Public Preview: Exchange Online RBAC management in Microsoft Graph using Unified RBAC Schema
Published Jul 05 2023 09:22 AM

Today, we’re excited to announce the public preview of Exchange Online Role Based Access Control (RBAC) management in Microsoft Graph. The preview is designed for admins who want a consistent management interface, and for developers who want to programmatically control RBAC.

The public preview supports create, read, update, and delete APIs in Microsoft Graph which conform to a Microsoft-wide RBAC schema. Exchange Online RBAC role assignments, role definitions, and management scopes are supported through this new API.

With this preview, Exchange Online joins other RBAC systems in the Microsoft Graph Beta API, namely, Cloud PC, Intune, and Azure AD directory roles and entitlement management.

How Unified RBAC for Exchange Online works

Admins assigned the appropriate RBAC role in Exchange Online can access Unified RBAC using the Microsoft Graph beta endpoint or by using Microsoft Graph PowerShell. RBAC data remains stored in Exchange Online and can be configured using Exchange Online PowerShell.

In addition to Exchange RBAC permissions, you will also need one of these permissions:

  • RoleManagement.Read.All
  • RoleManagement.ReadWrite.All
  • RoleManagement.Read.Exchange
  • RoleManagement.ReadWrite.Exchange

Actions and entities supported in this preview:

| Entity | Endpoint | Allowed API Actions (Read, Create, Update, Delete) |
| --- | --- | --- |
| Roles | graph.microsoft.com/beta/roleManagement/exchange/roleDefinitions | X X |
| Assignments | graph.microsoft.com/beta/roleManagement/exchange/roleAssignments | |
| Scopes | graph.microsoft.com/beta/roleManagement/exchange/customAppScopes | |
| Role Groups | Not supported | X X X X |
| Transitive Role Assignment | Not supported | X X X X |

Reading the list of role assignments assigned with a management scope:

[Screenshot: UnifRBAC01.jpg]

Reading the list of Management Scopes:

[Screenshot: UnifRBAC02.jpg]

List roles using Microsoft Graph PowerShell:

[Screenshot: UnifRBAC03.jpg]
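An added example (not from the original post and not Microsoft's code) that audits the three collections listed above: it joins role assignments to role definitions and management scopes and sorts assignments with no management scope to the top. The function names and sample data are constructed; the property names (principalId, roleDefinitionId, appScopeId, directoryScopeId, displayName) come from Graph's unified RBAC resource types, and treating a missing appScopeId with directoryScopeId "/" as tenant-wide is an assumption.

```python
import json
import urllib.request

BASE = "https://graph.microsoft.com/beta/roleManagement/exchange"

def fetch_all(collection, token):
    """GET roleAssignments, roleDefinitions or customAppScopes, following paging."""
    url, items = f"{BASE}/{collection}", []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return items

def audit_assignments(assignments, definitions, scopes):
    """Resolve role and scope names and flag assignments without a management scope."""
    roles = {d["id"]: d.get("displayName", d["id"]) for d in definitions}
    named = {s["id"]: s.get("displayName", s["id"]) for s in scopes}
    report = []
    for a in assignments:
        scope_id = a.get("appScopeId")
        report.append({
            "principal": a.get("principalId"),
            "role": roles.get(a.get("roleDefinitionId"), "<unknown role>"),
            "scope": named.get(scope_id, "<unknown scope>") if scope_id else None,
            # Assumption: no appScopeId plus directoryScopeId "/" means tenant-wide.
            "unscoped": not scope_id and a.get("directoryScopeId") in (None, "/"),
        })
    # Broadest assignments first, then by role name for stable review output.
    return sorted(report, key=lambda r: (not r["unscoped"], r["role"]))

# Constructed sample data shaped like the three collections (not real tenant output).
SAMPLE_DEFINITIONS = [{"id": "role-1", "displayName": "Mail Recipients"},
                      {"id": "role-2", "displayName": "Organization Configuration"}]
SAMPLE_SCOPES = [{"id": "scope-1", "displayName": "Sales mailboxes"}]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "/Users/constructed-user-1", "roleDefinitionId": "role-1",
     "directoryScopeId": "/", "appScopeId": "scope-1"},
    {"principalId": "/Users/constructed-admin", "roleDefinitionId": "role-2",
     "directoryScopeId": "/", "appScopeId": None},
    {"principalId": "/Users/constructed-user-2", "roleDefinitionId": "role-9",
     "directoryScopeId": "/", "appScopeId": "scope-404"},
]

if __name__ == "__main__":
    for row in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_DEFINITIONS, SAMPLE_SCOPES):
        print(row)
```

For live data, pass fetch_all a delegated access token carrying one of the read permissions listed earlier, since the FAQ notes that app-only access is not yet supported. Rows showing an unknown role or scope point at assignments whose referenced role or management scope was not returned and are worth reviewing.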

Try the Public Preview Today

Unified RBAC is available to all tenants today as a part of the public preview. See "Use the Microsoft Graph SDKs with the beta API" and "roleManagement resource type" for more information.

We’d love your feedback on the preview. You can leave a comment here or share it with us at exourbacpreview@microsoft.com.

FAQs

Does this API support app-only access?
Not yet. This will be added to the preview later.

Exchange Online Team
