Functional Roles

Functional roles are security or mail-enabled security groups in Microsoft 365, or groups in your local Active Directory, designed to manage permissions and license assignments for group members. By assigning your customer's tenant users, especially administrators, to appropriate functional roles with service-specific permissions, you can authorize them to access Elements and manage their tenant’s data using the service.

On the Functional roles page, the number of functional roles within each tenant that you added to the User management module is displayed.

Clicking a tenant name will redirect you to the Functional roles > Functional role list page where you can view and manage functional roles of the tenant.

In a hybrid tenant, there is a dedicated Source column in the functional role list that explicitly identifies the origin of each functional role.

  • Cloud – Indicates that the functional role is stored and managed exclusively within Microsoft Entra ID (cloud-only), with no on-premises association.

  • On-premises – Indicates that the functional role is hosted and managed in an on-premises Active Directory (AD) environment, without synchronization to the cloud.

  • Hybrid – Indicates that the functional role is synchronized between an on-premises AD and Microsoft Entra ID. This synchronization is typically managed via directory synchronization tools like Azure AD Connect. During Azure AD Connect setup, administrators can choose which organizational units (OUs) to synchronize with the cloud. If a newly created functional role resides in an OU designated for synchronization, the functional role will be classified and managed as a hybrid functional role.

Create a Functional Role

To create a functional role, on the Functional roles page, click a tenant name to access the Functional role list page of the tenant. For a hybrid tenant, click Create functional role and then choose whether to create the functional role in Microsoft 365 or in the on-premises Active Directory. For cloud tenants, you will only have the option to create a functional role in Microsoft 365.

Cloud Functional Role

Refer to the following steps to create a functional role in Microsoft 365:

  1. Create functional role in – If the current tenant is a hybrid tenant, select Microsoft 365 tenant to create a functional role in Microsoft 365. Skip this step if the current tenant is a cloud tenant.

  2. Complete the following information:

    • Display name – Enter a display name for the functional role.

    • Description – Enter a description.

    • Mail nickname – Enter a mail nickname.

    • Dynamic – If you want to configure rules to automatically manage membership for this functional role, turn on the toggle and add rules.

    • Enable mailbox – If you want to enable a mailbox for this functional role, turn on the toggle.

    • Hide from address list – If you want to hide this functional role from the address list, turn on the toggle.

  3. Click Create.

On-Premises Functional Role

Complete the following steps to create a functional role in the on-premises Active Directory:

  1. Create functional role in – Select On-Premises environment to create a functional role in the on-premises Active Directory.

  2. Complete the following information.

    • Display name – Enter a display name for the functional role.

    • Description – Enter a description.

    • Domain – Select a domain from the local Active Directory.

    • Company/Organization – Select a company/organization from the drop-down list.

    • Enable mailbox – If you want to enable a mailbox for this functional role, turn on the toggle.

    • Hide from address list – If you want to hide this functional role from the address list, turn on the toggle.

  3. Click Create.

View and Edit a Functional Role

Clicking a functional role will redirect you to the Functional role details page where you can view and manage the functional role details.

Cloud Functional Role

Switch among the following tabs to update functional role details:

  • Basics – Under the Basics tab, you can update the functional role’s display name and description if needed. If the functional role is dynamic, you can also update the rules if required.

  • Members – Under the Members tab, you can manage functional role members. If the functional role is dynamic, you cannot add or remove members. For detailed instructions, refer to Manage Functional Role Members.

  • Licenses – Under the Licenses tab, you can assign or remove licenses for the functional role members. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    Note the following:

    • License assignments will be blocked if no user seats are available and the tenant is not connected to a marketplace.

    • If the tenant is connected to a marketplace, license assignment remains available even with zero available units. Selecting a license will automatically create a license request. For detailed instructions on connecting a tenant to a marketplace, refer to Marketplace.

  • Security groups – This tab displays all security groups within the tenant.

    To add this functional role to a specific security group, enable the toggle; to remove this functional role from a specific security group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Mail-enabled security groups – This tab displays all mail-enabled security groups within the tenant.

    To add this functional role to a specific mail-enabled security group, enable the toggle; to remove this functional role from a specific mail-enabled security group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Shared mailboxes – This tab displays all shared mailboxes within the tenant.

    To add mailbox permissions, click the name of a shared mailbox. From the Permissions drop-down list, select one or multiple permissions, and click Apply. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    • Full access – Allows a user to open and read/delete emails, manage folders, and act as the mailbox owner. It does not allow sending emails on behalf of the mailbox owner.

    • Send as – Allows a user to send emails as if they were the mailbox.

    • Send on behalf – Allows a user to send emails on behalf of the mailbox owner.

  • Equipment mailboxes – This tab displays all equipment mailboxes within the tenant.

    To add mailbox permissions, click the name of an equipment mailbox. From the Permissions drop-down list, select one or multiple permissions, and click Apply. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    • Full access – Allows a user to open and read/delete emails, manage folders, and act as the mailbox owner. It does not allow sending emails on behalf of the mailbox owner.

    • Send as – Allows a user to send emails as if they were the mailbox.

    • Send on behalf – Allows a user to send emails on behalf of the mailbox owner.

  • Room mailboxes – This tab displays all room mailboxes within the tenant.

    To add mailbox permissions, click the name of a room mailbox. From the Permissions drop-down list, select one or multiple permissions, and click Apply. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    • Full access – Allows a user to open and read/delete emails, manage folders, and act as the mailbox owner. It does not allow sending emails on behalf of the mailbox owner.

    • Send as – Allows a user to send emails as if they were the mailbox.

    • Send on behalf – Allows a user to send emails on behalf of the mailbox owner.

  • Application groups – This tab displays all application groups (security groups) within the tenant.

    To add this functional role to a specific application group, enable the toggle; to remove this functional role from a specific application group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To export application groups, click Export to start the export process. After the process is complete, you can find the exported file in the default download location of your current browser.

  • Azure applications – This tab displays all Azure applications within the tenant.

    To add this functional role to a specific Azure application, enable the toggle; to remove this functional role from a specific Azure application, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • SharePoint – This tab displays all SharePoint sites within the tenant. Clicking a site name will redirect you to a new page, where you can view its subsites listed on the left and all libraries within a selected subsite shown on the right.

    To add this functional role to the site visitors, site members, or site owners group of a subsite, turn on the toggle of the corresponding group; to remove this functional role from the site visitors, site members, or site owners group of a subsite, turn off the toggle of the corresponding group. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To add this functional role to the visitors, members, or owners group of a library within a subsite, turn on the toggle of the corresponding group; to remove this functional role from the visitors, members, or owners group of a library within a subsite, turn off the toggle of the corresponding group. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Portal access roles – For detailed instructions, refer to Assign Module Permissions.

  • Compliance policies – This tab displays compliance policies assigned to the functional role. Compliance policies are managed in the device management module. For detailed instructions, refer to Manage Policies.

    To assign a compliance policy to a functional role, click Assign policy, select the compliance policies to be assigned, and click Assign.

    To unassign a compliance policy from a functional role, select the compliance policy from the table, click Unassign policy, and then click Unassign policy in the confirmation message.

  • Intune apps – This tab displays the apps assigned to the functional role. For detailed instructions, refer to Manage Apps for a Tenant.

    To assign an app to a functional role, click Assign app, select the app to be assigned, and click Assign. Complete the app assignment in the App details panel and click Apply changes to assign the app.

    To unassign an app from a functional role, select the app from the table, click Unassign app, and then click Unassign app in the confirmation message.

  • Configuration profiles – This tab displays configuration profiles assigned to the functional role. Configuration profiles are managed in the device management module. For detailed instructions, refer to Manage Policies.

    To assign a configuration profile to a functional role, click Assign profile, select the configuration profiles to be assigned, and click Assign.

    To unassign a configuration profile from a functional role, select the configuration profile from the table, click Unassign profile, and then click Unassign profile in the confirmation message.

  • Teams – This tab displays Teams.

    To add this functional role to a specific team, enable the toggle; to remove this functional role from a specific team, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Audit Logs – This tab displays records of all actions performed on the current functional role.

Hybrid Functional Role

Switch among the following tabs to update functional role details:

  • Basics – Under the Basics tab, you can update the functional role’s display name and description if needed. If the functional role is dynamic, you can also update the rules if required.

  • Members – Under the Members tab, you can manage functional role members. If the functional role is dynamic, you cannot add or remove members. For detailed instructions, refer to Manage Functional Role Members.

  • Licenses – Under the Licenses tab, you can assign or remove licenses for the functional role members. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    Note the following:

    • License assignments will be blocked if no user seats are available and the tenant is not connected to a marketplace.

    • If the tenant is connected to a marketplace, license assignment remains available even with zero available units. Selecting a license will automatically create a license request. For detailed instructions on connecting a tenant to a marketplace, refer to Marketplace.

  • Security groups – This tab displays all security groups within the tenant.

    To add this functional role to a specific security group, enable the toggle; to remove this functional role from a specific security group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Mail-enabled security groups – This tab displays all mail-enabled security groups within the tenant.

    To add this functional role to a specific mail-enabled security group, enable the toggle; to remove this functional role from a specific mail-enabled security group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Shared mailboxes – This tab displays all shared mailboxes within the tenant.

    To add mailbox permissions, click the name of a shared mailbox. From the Permissions drop-down list, select one or multiple permissions, and click Apply. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    • Full access – Allows a user to open and read/delete emails, manage folders, and act as the mailbox owner. It does not allow sending emails on behalf of the mailbox owner.

    • Send as – Allows a user to send emails as if they were the mailbox.

    • Send on behalf – Allows a user to send emails on behalf of the mailbox owner.

  • Equipment mailboxes – This tab displays all equipment mailboxes within the tenant.

    To add mailbox permissions, click the name of an equipment mailbox. From the Permissions drop-down list, select one or multiple permissions, and click Apply. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    • Full access – Allows a user to open and read/delete emails, manage folders, and act as the mailbox owner. It does not allow sending emails on behalf of the mailbox owner.

    • Send as – Allows a user to send emails as if they were the mailbox.

    • Send on behalf – Allows a user to send emails on behalf of the mailbox owner.

  • Room mailboxes – This tab displays all room mailboxes within the tenant.

    To add mailbox permissions, click the name of a room mailbox. From the Permissions drop-down list, select one or multiple permissions, and click Apply. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    • Full access – Allows a user to open and read/delete emails, manage folders, and act as the mailbox owner. It does not allow sending emails on behalf of the mailbox owner.

    • Send as – Allows a user to send emails as if they were the mailbox.

    • Send on behalf – Allows a user to send emails on behalf of the mailbox owner.

  • Application groups – This tab displays all application groups (security groups) within the tenant.

    To add this functional role to a specific application group, enable the toggle; to remove this functional role from a specific application group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To export application groups, click Export to start the export process. After the process is complete, you can find the exported file in the default download location of your current browser.

  • Azure applications – This tab displays all Azure applications within the tenant.

    To add this functional role to a specific Azure application, enable the toggle; to remove this functional role from a specific Azure application, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • SharePoint – This tab displays all SharePoint sites within the tenant. Clicking a site name will redirect you to a new page, where you can view its subsites listed on the left and all libraries within a selected subsite shown on the right.

    To add this functional role to the site visitors, site members, or site owners group of a subsite, turn on the toggle of the corresponding group; to remove this functional role from the site visitors, site members, or site owners group of a subsite, turn off the toggle of the corresponding group. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To add this functional role to the visitors, members, or owners group of a library within a subsite, turn on the toggle of the corresponding group; to remove this functional role from the visitors, members, or owners group of a library within a subsite, turn off the toggle of the corresponding group. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Shared folders – This tab displays all shared folders within the tenant.

    To grant the Read or Read & Write permissions for a directory to this functional role, enable the toggle; to remove the functional role's permissions for a specific directory, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To export directories, click Export to start the export process. After the process is complete, you can find the exported file in the default download location of your current browser.

  • Portal access roles – For detailed instructions, refer to Assign Module Permissions.

  • Compliance policies – This tab displays compliance policies assigned to the functional role. Compliance policies are managed in the device management module. For detailed instructions, refer to Manage Policies.

    To assign a compliance policy to a functional role, click Assign policy, select the compliance policies to be assigned, and click Assign.

    To unassign a compliance policy from a functional role, select the compliance policy from the table, click Unassign policy, and then click Unassign policy in the confirmation message.

  • Intune apps – This tab displays the apps assigned to the functional role. For detailed instructions, refer to Manage Apps for a Tenant.

    To assign an app to a functional role, click Assign app, select the app to be assigned, and click Assign. Complete the app assignment in the App details panel and click Apply changes to assign the app.

    To unassign an app from a functional role, select the app from the table, click Unassign app, and then click Unassign app in the confirmation message.

  • Configuration profiles – This tab displays configuration profiles assigned to the functional role. Configuration profiles are managed in the device management module. For detailed instructions, refer to Manage Policies.

    To assign a configuration profile to a functional role, click Assign profile, select the configuration profiles to be assigned, and click Assign.

    To unassign a configuration profile from a functional role, select the configuration profile from the table, click Unassign profile, and then click Unassign profile in the confirmation message.

  • Teams – This tab displays Teams.

    To add this functional role to a specific team, enable the toggle; to remove this functional role from a specific team, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Audit Logs – This tab displays records of all actions performed on the current functional role.

On-Premises Functional Role

Switch among the following tabs to update the details of an on-premises functional role:

  • Basics – Under the Basics tab, you can update the functional role’s display name and description if needed. If the functional role is dynamic, you can also update the rules if required.

  • Members – Under the Members tab, you can manage functional role members. If the functional role is dynamic, you cannot add or remove members. For detailed instructions, refer to Manage Functional Role Members.

  • Licenses – Under the Licenses tab, you can assign or remove licenses for the functional role members. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    Note the following:

    • License assignments will be blocked if no user seats are available and the tenant is not connected to a marketplace.

    • If the tenant is connected to a marketplace, license assignment remains available even with zero available units. Selecting a license will automatically create a license request. For detailed instructions on connecting a tenant to a marketplace, refer to Marketplace.

  • Security groups – This tab displays all local security groups within the tenant.

    To add this functional role to a specific local security group, enable the toggle; to remove this functional role from a specific local security group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

  • Application groups – This tab displays all local application groups (security groups) within the tenant.

    To add this functional role to a specific local application group, enable the toggle; to remove this functional role from a specific local application group, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To export application groups, click Export to start the export process. After the process is complete, you can find the exported file in the default download location of your current browser.

  • Shared folders – This tab displays all shared folders within the tenant.

    To grant the Read or Read & Write permissions for a directory to this functional role, enable the toggle; to remove the functional role's permissions for a specific directory, disable the toggle. A value changed icon will appear in each updated field. There is a message bar indicating the number of changes under the tab. When ready, you can click Apply changes to apply the updates in batch.

    To export directories, click Export to start the export process. After the process is complete, you can find the exported file in the default download location of your current browser.

  • Audit Logs – This tab displays records of all actions performed on the current functional role.

Manage Functional Role Members

Members of a functional role automatically receive the permissions and licenses assigned to that functional role. To manage members of a functional role, select the functional role to access its details page, and then go to the Members tab. Here, you can view the total number of members, categorized by their roles such as Owners, Members, and Guests.

To add a user, click Add. Search for the target user and select the user. Assign the appropriate role, either owner or member, and click Add. Note that if the user you want to add is a guest, assigning a specific role is not allowed.

To remove a user from the functional role, select the user you wish to remove and click Remove. Click Remove in the pop-up confirmation message.
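Because members inherit everything assigned to a functional role, a user who belongs to several roles accumulates the union of their mailbox permissions. The following added example (not part of the original page or of Elements) expands role grants into per-user effective rights and applies two illustrative review rules; the data layout, role names, addresses and rules are constructed assumptions, not an Elements export format.

```python
"""Expand functional-role mailbox grants into per-user effective rights.

Constructed sample data in a hypothetical layout; this is not an Elements
export format or API.
"""
from collections import defaultdict

# Permission names as they appear on the mailbox tabs of a functional role.
FULL_ACCESS = "Full access"
SEND_AS = "Send as"

# Constructed inventory: role -> members (with member type) and mailbox grants.
ROLES = {
    "FR-Finance": {
        "members": [
            ("alice@contoso.example", "Owner"),
            ("bob@contoso.example", "Member"),
            ("ext.auditor@partner.example", "Guest"),
        ],
        "mailboxes": {
            "invoices@contoso.example": [FULL_ACCESS],
            "room-4a@contoso.example": [FULL_ACCESS],
        },
    },
    "FR-Helpdesk": {
        "members": [("bob@contoso.example", "Member")],
        "mailboxes": {"invoices@contoso.example": [SEND_AS]},
    },
}


def effective_rights(roles):
    """Map (user, mailbox) -> {"by_role": {role: perms}, "guest": bool}."""
    rights = defaultdict(lambda: {"by_role": {}, "guest": False})
    for role_name, role in roles.items():
        for upn, member_type in role["members"]:
            for mailbox, perms in role["mailboxes"].items():
                entry = rights[(upn, mailbox)]
                entry["by_role"][role_name] = set(perms)
                entry["guest"] = entry["guest"] or member_type == "Guest"
    return dict(rights)


def review(roles):
    """Return sorted (user, mailbox, finding) tuples for two example rules."""
    findings = []
    for (upn, mailbox), entry in sorted(effective_rights(roles).items()):
        combined = set().union(*entry["by_role"].values())
        if entry["guest"]:
            findings.append((upn, mailbox, "guest inherits mailbox permission"))
        if {FULL_ACCESS, SEND_AS} <= combined:
            # Full access alone cannot send; together with Send as the user
            # can both read the mailbox and send as it.
            single = any({FULL_ACCESS, SEND_AS} <= p
                         for p in entry["by_role"].values())
            source = "one role" if single else "combined across roles"
            findings.append((upn, mailbox, f"read and send-as ({source})"))
    return findings


if __name__ == "__main__":
    for upn, mailbox, finding in review(ROLES):
        print(f"{upn:30} {mailbox:28} {finding}")
```

Neither role in the sample grants both permissions, yet one member ends up with both, which is why the review works on per-user totals rather than per-role settings.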

Assign Module Permissions

If you want to allow your customer's tenant users, especially administrators, to access Elements and manage their tenant’s data utilizing premium management services, follow these steps in order:

  1. Create a customer role – Create a customer role that includes service-specific permissions for the service. For detailed instructions, refer to Tenant-level Portal Access Roles.

  2. Create a functional role – Create a functional role to group users and assign permissions. For detailed instructions, refer to Create a Functional Role.

  3. Add users to the functional role – Add your customer's tenant users as members of the functional role. For detailed instructions, refer to Manage Functional Role Members.

  4. Assign the customer role to the functional role.

    On the Functional roles > Functional role list page, click a functional role to open the Functional role details page. Switch to the Portal access roles tab. Find the module-specific customer roles that you want to assign and turn on the toggle. Your customer’s tenant users who have been added to the functional role will be authorized to access Elements to manage their own tenant’s data using the module.

    There is a message bar indicating the number of changes under this tab. When ready, you can click Apply changes to apply the updates in batch.

Convert Group Type

To convert a functional role to a security group or application group, select the desired functional role, and click Convert. Choose the appropriate target group type and click Convert to complete the process.

Delete Functional Roles

Select one or multiple functional roles that you want to delete and click Delete. Click Delete in the pop-up confirmation message.

Export Functional Roles

To export functional roles, click Export above the functional role table. Choose to export the visible columns or all columns, select a file format (.xlsx or .csv), and then click Export. The functional roles report is downloaded to your local device once the process is completed.