| title | Exchange Administrator |
|---|---|
| description | Exchange Administrator |
| ms.topic | include |
| ms.date | 01/26/2026 |
| ms.custom | include file |
Users with this role have global permissions within Microsoft Exchange Online, when the service is present. Also has the ability to create and manage all Microsoft 365 groups, manage support tickets, and monitor service health. For more information, see About admin roles in the Microsoft 365 admin center.
Note
In the Microsoft Graph API and Microsoft Graph PowerShell, this role is named Exchange Service Administrator. In the Azure portal, it is named Exchange Administrator. In the Exchange admin center, it is named Exchange Online administrator.
[!div class="mx-tableFixed"]
Actions Description microsoft.azure.serviceHealth/allEntities/allTasks Read and configure Azure Service Health microsoft.azure.supportTickets/allEntities/allTasks Create and manage Azure support tickets microsoft.backup/exchangeProtectionPolicies/allProperties/allTasks Create and manage Exchange Online protection policy in Microsoft 365 Backup microsoft.backup/exchangeRestoreSessions/allProperties/allTasks Read and configure restore session for Exchange Online in Microsoft 365 Backup microsoft.backup/restorePoints/userMailboxes/allProperties/allTasks Manage all restore points associated with selected Exchange Online mailboxes in M365 Backup microsoft.backup/userMailboxProtectionUnits/allProperties/allTasks Manage mailboxes added to Exchange Online protection policy in Microsoft 365 Backup microsoft.backup/userMailboxRestoreArtifacts/allProperties/allTasks Manage mailboxes added to restore session for Exchange Online in Microsoft 365 Backup microsoft.directory/contacts/allProperties/read Read all properties for contacts microsoft.directory/contacts/memberOf/read Read the group membership for all contacts in Microsoft Entra ID microsoft.directory/contacts/standard/read Read basic properties on contacts in Microsoft Entra ID microsoft.directory/groups.unified/assignedLabels/update Update the assigned labels property on Microsoft 365 groups of assigned membership type, excluding role-assignable groups microsoft.directory/groups.unified/basic/update Update basic properties on Microsoft 365 groups, excluding role-assignable groups microsoft.directory/groups.unified/create Create Microsoft 365 groups, excluding role-assignable groups microsoft.directory/groups.unified/delete Delete Microsoft 365 groups, excluding role-assignable groups microsoft.directory/groups.unified/members/update Update members of Microsoft 365 groups, excluding role-assignable groups microsoft.directory/groups.unified/owners/update Update owners of Microsoft 365 groups, excluding role-assignable groups microsoft.directory/groups.unified/restore Restore Microsoft 365 groups from soft-deleted container, excluding role-assignable groups microsoft.directory/groups/hiddenMembers/read Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups microsoft.directory/onPremisesSynchronization/standard/read Read standard on-premises directory synchronization information microsoft.office365.exchange/allEntities/basic/allTasks Manage all aspects of Exchange Online microsoft.office365.network/performance/allProperties/read Read all network performance properties in the Microsoft 365 admin center microsoft.office365.serviceHealth/allEntities/allTasks Read and configure Service Health in the Microsoft 365 admin center microsoft.office365.supportTickets/allEntities/allTasks Create and manage Microsoft 365 service requests microsoft.office365.usageReports/allEntities/allProperties/read Read Office 365 usage reports microsoft.office365.webPortal/allEntities/standard/read Read basic properties on all resources in the Microsoft 365 admin center