Exchange Server and Exchange Online allow your users to automatically forward email to an external email address. Over the years, I’ve written about forwarding email to an external email address in Exchange, the risks of forwarding work email to personal email accounts and listing users with email forwarding enabled.

Figure 1: Automatic email forwarding options in Outlook Web App in Exchange Server and Exchange Online

Allowing users to automatically forward mail to an external email address brings the risk of information leakage. Additionally, users can select the option to not keep a copy of the message in the mailbox. If the message does not get delivered to a mailbox at all, it can’t be archived and won’t be available for eDiscovery. This is by design. However, it’s important to note that this may result in your organization being out of compliance and you should change the settings in your Exchange organization, as explained below, to prevent this from occurring.

You can capture messages in the transport pipeline by using Journaling, which creates a copy of the message and delivers it with a Journal report to a journaling mailbox (or more appropriately, a journaling recipient). The merits and demerits of using Journaling versus In-Place Archiving, In-Place Hold and Litigation Hold make for interesting conversation but are beyond the scope of this article.

For now, let’s find out how to disable automatic email forwarding in Exchange Online and Exchange Server.

Role-Based Access Control (RBAC) puts you in control

Exchange Server and Exchange Online provide you great granular control over what your users can and cannot do using Role-Based Access Control.

Brief RBAC 101: Exchange controls the settings a user can change using a Management Role Assignment Policy. A Role Assignment Policy consists of a number of Management Roles and a Management Role contains Management Role Entries – the basic building block that defines each Exchange cmdlet and the parameters of the cmdlet that a user can use. You can think of the Management Role Entry as the equivalent of file level NTFS permission (aka an Access Control Entry) that applies to Exchange cmdlets and parameters. Of course, most users will never learn of this complexity as they change their settings using the UX in OWA (and Outlook).

The default Role Assignment Policy assigned to users is the Default Role Assignment Policy. If you look at the Permissions slab in the EAC, you can change the individual roles included in the policy, but you can’t change the individual cmdlets and parameters that each role provides. What this means is that you can’t specifically disable forwarding-related parameters using the EAC.

Remove email forwarding parameters from the Default Role Assignment Policy

The following forwarding-related parameters of a mailbox are configured using the Set-Mailbox cmdlet:

  • DeliverToMailboxAndForward
  • ForwardingAddress
  • ForwardingSmtpAddress

Let’s find out which Management Roles include these parameters of Set-Mailbox:

Get-ManagementRole -Cmdlet Set-Mailbox -CmdletParameters ForwardingSmtpAddress

This returns a list of 3 Management Roles:

Name             RoleType
----             --------
Mail Recipients  MailRecipients
User Options     UserOptions
MyBaseOptions    MyBaseOptions

Out of the three roles, the Default Role Assignment Policy includes the MyBaseOptions role. You can’t modify the default MyBaseOptions role. But you can create a new Management Role (e.g. MyBaseOptions-NoForwarding) based on the MyBaseOptions role and then modify the Default Role Assignment Policy to replace MyBaseOptions with the new role.

Figure 2: The MyBaseOptions management role in the Default Role Assignment Policy allows users to set up automatic email forwarding

1. Create a new management role based on the MyBaseOptions role

This command creates a new Management Role called MyBaseOptions-NoForwarding based on the MyBaseOptions role.

New-ManagementRole MyBaseOptions-NoForwarding -Parent MyBaseOptions

2. Remove the forwarding-related parameters from the MyBaseOptions-NoForwarding role

This command removes the forwarding-related parameters from the new MyBaseOptions-NoForwarding role.

Set-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

PowerShell Tip: List parameters included in a management role entry

A management role has entries for each cmdlet and its parameters that someone who’s assigned the role is allowed to use. Use this command to list the parameters of a cmdlet included in a management role entry:

(Get-ManagementRoleEntry <ManagementRoleName>\<CmdletName>).parameters

This command retrieves all parameters of Set-Mailbox cmdlet included in role entries in the MyBaseOptions-NoForwarding role:

(Get-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox).parameters

3. Replace the MyBaseOptions role in Default Role Assignment Policy with MyBaseOptions-NoForwarding

If you want to disable automatic email forwarding for all users in your organization, you should modify the Default Role Assignment Policy to replace the default MyBaseOptions role with the new MyBaseOptions-NoForwarding role you created. You can do this easily using the EAC:

  1. In the EAC, go to Permissions > User Roles and edit the Default Role Assignment Policy
  2. You’ll notice that both the MyBaseOptions and the new role MyBaseOptions-NoForwarding are selected. Clear MyBaseOptions and then select MyBaseOptions-NoForwarding.

    Figure 3: Uncheck MyBaseOptions and then check MyBaseOptions-NoForwarding

It takes some time for the policy to refresh. Now if the users go to User Options in OWA, they won’t see the Forwarding options.

Figure 4: No email forwarding options in Outlook Web App in Exchange Server and Exchange Online
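The three steps above, scripted end to end, as an added example that is not part of the original post. It replaces the EAC part of step 3 with the equivalent role-assignment cmdlets and verifies the result before swapping roles. It assumes a session in the Exchange Management Shell or Exchange Online PowerShell that holds the Role Management role; the role and policy names are the ones used in this article.

```powershell
# Added example: script steps 1-3 and swap the roles with PowerShell instead of the EAC.
# Assumes an Exchange PowerShell session with the Role Management role.
$NewRole = 'MyBaseOptions-NoForwarding'
$Policy  = 'Default Role Assignment Policy'
$ForwardingParams = 'DeliverToMailboxAndForward', 'ForwardingAddress', 'ForwardingSmtpAddress'

# Step 1: derive the custom role from MyBaseOptions (skip if it already exists,
# so the script can be re-run safely)
if (-not (Get-ManagementRole $NewRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $NewRole -Parent 'MyBaseOptions' | Out-Null
}

# Step 2: strip the forwarding parameters from the role's Set-Mailbox entry.
# Only remove parameters the entry actually contains, so the cmdlet does not
# fail on a version/tenant where one of them is already absent.
$entry   = Get-ManagementRoleEntry "$NewRole\Set-Mailbox"
$present = $ForwardingParams | Where-Object { $entry.Parameters -contains $_ }
if ($present) {
    Set-ManagementRoleEntry "$NewRole\Set-Mailbox" -RemoveParameter -Parameters $present
}

# Verify before touching the policy: none of the forwarding parameters may remain
$remaining = (Get-ManagementRoleEntry "$NewRole\Set-Mailbox").Parameters |
             Where-Object { $ForwardingParams -contains $_ }
if ($remaining) {
    throw "Forwarding parameters still present on $NewRole\Set-Mailbox: $($remaining -join ', ')"
}

# Step 3: add the new role to the policy first, then remove MyBaseOptions, so
# users never lose their base options entirely while the change is applied.
if (-not (Get-ManagementRoleAssignment -Role $NewRole -RoleAssignee $Policy -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $NewRole -Policy $Policy | Out-Null
}
Get-ManagementRoleAssignment -Role 'MyBaseOptions' -RoleAssignee $Policy |
    Remove-ManagementRoleAssignment -Confirm:$false

# Show the roles the policy now grants
(Get-RoleAssignmentPolicy $Policy).AssignedRoles
```

The order in step 3 matters: adding MyBaseOptions-NoForwarding before removing MyBaseOptions means a user whose policy refreshes mid-change still has the non-forwarding parts of Set-Mailbox. If you have created additional role assignment policies, repeat the same swap for each one; the example only touches the default policy.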

Remove automatic email forwarding for users who’ve already set it up

Modifying the Default Role Assignment Policy or creating and applying a new role assignment policy prevents users from setting up automatic email forwarding in the future. You’ll also need to check and disable automatic forwarding for users who may have already set it up.

Use this command to list users who have set up automatic email forwarding to an external address. Get-Mailbox returns only the first 1000 mailboxes by default, so -ResultSize Unlimited is needed to audit the whole organization:

Get-Mailbox -ResultSize Unlimited -Filter {Name -notlike "DiscoverySearchMailbox*" -and ForwardingSmtpAddress -ne $null} | ft Name,*Forward* -AutoSize

Inspect the list of mailboxes returned and the email addresses they forward to.

Use this command to remove automatic email forwarding for users who have it set up. Note that it clears only ForwardingSmtpAddress, the parameter users set themselves from OWA; a ForwardingAddress pointing to an internal contact or mail user is set by administrators and is left untouched:

Get-Mailbox -ResultSize Unlimited -Filter {Name -notlike "DiscoverySearchMailbox*" -and ForwardingSmtpAddress -ne $null} | Set-Mailbox -ForwardingSmtpAddress $null
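The audit-then-remediate version of the two commands above, as an added example that is not part of the original post. It keeps an evidence CSV of what was forwarding where before anything is changed, classifies each target as internal or external using the organization's own accepted domains rather than a hard-coded list, and clears only user-settable forwarding. It assumes an Exchange PowerShell session; the -Remediate switch and the report file name are this example's own conventions.

```powershell
# Added example: report mailbox-level forwarding, keep evidence, then (optionally) remove it.
# Assumes an Exchange PowerShell session. Run without -Remediate first to review the report.
param(
    [switch]$Remediate,
    [string]$Report = ".\forwarding-audit-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
)

# Accepted domains define "internal"; anything else is external
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

function Test-ExternalSmtp {
    param([string]$Address)
    # ForwardingSmtpAddress is stored as "smtp:user@domain"
    $domain = ($Address -replace '^smtp:', '').Split('@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

# -ResultSize Unlimited: the default cap of 1000 silently truncates large tenants.
# Both forwarding properties are queried so admin-set forwarding shows up in the report too.
$forwarders = Get-Mailbox -ResultSize Unlimited -Filter {
    (ForwardingSmtpAddress -ne $null) -or (ForwardingAddress -ne $null)
} | Where-Object { $_.Name -notlike 'DiscoverySearchMailbox*' }

$rows = foreach ($mbx in $forwarders) {
    $external = $false
    if ($mbx.ForwardingSmtpAddress) { $external = Test-ExternalSmtp "$($mbx.ForwardingSmtpAddress)" }
    [pscustomobject]@{
        Mailbox                    = "$($mbx.PrimarySmtpAddress)"
        ForwardingSmtpAddress      = "$($mbx.ForwardingSmtpAddress)"   # user-settable (OWA)
        ForwardingAddress          = "$($mbx.ForwardingAddress)"       # admin-set internal recipient
        DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward   # $false = no copy kept for eDiscovery
        External                   = $external
    }
}

$rows | Export-Csv -Path $Report -NoTypeInformation
$rows | Format-Table -AutoSize
Write-Host "Report written to $Report"

if ($Remediate) {
    # Clear only what users can set themselves; leave admin-configured
    # ForwardingAddress entries for the owning team to review.
    $rows | Where-Object { $_.External } | ForEach-Object {
        Set-Mailbox -Identity $_.Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
    }
}
```

The DeliverToMailboxAndForward column is worth reading before remediation: a mailbox with an external ForwardingSmtpAddress and DeliverToMailboxAndForward set to false has been sending mail out of the organization without keeping a copy, which is exactly the eDiscovery gap described at the start of the article.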

Disable automatic email forwarding using Inbox rules

Removing forwarding options and disabling existing auto-forwarding settings prevents server-side automatic forwarding. But your users may still be able to use mechanisms such as Inbox Rules in Outlook and OWA or other email clients to automatically forward email to external users. To disable client-side automatic email forwarding outside your organization, you must configure Remote Domain settings.

Use the EAC to disable automatic email forwarding to external domains

  1. In the EAC, go to Mailflow > Remote Domains
  2. Select the remote domains for which you want to disable automatic email forwarding. Settings for the Default remote domain (the * namespace) apply to every external domain that does not have a Remote Domain entry of its own. If you want to allow automatic email forwarding to specific domains, create new Remote Domains for them; a more specific Remote Domain takes precedence over Default.
  3. In Default remote domain settings, clear Allow automatic forwarding.

    Figure 5: Configure Remote Domain settings to disable automatic email forwarding from the client

Or use this PowerShell command:

Set-RemoteDomain Default -AutoForwardEnabled $false
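The Remote Domain control from PowerShell, plus a check for the client-side mechanism the previous section warns about, as an added example that is not part of the original post. It blocks auto-forwarding on the Default remote domain, shows how a single partner domain can be exempted with a more specific Remote Domain, and then enumerates Inbox Rules that forward or redirect to addresses outside the accepted domains. It assumes an Exchange PowerShell session; partner.example is a placeholder domain.

```powershell
# Added example: apply and verify the Remote Domain setting, then find inbox rules
# that forward or redirect externally. Assumes an Exchange PowerShell session;
# 'partner.example' is a placeholder for a domain you intentionally allow.

# 1. Block auto-forwarding for every domain without a Remote Domain of its own
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Optional: a more specific Remote Domain wins over Default, so forwarding can
#    be allowed for one partner domain without re-opening it for everyone.
$partner = 'partner.example'
if (-not (Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $partner })) {
    New-RemoteDomain -Name "Partner - $partner" -DomainName $partner | Out-Null
}
Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $partner } |
    Set-RemoteDomain -AutoForwardEnabled $true

# 3. Verify the effective settings
Get-RemoteDomain | Format-Table Name, DomainName, AutoForwardEnabled -AutoSize

# 4. Inbox rules with ForwardTo / ForwardAsAttachmentTo / RedirectTo targets outside
#    the accepted domains. Entries look like: "Display Name" [SMTP:user@domain]
#    for external recipients (internal ones carry an [EX:...] legacy DN instead).
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$findings = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)) {
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ("$t" -match '\[SMTP:([^\]]+)\]') {
                $domain = $Matches[1].Split('@')[-1].ToLower()
                if ($internalDomains -notcontains $domain) {
                    [pscustomobject]@{
                        Mailbox = "$($mbx.PrimarySmtpAddress)"
                        Rule    = $rule.Name
                        Enabled = $rule.Enabled
                        Target  = $Matches[1]
                    }
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Step 4 calls Get-InboxRule once per mailbox, which is slow in a large organization; scope it to a department with a tighter Get-Mailbox filter or run it as a scheduled job. The Remote Domain setting stops these rules from delivering externally, but listing them tells you which users had been doing it, which is the more useful fact for an investigation.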

Exchange Server and Exchange Online provide you the means to apply granular controls via RBAC and Role Assignment Policies. Use PowerShell to quickly get reporting data and change settings for a large number of users.
