSubscriptions | Yes | Connected accounts were removed from Outlook on the web in November 2018. |
MyProfileInformation | Yes | Edit their first name, middle initial, last name, and display name in the GAL. This role contains the following child roles: • MyDisplayName: Change their display name. • MyName: Change their first name, middle initial, last name and Notes property. If you think this role gives users too much power, you can remove the role from the role assignment policy, and assign one of the child roles. |
MyRetentionPolicies | Yes | Allows users to add personal tags that aren't part of their assigned retention policy. |
MyTeamMailboxes | Yes | Site mailboxes were discontinued in favor of Microsoft 365 groups in September 2017. |
MyTextMessaging | Yes | Enable text message notifications for meetings and new email messages. |
MyVoiceMail | Yes | Update their voice mail settings. |
You can use the EAC to assign default roles to a role assignment policy. To view all user roles available in your organization, you should run the following command in the Exchange Management Shell:
Get-ManagementRole | where { $_.IsEndUserRole -eq $true }
Knowledge check
Choose the best response for the following question. Then select Check your answers.