

How to prevent internal users from auto-forwarding mails to external recipients

For reasons of their own, some users create Inbox rules to auto-forward their work mails to their private mail or other external domains. As an administrator, that's not necessarily a desired scenario.

To prevent internal users from auto-forwarding mails to external recipients, you can create a Transport Rule.

Log in to the Microsoft Online Portal and navigate to the Exchange Online Control Panel (ECP):

  1. Change the view so you are managing the entire organization, and not just your individual mailbox (Mail>Options>"Manage My Organisation" -- see top of picture below)
  2. Select "Mail Control" and make sure you are viewing the "Rules" tab (see left of picture below)
  3. Click the "New" button to display the "New Rule" dialog and start building a new transport rule (see center of picture below)

In the "New Rule" dialog, clicking "More Options" will enable adding more conditions.

After clicking "Add Condition" twice you have a triple AND-condition.

For the first condition, in the "If..." section pick "the sender…" and then "is external/internal".

In the "Select Scope" dialog pick "Inside the organisation".

For the second condition repeat the above with "the recipient…" and then "is external/internal" and then "Outside the organisation".

For the third and final condition pick "the message properties…" and then "include the message type".

In the "Select Message Type" dialog pick "Auto-forward".

Finally, set the action to be taken if the above conditions are met. Under "Do the following…" click "Add Action".

Pick "Block the message…" and then "Reject the message and include an explanation".

If the conditions are met and the message is rejected, a non-delivery report (NDR) is returned to the sender. You can create customized text, which appears in the NDR, to explain why a message was rejected (e.g. "Auto-forwarding from internal to external is blocked").

Optional – name the rule

Click Save to save the rule.
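
The rule built in the dialog above, as an added PowerShell example that is not part of the original post. It assumes a shell already connected to Exchange Online, the rule name is a placeholder, and steps 3 and 4 go beyond the walkthrough by listing mailboxes and Inbox rules that already forward mail.

```powershell
# Added example. Assumes an Exchange Online (or Exchange 2013+) PowerShell
# session is already connected with transport-rule permissions.
$ruleName = 'Block auto-forward to external recipients'   # placeholder name
$ndrText  = 'Auto-forwarding from internal to external is blocked'

# 1. Create the rule only if it does not exist yet, so the script can be re-run.
#    The three predicates mirror the triple AND-condition from the dialog.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText $ndrText
}

# 2. Read the rule back and confirm it is enabled and carries all three conditions.
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Mode, FromScope, SentToScope,
                MessageTypeMatches, RejectMessageReasonText

# 3. List forwarding configured on the mailbox itself (the Set-Mailbox
#    parameters named in the comments on this page).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 4. List Inbox rules that forward or redirect, per mailbox.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
}
```

Steps 3 and 4 only read configuration, so they can be run before the rule is created to see who would be affected.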

Comments

  • Anonymous
    January 01, 2003
    I think it is better to hide the option to forward or redirect through RBAC. After connecting to Exchange Online through PowerShell run the following:

    New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
    Set-ManagementRoleEntry "Disable-Auto-ForwardSet-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress –RemoveParameter
    Set-ManagementRoleEntry "Disable-Auto-ForwardNew-Inboxrule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo –RemoveParameter

    Sign into the EAC click on Permissions > User Roles > Click on the Plus sign to add an additional Role Assignment Policy naming it whatever you want and under MyBaseOptions you will see the Disable-Auto-Forward option that you will want to place a check mark in. Save the Role Assignment Policy.

    Assign the Role Assignment Policy to the user(s) desired.

    • Anonymous
      June 15, 2016
      I tried running the PowerShell command and got errors. Should this be broken up into sections or run all at once?
      • Anonymous
        October 25, 2016
        I was able to run these 3 lines by adding the missing \ in lines 2 and 3:

        New-ManagementRole -Name "Disable-Auto-Forward" -Parent MyBaseOptions
        Set-ManagementRoleEntry "Disable-Auto-Forward\Set-Mailbox" -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
        Set-ManagementRoleEntry "Disable-Auto-Forward\New-Inboxrule" -Parameters ForwardAsAttachmentTo,ForwardTo,RedirectTo -RemoveParameter
    • Anonymous
      June 23, 2017
      How would one remove the "Disable-Auto-Forward" role after performing the PowerShell commands listed? The checkbox for the Disable-Auto-Forward option shown under MyBaseOptions is grayed out.
  • Anonymous
    January 01, 2003
    Tak! Very useful.

  • Anonymous
    January 01, 2003
    Thank you for this post. Very helpful. I have only one question. I added a rejection reason but that reason is not sent.
    We are using Exchange 2013 SP1

  • Anonymous
    September 22, 2013
    Hi Jesper, I followed exactly the above steps, but no success, my incoming emails are still being forwarded to my personal address. I tried sending from external to my company email and then from internal to my company emails, in both cases it failed! Any ideas? Thanks Sharad

  • Anonymous
    October 21, 2013
    This only works for Outlook clients.  Kiosk accounts can still forward to personal email accounts.

  • Anonymous
    February 05, 2014
    Hi Team, need help on how we can prevent users from setting up email forwarding from OWA

  • Anonymous
    February 05, 2014
    Tim is right, "This only works for Outlook clients. Kiosk accounts can still forward to personal email accounts."

  • Anonymous
    March 16, 2015
    Use a rule within a DLP policy to block auto-forwards attempted via a rule created in Office 365 OWA. The rule would use the same conditions as the transport rule.

  • Anonymous
    August 20, 2015
    From the EMC, under Organization Management Hub Transport select the Remote Domains tab. Right-click, and select properties. Under the Message Format tab uncheck 'Allow automatic forward'. This will restrict auto forward and re-direction outside of the organization.

  • Anonymous
    August 20, 2015
    Oops, my apologies for the post above, which would apply to an onsite Exchange instance. I was searching for info, came across this and didn't note that it's referencing Microsoft Online.

  • Anonymous
    October 14, 2015
    @Darrell Q, It's just in a different location in EXO. EAC > Mail Flow > Remote Domains. You helped me plenty. :)

  • Anonymous
    February 20, 2016
    Not that I'm counting but I just realized one of my blog posts actually is closing in on 100k views

  • Anonymous
    July 13, 2017
    Is there a way to prevent the forwarding of messages without preventing the sending of the out of office message outside the organization as a by product? I'm not technical but I've been told that my ooo to external parties is disabled so that our doctors can't forward emails coming into our organization to their unprotected mailbox and risk the sending of protected health information.

  • Anonymous
    August 28, 2017
    This article doesn't apply to OFFICE 365.
    Note: When Outlook or Outlook on the web is configured to forward a message, the ForwardingSmtpAddress property is added to the message. The message type isn't changed to AutoForward.