Disable automatic forwarding in Office 365 and Exchange Server to prevent information leakage


This article is describing a brief guide on how to prevent internal users from auto-forwarding emails to external mailbox users and on how to disable automatic email forwarding in Office 365 and Exchange Server.

Allowing users to use mail auto-forwarding brings the risk of information leakage. Additionally, users can select the option to not keep a copy of the message in the mailbox which could also result in data loss.

 

How to remove the automatic email forwarding options from Outlook on the web (OWA) in Exchange Server and Exchange Online

 

Automatic email forwarding options in Outlook Web App in Exchange Server and Exchange Online

 

In Exchange administrators control which actions can be performed by the users through Role Based Access Control. To remove the option shown in the picture above you need to modify the Default Role Assignment Policy. The Default Role Assignment Policy contains a Management Role called MyBaseOptions which is holding the parameters responsible for the forwarding and letting users perform the desired changes through the graphical interface of OWA by running Set-Mailbox on the background :

 

DeliverToMailboxAndForward
ForwardingAddress
ForwardingSmtpAddress

 

As you can’t modify the build-in role MyBaseOptions, you need to create a new role to replace it with.

  1. Create a new management role based on the MyBaseOptions role:
    New-ManagementRole MyBaseOptions-DisableForwarding -Parent MyBaseOptions
  2. Remove the forwarding parameters from the MyBaseOptions-DisableForwarding role
    Set-ManagementRoleEntry MyBaseOptions-DisableForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

     

    Note: If you want to retrieve the parameters that will be left available for the Set-Mailbox cmdlet after the modification of the role which you’ve created:
    (Get-ManagementRoleEntry MyBaseOptions-DisableForwarding\Set-Mailbox).parameters

  3. As you have created the role, you have 2 options – modifying the default policy for all users or creating a different policy and assign it to a targeted group of people.3.1. Modify the Default Role Assignment Policy for all users by replacing MyBaseOptions with MyBaseOptions-DisableForwarding.

    The easiest way to do this is from  Exchange Admin Center > Permissions > User Roles > edit the Default Role Assignment Policy > clear MyBaseOptions and then select MyBaseOptions-DisableForwarding.

    3.2. Create a new role assignment policy which will contain the MyBaseOptions-DisableForwarding role


    New-RoleAssignmentPolicy -Name DisabledForwardingRoleAssignmentPolicy -Roles MyBaseOptions-DisableForwarding,MyContactInformation,MyRetentionPolicies,MyMailSubscriptions,MyTextMessaging,MyVoiceMail,MyDistributionGroupMembership,MyDistributionGroups, MyProfileInformation

    After creating the new policy, you can apply it to targeted user for example:


    Set-Mailbox –Identity user@domain.com -RoleAssignmentPolicy DisabledForwardingRoleAssignmentPolicy

    Note: Give it some time to replicate after the change.

    The expected result of both of the actions is the following:


Removing
any existing auto-forwarding left from before the implantation of the new role

 

As the forwarding can be set to both internal and external recipients you might want to export a list of the mailboxes which had configured the settings before the Role Assignment Policy modifications. This will allow you to remove only the forwarding to external addresses with precision:


Get-Mailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))} | Select Identity | Export-Csv c:\ForwardingSetBefore.csv -append

If you want to remove any kind of forwarding regardless the location:


Get-Mailbox -filter {(RecipientTypeDetails -ne "DiscoveryMailbox") -and ((ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null))} | Set-Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null

Disable forwarding set through Inbox Rules

As the Inbox Rule are frequently created by the users and can’t be blocked on server side, you need to disable this on a Remote Domain level.
The cmdlet below will disable the forwarding to all external domains. If you want to restrict this for particular domains only replace you can do so as well.


Set-RemoteDomain Default -AutoForwardEnabled $false

Or you can clear the selection for the Default Remote Domain settings from Exchange Admin Center >  Mail Flow > Remote Domains

As that setting will be applicable for all newly sent emails but will not eliminate the rules, you can use the cmdlet below will export a list of the mailboxes which have forwarding rules configured, review them and remove them upon demand as well:

 

foreach ($a in (Get-Mailbox -ResultSize Unlimited |select PrimarySMTPAddress)) {Get-InboxRule -Mailbox $a.PrimarySMTPAddress |fl Name,Identity,ForwardTo,ForwardAsAttachmentTo | Export-Csv c:\InboxRules.csv -append }

 

Remove-InboxRule -Mailbox user@domain.com -Identity "RuleName"

 

Note: In case you are facing an issue with corrupted or hidden Inbox rules, yet you still want to remove them, please consult the following article.

 

Another option which you might consider, as it will be notifying your users as well,  is to configure a transport rule to handle the blocking of any auto-forward message types:

 


Comments (0)

Skip to main content