Permissions in standalone EOP
A standalone Exchange Online Protection (EOP) organization (one without Exchange Online mailboxes) uses the Role Based Access Control (RBAC) permissions model to grant permissions to admins. You can use the permission features in standalone EOP to get your new organization up and running quickly.
To grant permissions to users, see Manage admin role groups in EOP.
For more information about permissions across Microsoft 365, see About admin roles.
Role-based permissions
The admin permissions that you grant to users are based on management roles. A management role defines the cmdlets that are available for a given set of tasks. The Exchange admin center (EAC) and standalone EOP PowerShell both use cmdlets, so granting access to a cmdlet gives users permission to do those tasks in the EAC or in standalone EOP PowerShell. For example, the Mail Recipients role defines the cmdlets that are required to modify mail users.
Role groups
To make it easier to assign roles to users, standalone EOP uses role groups. Management roles are assigned to role groups, and the role group members get the permissions that are associated with those roles. In other words, management roles aren't directly assigned to users; they're assigned to role groups. This model allows you to assign many roles to many role group members at once. Role group members can be mail users, mail-enabled security groups, users from the Microsoft 365 admin center, and other role groups.
The following figure shows the relationship between users, role groups, and roles.
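The chain described above (cmdlet, management role, role group, member) can be walked in the other direction to answer the question an auditor usually asks: who in the organization can run a given cmdlet? The following is an added example, not code from the Microsoft page, and the two function names are its own. It assumes an existing standalone EOP PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module) opened by an account that holds the View-Only Configuration role, and it expands nested role groups because role group members can themselves be role groups.

```powershell
# Added example (not code from the Microsoft page): trace a cmdlet back through the RBAC
# chain: cmdlet -> management role(s) -> role group(s) -> members.
# Assumes an existing standalone EOP PowerShell session (Connect-ExchangeOnline) run by an
# account that holds the View-Only Configuration role. The function names are this
# example's own, not Microsoft cmdlets.

function Expand-EopRoleGroupMembers {
    # Role group members can themselves be role groups, so expand nesting recursively
    # and report the path of groups a member was reached through.
    param(
        [Parameter(Mandatory)] [string]$RoleGroup,
        [string]$Via = $RoleGroup,
        [System.Collections.Generic.HashSet[string]]$Seen = [System.Collections.Generic.HashSet[string]]::new()
    )
    if (-not $Seen.Add($RoleGroup)) { return }   # guard against membership cycles

    foreach ($member in Get-RoleGroupMember -Identity $RoleGroup) {
        if ($member.RecipientTypeDetails -eq 'RoleGroup') {
            Expand-EopRoleGroupMembers -RoleGroup ([string]$member.Name) -Via "$Via > $($member.Name)" -Seen $Seen
        } else {
            [pscustomobject]@{ Member = $member.Name; MemberType = $member.RecipientTypeDetails; Via = $Via }
        }
    }
}

function Get-EopCmdletHolders {
    # List everyone who can run $Cmdlet, with the role and role group that grant it.
    param([Parameter(Mandatory)] [string]$Cmdlet)

    # Role entries are identified as "<Role>\<Cmdlet>"; a wildcard role name returns the
    # entry from every management role that contains the cmdlet.
    $entries = Get-ManagementRoleEntry -Identity "*\$Cmdlet" -ErrorAction SilentlyContinue
    if (-not $entries) {
        Write-Warning "No management role in this organization contains $Cmdlet."
        return
    }

    foreach ($entry in $entries) {
        # Only regular (non-delegating) assignments to role groups let members run cmdlets;
        # delegating assignments only allow assigning the role to others.
        $assignments = Get-ManagementRoleAssignment -Role $entry.Role -RoleAssigneeType RoleGroup -Delegating $false
        foreach ($assignment in $assignments) {
            Expand-EopRoleGroupMembers -RoleGroup ([string]$assignment.RoleAssignee) | ForEach-Object {
                [pscustomobject]@{
                    Cmdlet     = $Cmdlet
                    Role       = $entry.Role
                    RoleGroup  = [string]$assignment.RoleAssignee
                    Member     = $_.Member
                    MemberType = $_.MemberType
                    Via        = $_.Via
                }
            }
        }
    }
}

# Who can create mail flow (transport) rules right now, and through which role group?
Get-EopCmdletHolders -Cmdlet 'New-TransportRule' | Sort-Object Member, Role | Format-Table -AutoSize
```

Run it for the cmdlets you consider sensitive (mail flow rules, connectors, allow/block list changes) and compare the member list against the people who are supposed to do that work; a member reached through a nested group shows up with the full path in the Via column.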
The available role groups in standalone EOP are described in the following table.
Role group | Description | Default roles assigned |
---|---|---|
Communication Compliance | Although this role group is available, it does nothing useful in standalone EOP. | Communication Compliance Admin, Communication Compliance Investigation |
Communication Compliance Administrators | Although this role group is available, it does nothing useful in standalone EOP. | Communication Compliance Admin |
Compliance Administrator | Manage settings for device management, data loss prevention, reports, and preservation. | Communication Compliance Admin, Insider Risk Management Admin |
Compliance Management | Configure and manage compliance settings within the organization, including data loss prevention (DLP) if your subscription has DLP capabilities. Members of the Compliance Administrator role in Microsoft Entra ID automatically get the permissions of this role group. | Audit Logs, Compliance Admin, Data Loss Prevention, Information Rights Management, Journaling, Message Tracking, Retention Management, Transport Rules, View-Only Audit Logs, View-Only Configuration, View-Only Recipients |
Discovery Management | Perform searches of mailboxes in the Exchange organization for data that meets specific criteria. | Legal Hold, Mailbox Search |
Help Desk | View and manage mail users. | Reset Password, User Options, View-Only Recipients |
Hygiene Management | Manage protection features (anti-spam, anti-malware, etc.). | Transport Hygiene, View-Only Configuration, View-Only Recipients |
Information Protection | Full control over all information protection features, including sensitivity labels and their policies, DLP, all classifier types, activity and content explorers, and all related reports. | Information Protection Admin, Information Protection Investigator, Information Protection Reader |
Information Protection Admins | Although this role group is available, it does nothing useful in standalone EOP. | Information Protection Admin |
Information Protection Analysts | Although this role group is available, it does nothing useful in standalone EOP. | None |
Information Protection Investigators | Search the unified audit log. | Information Protection Investigator |
Information Protection Readers | Search the unified audit log and view the Mail Traffic and Mail Traffic Summary reports. | Information Protection Reader |
Insider Risk Management | Manage access control for Insider risk management. | Insider Risk Management Admin, Insider Risk Management Investigation |
Insider Risk Management Admins | Although this role group is available, it does nothing useful in standalone EOP. | Insider Risk Management Admin |
Insider Risk Management Investigators | Although this role group is available, it does nothing useful in standalone EOP. | Insider Risk Management Investigation |
Organization Management | Admin access to the entire organization and the ability to perform almost any task. Members of the Global Administrator role in Microsoft Entra ID automatically get the permissions of this role group. Important: Because the Organization Management role group is a powerful role, only users that perform organizational-level administrative tasks should be members of this role group. | Audit Logs, Communication Compliance Admin, Communication Compliance Investigation, Compliance Admin, Data Loss Prevention, Distribution Groups, E-Mail Address Policies, Federated Sharing, Information Protection Admin, Information Protection Investigator, Information Protection Reader, Information Rights Management, Insider Risk Management Admin, Insider Risk Management Investigation, Journaling, Legal Hold, Mail Enabled Public Folders, Mail Recipient Creation, Mail Recipients, Mail Tips, Message Tracking, Migration, Move Mailboxes, Org Custom Apps, Org Marketplace Apps, Organization Client Access, Organization Configuration, Organization Transport Settings, Privacy Management Admin, Privacy Management Investigation, Public Folders, Recipient Policies, Remote and Accepted Domains, Reset Password, Retention Management, Role Management, Security Admin, Security Group Creation and Membership, Security Reader, TenantPlacesManagement, Transport Hygiene, Transport Rules, User Options, View-Only Audit Logs, View-Only Configuration, View-Only Recipients |
Privacy Management | Although this role group is available, it does nothing useful in standalone EOP. | Privacy Management Admin, Privacy Management Investigation |
Privacy Management Administrators | Although this role group is available, it does nothing useful in standalone EOP. | Privacy Management Admin |
Privacy Management Investigators | Although this role group is available, it does nothing useful in standalone EOP. | Privacy Management Investigation |
Recipient Management | Create, manage, and remove recipient objects in the organization. | Distribution Groups, Mail Recipient Creation, Mail Recipients, Message Tracking, Migration, Move Mailboxes, Recipient Policies, Reset Password |
Records Management | Configure compliance features, such as retention policy tags, message classifications, and mail flow rules (also known as transport rules). | Audit Logs, Journaling, Message Tracking, Retention Management, Transport Rules |
RIM-MailboxAdmins<GUID> | Not used | ApplicationImpersonation |
Security Administrator | Configure all aspects of protection in the organization (anti-spam, anti-malware, anti-spoofing, quarantine, etc.). Members of the Security Administrator role in Microsoft Entra ID automatically get the permissions of this role group. | Security Admin, SensitivityLabelAdministrator |
Security Operator | Manage security alerts, and also view reports and settings of security features. Members of the Security Operator role in Microsoft Entra ID automatically get the permissions of this role group. | Tenant AllowBlockList Manager |
Security Reader | View-only access to all aspects of protection in the organization (anti-spam, anti-malware, anti-spoofing, quarantine, etc.). Members of the Security Reader role in Microsoft Entra ID automatically get the permissions of this role group. | Security Reader |
TenantAdmins_<Number> | Membership in this role group is synchronized across services and managed centrally. This role group isn't assigned any roles, but it's a member of the Organization Management role group and inherits those permissions. | None |
View-Only Organization Management | View recipient, protection, and configuration objects and their properties in the organization. | View-Only Configuration, View-Only Recipients |
If you work in a small organization, you might only use the Organization Management role group. In larger organizations with admins who are responsible for specific tasks (for example, recipient configuration only), you might also use the Recipient Management role group. Admins can then manage their specific areas without permissions in areas that they're not responsible for.
If the built-in role groups in Exchange Online don't match the job function of your admins, you can create role groups and add roles to them. For more information, see Manage role groups in standalone EOP.
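The following is an added example, not code from the Microsoft page, of creating a task-scoped role group so that a mail flow admin does not need to sit in Organization Management. It assumes a standalone EOP PowerShell session opened by an account that holds the Role Management role (for example, a member of Organization Management); the role group name, its description and the member address are placeholders, and the roles are taken from the tables above.

```powershell
# Added example (not code from the Microsoft page): build a least-privilege role group for
# admins who only manage mail flow rules, then verify exactly what it grants.
# Assumes a standalone EOP PowerShell session whose account holds the Role Management role.

$roleGroupName = 'Mail Flow Rule Admins'                                        # placeholder name
$roles   = @('Transport Rules', 'View-Only Recipients', 'View-Only Configuration')  # roles from the tables above
$members = @('mailflow.admin@contoso.example')                                  # placeholder member

# Refuse to proceed if a role group with this name already exists, rather than silently
# reusing (and possibly widening) a group someone else owns.
if (Get-RoleGroup -Identity $roleGroupName -ErrorAction SilentlyContinue) {
    throw "Role group '$roleGroupName' already exists; review it before reusing the name."
}

New-RoleGroup -Name $roleGroupName -Roles $roles -Members $members `
    -Description 'Create and edit mail flow rules; read-only access to recipients and configuration.'

# Verify what was granted: the roles on the group and its members.
$group = Get-RoleGroup -Identity $roleGroupName
$group | Format-List Name, Roles, Members, Description

# Which cmdlets can members now run? Role entries are "<Role>\<Cmdlet>", so list every
# entry of every role on the group. Anything unexpected here means the wrong role was chosen.
foreach ($role in $group.Roles) {
    Get-ManagementRoleEntry -Identity "$role\*" | Select-Object Role, Name
}
```

Review the cmdlet list before handing the group over: a role such as Transport Rules carries every mail flow rule cmdlet, and the read-only roles are what let the admin look up recipients and settings in the EAC without being able to change them.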
Roles
The built-in roles that are available in standalone EOP are described in the following table.
Role | Description | Default role group assignments |
---|---|---|
Address Lists | Enables admins to manage address lists, global address lists, and offline address lists in an organization. | None |
Audit Logs | Search the administrator audit log and view the results. | Compliance Management, Organization Management, Records Management |
Communication Compliance Admin | Although this role is available, it does nothing useful in standalone EOP. | Communication Compliance, Communication Compliance Administrators, Compliance Administrator, Organization Management |
Communication Compliance Investigation | Although this role is available, it does nothing useful in standalone EOP. | Organization Management |
Compliance Admin | Lets people view and edit settings and reports for compliance features. | Compliance Management, Organization Management |
Data Loss Prevention | Enables admins to manage Data Loss Prevention (DLP) settings in the organization. | Compliance Management, Organization Management |
Distribution Groups | Create and manage all distribution groups, mail-enabled security groups, and members. | Organization Management, Recipient Management |
E-Mail Address Policies | Enables admins to manage email address policies in an organization. | Organization Management |
Federated Sharing | Enables admins to manage cross-forest and cross-organization sharing in an organization. | Organization Management |
Information Protection Admin | Although this role is available, it does nothing useful in standalone EOP. | Information Protection, Information Protection Admins, Organization Management |
Information Protection Investigator | Search the unified audit log. | Information Protection, Information Protection Investigators, Organization Management |
Information Protection Reader | Search the unified audit log and view the Mail Traffic and Mail Traffic Summary reports. | Information Protection, Information Protection Readers, Organization Management |
Information Rights Management | Manage the Information Rights Management (IRM) features of Exchange in an organization. | Compliance Management, Organization Management |
Insider Risk Management Admin | Although this role is available, it does nothing useful in standalone EOP. | Compliance Administrator, Insider Risk Management, Insider Risk Management Admins, Organization Management |
Insider Risk Management Investigation | Although this role is available, it does nothing useful in standalone EOP. | Insider Risk Management, Insider Risk Management Investigators, Organization Management |
Journaling | Enables admins to manage journaling configuration in an organization. | Compliance Management, Organization Management, Records Management |
Legal Hold | Enables admins to configure whether data within a mailbox should be retained for litigation purposes in an organization. | Discovery Management, Organization Management |
Mail Enabled Public Folders | Enables admins to configure whether individual public folders are mail-enabled or mail-disabled in an organization. | Organization Management |
Mail Recipient Creation | Create and remove mail users and mail contacts. | Organization Management, Recipient Management |
Mail Recipients | Modify existing mail users and mail contacts. | Organization Management, Recipient Management |
Mail Tips | Enables admins to manage MailTip settings in an organization. | Organization Management |
Mailbox Import Export | Enables admins to import and export mailbox content. | Organization Management |
Mailbox Search | Enables admins to search the content of one or more mailboxes in an organization. | Discovery Management |
Message Tracking | Enables admins to track messages in an organization. | Compliance Management, Organization Management, Recipient Management, Records Management |
Migration | Enables admins to migrate mailboxes and mailbox content into or out of an organization. | Organization Management, Recipient Management |
Move Mailboxes | Enables admins to move mailboxes. | Organization Management, Recipient Management |
Organization Client Access | Enables admins to manage Client Access settings in an organization. | Organization Management |
Organization Configuration | Enables admins to manage organization-wide settings. | Organization Management |
Organization Transport Settings | Enables admins to manage hybrid and organization-wide mail transport settings. | Organization Management |
Privacy Management Admin | Although this role is available, it does nothing useful in standalone EOP. | Organization Management, Privacy Management, Privacy Management Administrators |
Privacy Management Investigation | Although this role is available, it does nothing useful in standalone EOP. | Organization Management, Privacy Management, Privacy Management Investigators |
Public Folders | Enables admins to manage public folders in an organization. | Organization Management |
Recipient Policies | Enables admins to manage recipient policies (authentication policies, data encryption policies, mobile device mailbox policies, and Outlook on the web mailbox policies) in an organization. | Organization Management, Recipient Management |
Remote and Accepted Domains | Manage remote domains, accepted domains, and connectors. | Organization Management |
Reset Password | Enables admins to set room mailbox passwords. | Help Desk, Organization Management, Recipient Management |
Retention Management | Lets people manage retention policies. | Compliance Management, Organization Management, Records Management |
Role Management | Enables admins to manage management role groups, role assignment policies, management roles, role entries, assignments, and scopes in an organization. | Organization Management |
Security Admin | Manage the configuration and reports for all security and protection features. | Organization Management, Security Administrator |
Security Group Creation and Membership | Create and manage mail-enabled security groups. | Organization Management |
Security Reader | View the configuration and reports for security and protection features. | Organization Management, Security Reader |
SensitivityLabelAdministrator | Lets people edit sensitivity label properties. | Organization Management, Security Administrator |
Tenant AllowBlockList Manager | Lets people manage the Tenant Allow/Block List. | Organization Management, Security Operator |
TenantPlacesManagement | Although this role is available, it does nothing useful in standalone EOP. | Organization Management |
Transport Hygiene | Manage anti-malware, anti-spam features, and anti-spoofing features. | Hygiene Management, Organization Management |
Transport Rules | Create and manage mail flow rules (also known as transport rules). | Compliance Management, Organization Management, Records Management |
User Options | Enables admins to view the Outlook on the web options of users in the organization. | Help Desk, Organization Management |
View-Only Audit Logs | Search the administrator audit log and view the results. | Compliance Management, Organization Management |
View-Only Configuration | View all of the organization and mail flow (non-recipient) settings in the organization. | Compliance Management, Hygiene Management, Organization Management, View-Only Organization Management |
View-Only Recipients | View recipient properties and run message trace. | Compliance Management, Help Desk, Hygiene Management, Organization Management, View-Only Organization Management |
Note
- Role names that start with the prefix 'My' (for example, MyContactInformation) are end-user roles. End-user roles are assigned to users in role assignment policies, which allow users to operate on objects they own (for example, their own account or distribution groups they created). For more information, see Role assignment policies in Exchange Online.
- Role names that start or end with 'Application' are part of RBAC for Applications in Exchange Online. For more information, see Role Based Access Control for Applications in Exchange Online.
Microsoft 365 permissions in standalone EOP
When you create a user in the Microsoft 365 admin center, you can choose whether to assign various Microsoft Entra roles (for example, Global Administrator, Exchange Administrator, and Global Reader) to the user. Most of the Microsoft Entra roles grant administrative permissions in EOP to the user.
Note
The account you used to create your standalone EOP organization is automatically assigned to the Global Administrator role.
The following table lists the Microsoft Entra roles and the standalone EOP role groups that they correspond to. For more information about these roles, see About admin roles.
Microsoft Entra role | EOP role group |
---|---|
Global Administrator | Organization Management Note: The Global Administrator role and the Organization Management role group are tied together using a special Company Administrator role group. The Company Administrator role group is managed internally and can't be modified directly. |
Exchange Administrator | Organization Management |
Global Reader | View-Only Organization Management |
Helpdesk Administrator | Help Desk |
Service Support Administrator | None |
SharePoint Administrator | None |
Teams Administrator | None |
User Administrator | Recipient Management |
User Experience Success Manager | None |
Users can be granted administrative rights in EOP without adding them to Microsoft Entra roles by adding the user as a member of an EOP role group. The user gets permissions in EOP, but they don't get permissions in other Microsoft 365 workloads. For instructions, see Use the EAC to manage role groups.
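Because a person can end up with EOP permissions either through direct role group membership or through an Entra role that maps to a role group, it is worth checking both what a given account effectively holds and who is in Organization Management. The following is an added example, not code from the Microsoft page. It assumes an existing standalone EOP PowerShell session opened by an account with the View-Only Configuration role; the display name is a placeholder, and the -GetEffectiveUsers switch of Get-ManagementRoleAssignment is used because it expands role group membership (including nested role groups) to the individual users.

```powershell
# Added example (not code from the Microsoft page): two checks to run after granting
# EOP-only rights. Assumes an existing standalone EOP PowerShell session whose account
# holds the View-Only Configuration role.

$userName = 'Helpdesk User'   # placeholder: the user's Name (display name) as EOP reports it

# 1. What does this person effectively hold, and through which role group?
#    -GetEffectiveUsers expands role group membership, so each row names the real user in
#    EffectiveUserName and the role group it was granted through in RoleAssignee.
#    Delegating assignments are excluded: they allow assigning a role, not using it.
$effective = Get-ManagementRoleAssignment -GetEffectiveUsers -Delegating $false |
    Where-Object { $_.EffectiveUserName -eq $userName } |
    Select-Object Role, RoleAssignee, RoleAssigneeType, EffectiveUserName

if ($effective) {
    $effective | Sort-Object Role | Format-Table -AutoSize
} else {
    "No EOP role assignments found for '$userName'."
}

# 2. Who is in Organization Management, directly or through a nested role group?
#    The table above describes TenantAdmins_<Number> as a member of Organization Management
#    that inherits its permissions, so nested role groups are flagged rather than ignored.
Get-RoleGroupMember -Identity 'Organization Management' |
    Select-Object Name, RecipientTypeDetails,
        @{ Name = 'NestedRoleGroup'; Expression = { $_.RecipientTypeDetails -eq 'RoleGroup' } } |
    Sort-Object NestedRoleGroup, Name |
    Format-Table -AutoSize
```

The first check is the one to use when a help desk account is added to the Help Desk role group as described above: the output should list only Reset Password, User Options and View-Only Recipients, all via Help Desk. The second check is worth scheduling, since Organization Management membership is the single place where EOP-only grants and Entra-mapped admins converge.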