Feature permissions in EOP

The permissions required to perform tasks to manage Microsoft Exchange Online Protection (EOP) vary depending on the feature you are managing.

To set up EOP, you must be an Office 365 Global Admin, or an Exchange Company Administrator (the Organization Management role group).

Exchange Online Protection permissions

To find out what permissions you need to manage EOP features, see the following table. If a feature lists more than one role group, you only need to be assigned one of the role groups to use the feature.

Feature Permissions required
Anti-malware
Organization Management
Hygiene Management
Anti-spam
Organization Management
Hygiene Management
Mail flow rules
Organization Management
Records Management
Domains
Organization Management
View-Only Organization Management
Advanced Threat Protection (ATP)
Organization Management
Hygiene Management
Office 365 connectors
Organization Management
Message trace
Organization Management
View-Only Organization Management
Organization configuration
Organization Management
Quarantine
Organization Management
View-Only Organization Management
Hygiene Management
Users, Contacts, and Role Groups
Organization Management
View-Only Organization Management
Hygiene Management
Distribution Groups and Security Groups
Organization Management
View-Only Organization Management
Hygiene Management
View reports
Organization Management - users have access to mail protection reports.
View-Only Recipients - users have access to mail protection reports.
Compliance Management - users have access to mail protection reports and Data Loss Prevention (DLP) reports (if their subscription has DLP capabilities).