Applies to: Exchange Server 2010 SP3
Topic Last Modified: 2011-11-09
The Exchange Online in Microsoft Office 365 organization is based on Exchange 2010 and, like on-premises organizations, uses Role Based Access Control (RBAC) to control permissions. Administrators are granted permissions using management role groups, and end users are granted permissions using management role assignment policies.
Learn more about RBAC at: Understanding Permissions
Administrator Permissions
By default, the user that was used to create the Office 365 service is made a member of the Organization Management role group in the Exchange Online organization. This user can manage the entire Office 365 organization, including configuration of organization-level settings and management of Exchange Online recipients.
You can add additional administrators in the Office 365 organization, depending on the management that needs to take place. You can add additional organization administrators and recipient administrators enable specialist users to perform compliance tasks such as discovery, configure custom permissions, and more. All permissions management for Office 365 administrators must be performed in the Exchange Online organization using either the Exchange Control Panel (ECP) or remote PowerShell.
However, it's important to note that there is no transfer of permissions between the on-premises organization and the Office 365 organization. Any permissions that you've defined in the on-premises organization must be re-created in the Office 365 organization.
See the following topics for more information:
End User Permissions
As with administrator permissions, end users in Exchange Online can be granted permissions. By default, end users are granted permissions via the default role assignment policy. This policy is applied to every mailbox in the Exchange Online organization. If the permissions granted by default are sufficient, you don't need to change anything.
If you do want to customize end user permissions, you can either modify the existing default role assignment policy, or you can create new assignment policies. If you create multiple assignment policies, you can assign different policies to different groups of mailboxes, enabling you to control permissions granted to each group depending on their requirements. All permissions management for cloud-based end users must be performed in the Exchange Online organization using either the ECP or remote PowerShell.
Like administrator permissions, end user permissions aren't transferred between the on-premises organization and the Exchange Online organization. Any permissions that you've defined in the on-premises organization must be re-created in the Exchange Online organization.
The following table lists the permissions granted by the default role assignment policies in the Exchange Online organization.
Default role assignment policy permissions
Management role | Description |
---|---|
MyBaseOptions |
The |
MyContactInformation |
The |
MyDistributionGroupMembership |
The |
MyDistributionGroups |
The |
MyMailSubscription |
The |
MyProfileInformation |
The |
MyRetentionPolicies |
The |
MyTextMessaging |
The |
MyVoiceMail |
The |
See the following topics for more information: