Microsoft Exchange Online uses a Role Based Access Control (RBAC) model to allow organization administrators to finely control what users and IT employees can do in the service. For example, if a compliance officer is responsible for mailbox search requests, the administrator can delegate this administrative feature to the officer through RBAC. Exchange Online uses the same RBAC framework as Microsoft Exchange Server 2013.
At its highest level, RBAC is made up of management roles, management role groups, and management role assignment policies. The following sections provide more information about each RBAC component.
For more information about the RBAC permissions model that's used in Exchange Online, see Permissions.
In Exchange Online, the permissions that you grant to administrators and users are based on management roles. A role defines the set of tasks that an administrator or user can perform. For example, a management role called
Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution groups. When a role is assigned to an administrator or user, that person is granted the permissions provided by the role.
There are two types of roles, administrative roles and end-user roles:
Administrative roles These roles contain permissions that can be assigned to administrators or specialist users by using role groups that manage a part of the Exchange Online organization, such as recipients, servers, or databases.
End-user roles These roles, assigned by using role assignment policies, let users manage aspects of their own mailboxes and distribution groups that they own. End-user roles begin with the prefix
Roles give administrators and users permissions to perform tasks by making cmdlets available to those who are assigned the roles. Because the Exchange admin center (EAC) and Exchange Management Shell use cmdlets to manage Exchange Online, granting access to a cmdlet gives the administrator or user permission to perform the task in each of the Exchange Online management interfaces.
The role-based permissions for Microsoft Online Services overlap with those of Exchange Online RBAC in two ways. First, users who are Global Administrators or Service Administrators in Microsoft Online are automatically assigned to the Organization Management role group in Exchange Online. Second, users who are Help Desk Administrators in Microsoft Online are automatically assigned to the Help Desk role group in Exchange Online. Otherwise, the two security models are managed separately.
Some roles available in the on-premises version of Microsoft Exchange Server 2013 may not be available in Exchange Online.
For more information about permissions in Exchange Online, see Role-Based Permissions.
Management role groups associate management roles to a group of administrators or specialist users. Administrators manage a broad Exchange Online organization or recipient configuration. Specialist users manage the specific features of Exchange Online, such as compliance, or they may have limited management abilities, such as Help desk members, but aren't given broad administrative rights. Role groups typically associate administrative management roles that let administrators and specialist users manage the configuration of their organization and recipients. For example, whether administrators can manage recipients or use mailbox discovery features is controlled by using role groups.
Some role groups available in the on-premises version of Microsoft Exchange Server 2013 may not be available in Exchange Online.
For more information about role groups, see Role groups and role assignment policies.
Role assignment policies
Management role assignment policies associate end-user management roles to users. Role assignment policies consist of roles that control what users can do with their mailboxes or distribution groups. These roles don't allow management of features that aren't directly associated with the user. When you create a role assignment policy, you define everything a user can do with his or her mailbox. For example, a role assignment policy might allow a user to set the display name, set up voice mail, and configure Inbox rules. Another role assignment policy might allow a user to change the address, use text messaging, and set up distribution groups. Every user with an Exchange Online mailbox, including administrators, is given a role assignment policy by default. You can decide which role assignment policy should be assigned by default, choose what the default role assignment policy should include, override the default for certain mailboxes, or not assign any role assignment policies by default.
Some role assignments available in the on-premises version of Microsoft Exchange Server 2013 may not be available in Exchange Online.
For more information about role assignment policies, see Role groups and role assignment policies.
To view feature availability across plans, standalone options, and on-premises solutions, see Exchange Online service description.