Part of the Microsoft Office 365 offboarding process involves securing your work environment from data leaks. One such component involves eliminating forwarding messages to external addresses to remove the risk of sharing confidential information. These mail forwarding rules in Exchange Online may have been set by the user or by the previous administration team for legitimate reasons at the time. And it’s important to be aware of all of these as sources of breaches especially when the source can be a user who has left the company.

______________________________________________________________________

In this article, I’ll describe how to find email forwarding settings in order to turn them off or simply remove them. I’ll demonstrate how to manage them for a single user in the Office 365 portal, as well as with some PowerShell scripting options.  

Often, managing multiple users is problematic because the O365 admin portal is limited by its UI. Admins resort to PowerShell to get it done but don’t always have the skills for elaborate scripting. Disclaimer: I’m not a PowerShell power user myself so I resort to internet searches to find ready-to-use scripts that can help. I’ve tested them out and shared them here. 

Then finally, at the end, I’ll show you how some parts can be done easier with our third-party tool, sapio365.

Managing mail forwarding rules was demonstrated in the webinar

Speed up multi-user offboarding in Office 365 with sapio365

User-defined SMTP email forwarding 

In this scenario, Grady has set up mail forwarding in several ways. One way is via his Outlook settings.

 

The good news is that I can see it in the Admin center by selecting the user and clicking on ‘Manage email forwarding’ in the Mail tab. From here, I can simply remove it. 

Forwarding rule in Exchange Online Admin Center 

Besides rules set by the user, previous Exchange admins may have also set forwarding rules on a user’s mailbox in the same manner as above or via the Exchange Online admin center.  

These are accessible in the Exchange Online admin center by selecting a mailbox then clicking on ‘Manage mail flow settings.  

Note here that while you can have multiple forwarding addresses setbecause they’re all internal to the organization, the security risk is relatively low. 

In fact, when this rule is set, the user-defined STMP rule is overridden.  

 

Warning message setting up forwarding rule in Exchange Online admin center.

PowerShell 

Since it doesn’t make sense to do this for each mailbox if we were offboarding multiple users, I’ve searched for PowerShell scripts that can help. 

First, let’s connect to Exchange Online PowerShell. Simply supply your credentials when prompted. 

Now that you’re all set, here’s a PowerShell script that searches every mailbox to return only those that have a value set for the two forwarding settings described earlier 

Note: If you only want to retrieve potential externally forwarding rules, remove “{($_.ForwardingAddress -ne $Null) -or. 

 

To clean things up and delete these two forwarding rules for all mailboxes, use this script to nullify those parameters. 

Transport Rules 

It’s worth mentioning that there may also be forwarding rules in place in the form of Office 365 Transport Rules created by previous administrators. You can find and change these in the Exchange Online Admin center. 

PowerShell 

This simple script gives you the same list but with a description to let you know what each does. 

Users inbox rules 

Lastly, let’s look at the most common way users set up mail forwarding rules by navigating to the Rules section of their Outlook settings. Here you can see that Grady has set up two rules, including the “Send me a copy” rule which forwards messages to an external email address.  

Grady's Outlook - Rules

 

Unfortunately, short of logging in as that user to access his mail rules, I’m not able to see these user-set rules in any of the available admin centers. The only native solution I found to access them is through PowerShell.

PowerShell

I start by finding one that works on a single user with the properties I’m interested in. In the case of mail rules, the cmdlet to use for a single mailbox is:

 

To get all mail rules for all mailboxes, I used this script, which worked for me. Be warned: this may take a lot of time depending on the volume of mailboxes to process, and if it does, you’ll be asked to re-authenticate.  

List all rules for each mailbox

 

Once you have identified externally forwarding mail rules, you can remove each one with the following script. 

Delete a mail rule

 

Of course, identifying and removing forwarding inbox rules becomes tedious to do if you’re dealing with several mailboxes, each with its own rules. 

This is usually when you call upon the scripting services of a PowerShell expert! 

sapio365 – simpler than PowerShell 

At this point, I’d like to introduce sapio365 as an easy alternative to scripting your way to your users’ mail rules. 

Briefly, sapio365 is a thick client that installs on your pc and connects you directly to your Office 365 tenant data, so you can see everything in a global view no matter the volume 

In this case, I’m selecting several users and requesting their mail rules with just one click. You can see every mail rule each user has set up underneath the user’s name. Each rule is broken down to its components – conditions, actions, exceptions – so that you know exactly what that rule does 

 

Since I’m only interested in the “Forward to” action component, I filter out all others. I can then select and remove them just as easily. 

The beauty of sapio365 is that it doesn’t require any PowerShell scripting to handle multiple queries and takes care of the information layout for you. Also, sapio365 may complete high volume tasks in as much time or less than the fanciest PowerShell script but is far more reliable in that it does not time out. 

 

In fact, I can schedule a weekly job in the off-hours. This is to be able to sweep through all the mailboxes looking for rules that forward to external email addresses. When it’s done, I’ll get emailed report outlining who’s got these inbox forwarding rules set upOf course like all automated jobs in sapio365, it can be tweaked to actually remove the culprits as it finds them! 

 

I hope reading this article was as helpful to you as it was for me to write it.

Please feel free to share your thoughts on the subject. Because I don’t know about you, but I learn a lot from comments on blog posts 😊 

Keep me posted on more like this!

We’ll keep you up to date on new technical articles, tips and tricks, and upcoming events.

We don’t spam, and you can unsubscribe at any time.

Share This