Built-in RBAC Roles for Exchange Online

Applies to: Office 365 for professionals and small businesses, Office 365 for enterprises, Live@edu

There are several built-in management roles, also called RBAC roles or simply roles. They're divided into two types by user:

  • Built-in end-user roles
  • Built-in administrator roles

This topic describes what each role can do and also explains how to do the following:

  • View details about roles
  • View all roles
  • View end-user roles only
  • View administrator roles only
  • View all the cmdlets and parameters that are defined for a role

Built-in end-user roles

Here are the end-user roles and a quick description of what each role can do.

Note   In Live@edu organizations, the role names correspond to the mailbox plan in which they're used. For example, there are two MyDistributionGroups roles: MyDistributionGroups_DefaultMailboxPlan and MyDistributionGroups_GalDisabledMailboxPlan.

Role name

What users can do

MyBaseOptions

Required for users to access Outlook Web App > Options from their own mailbox.

MyContactInformation

In Outlook Web App > Options > Account > My Account, edit their address and telephone number in the shared address book.

MyContactInformation has the following child roles:

  • MyAddressInformation   Change all elements of their mailing address, work telephone number, and fax number.
  • MyMobileInformation   Change their mobile phone and pager numbers.
  • MyPersonalInformation   Change their home telephone number and Web page.

MyDistributionGroupMembership

In Outlook Web App > Options > Groups, join or leave existing distribution groups.

MyDistributionGroups

In Outlook Web App > Options > Groups, create new distribution groups, delete groups they own, modify groups they own, and manage group membership for groups they own.

MyMailSubscriptions

In Outlook Web App > Options > Account > Connected Accounts, create POP, IMAP, or Hotmail subscriptions to external mailboxes.

MyProfileInformation

In Outlook Web App > Options > Account, edit their first name, middle initial, last name, and display name in the shared address book.

MyProfileInformation has the following child roles:

  • MyDisplayName   Change their display name.
  • MyName   Change their first name, middle initial, last name and Notes field.

MyRetentionPolicies

Manage their retention policies in Outlook Web App > Options > Organize E-mail > Retention Policies.

Note   This feature isn't available to all organizations.

MyTextMessaging

In Outlook Web App > Options > Phone > Text Messaging, configure their text messaging settings.

Note   This feature isn't available to all organizations.

MyVoiceMail

In Outlook Web App > Options > Phone > Voice Mail, update their voice mail settings.

Note   This feature isn't available to all organizations.

Built-in administrator roles

Here are the administrator roles, a quick description of what each role can do, and the role groups that have the role assigned to them by default.

Note   Not all roles exist in all cloud-based organizations. Also, the inclusion of a role here doesn't mean your cloud-based organization has the functionality implied by the role. Some roles exist but aren't applicable to your cloud-based organization because of your enrollment type.

Role name

What users can do

Role groups this role is assigned to by default

ApplicationImpersonation

Run Exchange Management Web Services. Exchange Management Web Services allow programmatic access to cloud-based mailboxes.

None

Audit Logs

Manage the logs generated by audit logging.

  • Organization Management
  • Records Management

Distribution Groups

Manage distribution groups and dynamic distribution groups in the shared address book.

  • Organization Management
  • Recipient Management

Federated Sharing

Manage federated sharing relationships between different organizations.

Organization Management

GALSynchronizationManagement

Used in Outlook Live Directory Sync (OLSync) environments, formerly known as OLSync 2010 environments.

Note   This role only exists in Live@edu organizations.

Organization Management

Information Rights Management

Configure the cloud-based service to work with an on-premises deployment of Active Directory Rights Management Services (AD RMS) on Windows Server 2008.

Organization Management

Journaling

Manage journal rules in an organization.

  • Organization Management
  • Records Management

Legal Hold

Configure mailbox data to be retained for litigation purposes in an organization.

  • Discovery Management
  • Organization Management

Mail Recipient Creation

Create, modify, and delete mailboxes, mail contacts, and mail users.

  • Organization Management
  • Recipient Management

Mail Recipients

Modify the settings of existing mailboxes, mail contacts, and mail users.

  • Organization Management
  • Recipient Management

Mail Tips

Configure the organization-wide MailTips settings.

Organization Management

Mailbox Import Export

Export the contents of a mailbox to a folder in another mailbox.

Note   In the cloud-based service, you can't export the mailbox to a Personal Folder file (.pst).

None

Mailbox Search

Search the mailboxes in the organization for messages that contain specific keywords.

Discovery Management

Message Tracking

Use Delivery Reports for administrators. Delivery Reports tracks delivery information about messages sent by or received from any specific mailbox in your organization.

  • Organization Management
  • Recipient Management
  • Records Management

Migration

Use IMAP mail migration to migrate the contents of users' mailboxes from an IMAP messaging system to the cloud-based account.

  • Organization Management
  • Recipient Management

Move Mailboxes

Move mailboxes in federated sharing environments.

  • Organization Management
  • Recipient Management

Organization Client Access

Configure organization-wide Exchange ActiveSync policies and rules.

Organization Management

Organization Configuration

Manage organization-wide settings, including the Exchange ActiveSync organization settings.

Organization Management

Organization Transport Settings

Manage organization-wide transport settings, including delivery status notification (DSN) settings.

Organization Management

Recipient Policies

Manage recipient policies, for example, Exchange ActiveSync mailbox policies and Outlook Web App mailbox policies.

  • Organization Management
  • Recipient Management

Remote and Accepted Domains

Manage remote domains and accepted domains.

Organization Management

Reset Password

Reset passwords for existing mailboxes and mail users.

  • Help Desk
  • Organization Management
  • Recipient Management

Retention Management

Manage e-mail retention settings in mailboxes.

  • Organization Management
  • Records Management

Role Management

Manage RBAC roles.

Organization Management

Security Group Creation and Membership

Create, delete, and modify security groups.

Organization Management

Supervision

Enable, disable, and configure the bad words supervision policy, the closed campus supervision policy, and the anti-bullying supervision policy.

Note   This role exists in Live@edu organizations only.

Organization Management

Transport Rules

Manage transport rules, also known as organization-wide rules.

  • Organization Management
  • Records Management

UM Mailboxes

Manage Unified Messaging settings of mailboxes and other recipients.

Note   This role doesn't exist in Live@edu organizations.

  • Organization Management
  • UM Management

UM Prompts

Manage customized Unified Messaging voice prompts in an organization.

Note   This role doesn't exist in Live@edu organizations.

  • Organization Management
  • UM Management

Unified Messaging

Manage organization-wide Unified Messaging features.

Note   This role doesn't exist in Live@edu organizations.

  • Organization Management
  • UM Management

User Options

View and configure other users' mailbox settings in Outlook Web App > Options for troubleshooting purposes.

  • Help Desk
  • Organization Management

View-Only Audit Logs

View the logs generated by audit logging.

  • Organization Management

View-Only Configuration

View organization-wide configuration settings.

  • Organization Management
  • View-Only Organization Management

View-Only Recipients

View user and group object properties.

  • Help Desk
  • Organization Management
  • View-Only Organization Management

View details about roles

You can use Windows PowerShell to view detailed information about roles.

To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.

View all roles

Run the following command:

Get-ManagementRole

View end-user roles only

Run the following command:

Get-ManagementRole | Where {$_.IsEndUserRole -eq $true}

View administrator roles only

Run the following command:

Get-ManagementRole | Where {$_.IsEndUserRole -eq $false}

View all the cmdlets and parameters that are defined for a role

To really understand the capabilities of a role, you need to know the cmdlets and parameters that are defined for the role. To get the details, run the following command:

Get-ManagementRoleEntry <role name>\* | ConvertTo-HTML > <path and file name>.htm

For example, to list the properties of the Mail Recipients role and direct the output of the command to the file C:\My Documents\MailRecipients.htm, run the following command:

Get-ManagementRoleEntry "Mail Recipients\*" | ConvertTo-HTML > "C:\My Documents\MailRecipients.htm"

To see the results, open the MailRecipients.htm file in a Web browser.

Note   The Name and Parameters columns in the HTML file are the most interesting.
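
The HTML listing can be long, so for a least-privilege review it helps to reduce a role's entries to which cmdlets change state and how many parameters each one exposes. The following is an added example, not part of the original topic: Get-RoleEntrySummary is a hypothetical helper name, the read-only verb list is an assumption, and the sample entries are constructed rather than taken from a real role.

```powershell
# Added example. Get-RoleEntrySummary is a hypothetical helper, not an Exchange cmdlet.
function Get-RoleEntrySummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Entry,

        # Assumption: only these verbs are treated as read-only; adjust to your policy.
        [string[]]$ReadOnlyVerbs = @('Get', 'Test')
    )
    begin { $rows = @() }
    process {
        # Role entry names are cmdlet names (Verb-Noun); split on the first hyphen only.
        $verb = ($Entry.Name -split '-', 2)[0]
        $rows += [pscustomobject]@{
            Role       = [string]$Entry.Role
            Cmdlet     = $Entry.Name
            Verb       = $verb
            ReadOnly   = $ReadOnlyVerbs -contains $verb
            ParamCount = @($Entry.Parameters).Count
        }
    }
    end {
        # State-changing cmdlets (ReadOnly = False) sort first so they are reviewed first.
        $rows | Sort-Object ReadOnly, Verb, Cmdlet
    }
}

# Constructed sample entries shaped like Get-ManagementRoleEntry output
# (Role, Name, Parameters). They are not the real contents of any role.
$sample = @(
    [pscustomobject]@{ Role = 'Sample Role'; Name = 'Get-Mailbox';    Parameters = @('Identity', 'ResultSize') }
    [pscustomobject]@{ Role = 'Sample Role'; Name = 'Set-Mailbox';    Parameters = @('Identity', 'DisplayName', 'ForwardingSmtpAddress') }
    [pscustomobject]@{ Role = 'Sample Role'; Name = 'Remove-Mailbox'; Parameters = @('Identity') }
    [pscustomobject]@{ Role = 'Sample Role'; Name = 'Test-MAPIConnectivity'; Parameters = @('Identity') }
)

$sample | Get-RoleEntrySummary | Format-Table -AutoSize

# Per-verb totals give a quick picture of how much the role can change.
$sample | Get-RoleEntrySummary | Group-Object Verb | Select-Object Name, Count

# Against the service, pipe the page's own command into the helper instead:
# Get-ManagementRoleEntry "Mail Recipients\*" | Get-RoleEntrySummary
```

Running the same summary for a view-only role and its read-write counterpart shows quickly whether a delegated role grants more than the task needs.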