Permissions in Exchange 2013 hybrid deployments

Applies to: Exchange Server 2013

Topic Last Modified: 2013-01-28

The Exchange Online in Microsoft Office 365 organization is based on Microsoft Exchange Server 2013 and, like on-premises organizations, it also uses Role Based Access Control (RBAC) to control permissions. Administrators are granted permissions using management role groups, and end users are granted permissions using management role assignment policies.

Learn more about permissions in Exchange Online and Exchange 2013 at: Permissions

Administrator permissions

By default, the user that was used to create the Office 365 tenant is made a member of the Organization Management management role group in the Exchange Online organization. This user can manage the entire Exchange Online organization, including configuration of organization-level settings and management of Exchange Online recipients.

You can add additional administrators in the Exchange Online organization, depending on the management that needs to take place. For example, you can add additional organization administrators and recipient administrators, enable specialist users to perform compliance tasks such as discovery, configure custom permissions, and more. All Exchange Online permissions management for Office 365 administrators must be performed in the Exchange Online organization using either the Exchange Administration Center (EAC) or remote PowerShell.

Important:
There is no transfer of permissions between the on-premises organization and the Office 365 organization. Permissions that you've defined in the on-premises organization must be re-created in the Office 365 organization.

For more information, see Manage role groups and Manage role group members.

End user permissions

As with administrator permissions, end users in Exchange Online can be granted permissions. By default, end users are granted permissions via the default role assignment policy. This policy is applied to every mailbox in the Exchange Online organization. If the permissions granted by default are sufficient, you don't need to change anything.

If you do want to customize end user permissions, you can either modify the existing default role assignment policy, or you can create new assignment policies. If you create multiple assignment policies, you can assign different policies to different groups of mailboxes, enabling you to control permissions granted to each group depending on their requirements. All permissions management for Exchange Online end users must be performed in the Exchange Online organization using either the EAC or remote PowerShell.

Like administrator permissions, end user permissions aren't transferred between the on-premises organization and the Exchange Online organization. Any permissions that you've defined in the on-premises organization must be re-created in the Exchange Online organization.

For more information, see Manage role assignment policies and Change the assignment policy on a mailbox.

The following table lists the permissions granted by the default role assignment policies in the Exchange Online organization.

Default role assignment policy permissions

Management role	Description
MyTeamMailboxes	The `MyTeamMailboxes` management role enables individual users to create site mailboxes and connect them to Microsoft SharePoint sites.
My Marketplace Apps	The `My Marketplace Apps` management role enables individual users to view and modify their Microsoft Office marketplace apps.
MyBaseOptions	The `MyBaseOptions` management role enables individual users to view and modify the basic configuration of their own mailbox and associated settings.
MyContactInformation	The `MyContactInformation` management role enables individual users to modify their contact information, including address and phone numbers.
MyDistributionGroupMembership	The `MyDistributionGroupMembership` management role enables individual users to view and modify their membership in distribution groups in an organization, provided that those distribution groups allow manipulation of group membership.
MyDistributionGroups	The `MyDistributionGroups` management role enables individual users to create, modify, and view distribution groups, and to modify, view, remove, and add members to distribution groups they own.
MyMailSubscription	The `MyMailSubscription` role enables individual users to view and modify their e-mail subscription settings such as message format and protocol defaults.
MyProfileInformation	The `MyProfileInformation` management role enables individual users to modify their name.
MyRetentionPolicies	The `MyRetentionPolicies` management role enables individual users to view their retention tags, and to view and modify their retention tag settings and defaults.
MyTextMessaging	The `MyTextMessaging` management role enables individual users to create, view, and modify their text messaging settings.
MyVoiceMail	The `MyVoiceMail` management role enables individual users to view and modify their voice mail settings.