Exploring Permissions in Exchange 2016

This tutorial on Exchange 2016 focuses on Role Based Access Control in Exchange Server 2016.


Microsoft Exchange Server 2016 includes a large set of predefined permissions, based on the Role Based Access Control (RBAC) permissions model, which you can use right away to easily grant permissions to your administrators and users.



Main topics



  1. Role-Based Permissions
  2. Role Groups And Role Assignment Policies
  3. Work With Role Groups
  4. Work With Role Assignment Policies


  • 1) Role-Based Permissions


In Exchange 2016, the permissions that you grant to administrators and users are based on management roles. A role defines the set of tasks that an administrator or user can perform. For instance, a management role called Mail Recipients defines the tasks that someone can perform on a set of mailboxes, contacts, and distribution groups. When a role is assigned to an administrator or user, that person is granted the permissions provided by the role.


There are two categories of roles, end-user roles and administrative roles:


  • Administrative roles   These roles contain permissions that can be assigned to administrators or specialist users by using role groups. They cover managing a part of the Exchange organization, like recipients, servers, or databases.


  • End-user roles   These roles are assigned using role assignment policies and enable users to manage aspects of their own mailbox and distribution groups that they own. End-user roles begin with the prefix My.


Roles give administrators and users permission to perform tasks by making cmdlets available to those who are assigned the roles. Because the Exchange admin center (EAC) and the Exchange Management Shell use cmdlets to manage Exchange, granting access to a cmdlet gives the administrator or user permission to perform the task in every Exchange management interface.



  • 2) Role Groups And Role Assignment Policies


Roles grant permissions to perform tasks in Exchange 2016, but you need a simple way to assign them to administrators and users. Exchange 2016 provides the following to help you do that:


  • Role groups   Role groups enable you to grant permissions to administrators and specialist users.


  • Role assignment policies   Role assignment policies enable you to grant permissions to end users to change settings on their own mailbox or distribution groups that they own.


  • 3) Work With Role Groups


To manage your permissions using role groups in Exchange 2016, we suggest that you use the Exchange admin center (EAC). When you use the EAC to manage role groups, you can add and remove roles and members, create role groups, and copy role groups with ease. The EAC offers simple dialog boxes, like the new role group dialog box shown in the following figure, to perform these tasks.




New role group dialog box in the EAC






If none of the role groups included with Exchange 2016 have the permissions you require, you can use the EAC to create a role group and add the roles that have the permissions you require. For your new role group, you'll need to:


  1. Select a name for your role group.
  2. Choose the roles you wish to add to the role group.
  3. Add members to the role group.
  4. Save the role group.


After the role group is created, you manage it like any other role group.


If there's an existing role group that has some, but not all, of the permissions you require, you can copy it and then make changes to create a new role group. Copying an existing role group lets you make changes to it without affecting the original role group. As part of copying the role group, you can add a new name and description, add and remove roles to and from the new role group, and also add new members. When you create or copy a role group, you use the same dialog box that's shown in the above figure.


Existing role groups can also be modified. You can add and remove roles from an existing role group, and add and remove members from it at the same time, using an EAC dialog box similar to the one shown in the preceding figure. By adding and removing roles to and from role groups, you turn administrative features on and off for members of that role group.



Please note: though you are permitted to change the roles assigned to built-in role groups, we suggest that you copy built-in role groups, make the necessary changes to the role group copy, and then add members to the role group copy.
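The copy-then-modify approach recommended above can also be carried out in the Exchange Management Shell. The following is an added example, not part of the original tutorial; the new group name, the member names, and the choice of roles to leave out are assumptions made for illustration.

```powershell
# Added example: copy a built-in role group with fewer roles, then review it.
# Assumed names: "Helpdesk Recipient Management", helpdesk1, helpdesk2.
$sourceName = "Recipient Management"            # built-in role group
$newName    = "Helpdesk Recipient Management"   # hypothetical copy

# Roles the copy should NOT inherit (constructed choice for this example).
$drop = @("Migration", "Move Mailboxes")

# Read the built-in group's roles and filter out the unwanted ones.
# Assumption: the string form of each entry is the role name.
$source = Get-RoleGroup -Identity $sourceName
$roles  = $source.Roles | Where-Object { $drop -notcontains "$_" }

$params = @{
    Name        = $newName
    Description = "Copy of $sourceName without mailbox move and migration roles"
    Roles       = $roles
    Members     = "helpdesk1", "helpdesk2"
}
New-RoleGroup @params

# Review what was granted to the copy.
Get-ManagementRoleAssignment -RoleAssignee $newName |
    Sort-Object Role |
    Format-Table Role, RoleAssigneeName, Enabled -AutoSize

# Verify that none of the dropped roles reached the copy.
foreach ($role in $drop) {
    if (Get-ManagementRoleAssignment -RoleAssignee $newName -Role $role) {
        Write-Warning "Role '$role' is still assigned to '$newName'"
    }
}

# Review who now holds these permissions.
Get-RoleGroupMember -Identity $newName | Format-Table Name, RecipientType -AutoSize

# The built-in group keeps its original role list.
(Get-RoleGroup -Identity $sourceName).Roles.Count -eq $source.Roles.Count
```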


  • 4) Work With Role Assignment Policies


To manage the permissions that you grant end users to manage their own mailbox in Exchange 2016, we suggest that you use the EAC. When you use the EAC to manage end-user permissions, you can add roles, remove roles, and create role assignment policies with ease. The EAC offers simple dialog boxes, like the role assignment policy dialog box shown in the following figure, to perform these tasks.




Role assignment policy dialog box in the EAC




Exchange 2016 includes a role assignment policy named Default Role Assignment Policy. This role assignment policy enables users whose mailboxes are associated with it to do the following:


  • Join or leave distribution groups that allow members to manage their own membership.
  • View and modify basic mailbox settings on their own mailbox, like Inbox rules, spelling behavior, junk mail settings, and Microsoft ActiveSync devices.
  • Modify their contact information, like the work address and phone number, pager number, and mobile phone number.
  • View, create, or modify text message settings.
  • View or modify voice mail settings.
  • View or modify their marketplace apps.
  • Create team mailboxes and connect them to Microsoft SharePoint lists.


If you want to add or remove permissions from the Default Role Assignment Policy or any other role assignment policy, you can use the EAC. When you open the role assignment policy in the EAC, select the check box next to the roles you wish to assign to it, or clear the check box next to the roles you want to remove. The changes you make to the role assignment policy apply to every mailbox associated with it.


If you want to assign different end-user permissions to the different types of users in your organization, you can create role assignment policies. You specify a name for the new role assignment policy, and then choose the roles you want to assign to it. After you create a role assignment policy, you can associate it with mailboxes using the EAC.


If you want to change which role assignment policy is the default, you need to use the Exchange Management Shell. When you change the default role assignment policy, any mailboxes that are created afterwards will be associated with the new default role assignment policy if one wasn't explicitly specified. The role assignment policy associated with existing mailboxes doesn't change when you choose a new default role assignment policy.
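The default-policy change described above, shown in the Exchange Management Shell together with a before-and-after count that confirms existing mailboxes keep their policy. This is an added example, not part of the original tutorial; the policy name, the selection of end-user roles, and the CustomAttribute1 value used to pick mailboxes are assumptions.

```powershell
# Added example: create a narrower end-user policy and make it the default.
# "Restricted User Policy" is a hypothetical name.
$policy = "Restricted User Policy"

# Current state: which policy is the default and which roles each one grants.
Get-RoleAssignmentPolicy | Format-List Name, IsDefault, AssignedRoles

# Count mailboxes per policy before the change.
$before = Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy -NoElement

# A policy limited to a few end-user ("My...") roles (constructed selection).
New-RoleAssignmentPolicy -Name $policy -Roles "MyBaseOptions", "MyContactInformation", "MyVoiceMail"

# Only the shell can change which policy is the default.
Set-RoleAssignmentPolicy -Identity $policy -IsDefault

# Existing mailboxes are untouched: the per-policy counts should be identical.
$after = Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy -NoElement
Compare-Object $before $after -Property Name, Count   # no output = no change

# Existing mailboxes must be moved explicitly. The filter value is an assumed
# convention for marking the mailboxes that should get the restricted policy.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Contractor'" |
    Set-Mailbox -RoleAssignmentPolicy $policy

# Final review: mailboxes per policy after the explicit reassignment.
Get-Mailbox -ResultSize Unlimited |
    Group-Object RoleAssignmentPolicy -NoElement |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```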


Kristin is a content strategist at Techarex Networks. Kristin follows the B2B technology space closely and loves to write on the latest changes in technology, futuretech and fixes for day-to-day how-to issues. Besides writing, Kristin also loves music, moves and skating.
