Disable automatic email forwarding in Office 365 and Exchange Server

by Bharat Suneja

Exchange Server and Exchange Online allow your users to automatically forward email to an external email address. Over the years, I’ve written about forwarding email to an external email address in Exchange, the risks of forwarding work email to personal email accounts and listing users with email forwarding enabled.


Figure 1: Automatic email forwarding options in Outlook Web App in Exchange Server and Exchange Online

Allowing users to automatically forward mail to an external email address brings the risk of information leakage. Additionally, users can select the option to not keep a copy of the message in the mailbox. If the message does not get delivered to a mailbox at all, it can’t be archived and won’t be available for eDiscovery. This is by design. However, it’s important to note that this may result in your organization being out of compliance and you should change the settings in your Exchange organization, as explained below, to prevent this from occurring.

If messages are never delivered to a mailbox, they can’t be archived and won’t be available for eDiscovery.

You can capture messages in the transport pipeline by using Journaling, which creates a copy of the message and delivers it with a Journal report to a journaling mailbox (or more appropriately, a journaling recipient). The merits and demerits of using Journaling v/s In-Place Archiving, In-Place Hold and Litigation Hold make for interesting conversation but are beyond the scope of this article.

Update 08/13/2015: Microsoft has now added functionality to archive auto-forwarded messages for users on Hold. See Archiving auto-forwarded messages in Exchange Online and Exchange Server.

For now, let’s find out how to disable automatic email forwarding in Exchange Online and Exchange Server.

Role-Based Access Control (RBAC) puts you in control

Exchange Server and Exchange Online provide you great granular control over what your users can and cannot do using Role-Based Access Control.

Brief RBAC 101: Exchange controls the settings a user can change using a Management Role Assignment Policy. A Role Assignment Policy consists of a number of Management Roles and a Management Role contains Management Role Entries – the basic building block that defines each Exchange cmdlet and the parameters of the cmdlet that a user can use. You can think of the Management Role Entry as the equivalent of file level NTFS permission (aka an Access Control Entry) that applies to Exchange cmdlets and parameters. Of course, most users will never learn of this complexity as they change their settings using the UX in OWA (and Outlook).

The default Role Assignment Policy assigned to users is the Default Role Assignment Policy. If you look at the Permissions slab in the EAC, you can change the individual roles included in the policy, but you can’t change the individual cmdlets and parameters that each role provides. What this means is that you can’t specifically disable forwarding-related parameters using the EAC.

Remove email forwarding parameters from the Default Role Assignment Policy

The following forwarding-related parameters of a mailbox are configured using the Set-Mailbox cmdlet:

  • DeliverToMailboxAndForward
  • ForwardingAddress
  • ForwardingSmtpAddress

Let’s find out which Management Roles include these parameters of Set-Mailbox:

Get-ManagementRole -cmdlet Set-Mailbox -CmdletParameters ForwardingSmtpAddress

This returns a list of 3 Management Roles:

Name RoleType
—- ——–
Mail Recipients MailRecipients
User Options UserOptions
MyBaseOptions MyBaseOptions

Out of the three roles, the Default Role Assignment Policy includes the MyBaseOptions role. You can’t modify the default MyBaseOptions role. But you can create a new Management Role (e.g. MyBaseOptions-NoForwarding) based on the MyBaseOptions role and then modify the Default Role Assignment Policy to replace MyBaseOptions with the new role.


Figure 2: The MyBaseOptions management role in the Default Role Assignment Policy allows users to set up automatic email forwarding

1. Create a new management role based on the MyBaseOptions role

This command creates a new Management Role called MyBaseOptions-NoForwarding based on the MyBaseOptions role.

New-ManagementRole MyBaseOptions-NoForwarding -Parent MyBaseOptions

2. Remove the forwarding-related parameters from the MyBaseOptions-NoFowarding role

This command removes the forwarding-related parameters from the new MyBaseOptions-NoForwarding role.

Set-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

PowerShell Tip: List parameters included in a management role entry

A management role has entries for each cmdlet and its parameters that someone who’s assigned the role is allowed to use. Use this command to list the parameters of a cmdlet included in a management role entry:

(Get-ManagementRoleEntry <ManagementRoleName>\<CmdletName>).parameters

This command retrieves all parameters of Set-Mailbox cmdlet included in role entries in the MyBaseOptions-NoForwarding role:

(Get-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox).parameters

3. Replace the MyBaseOptions role in Default Role Assignment Policy with MyBaseOptions-NoForwarding

If you want to disable automatic email forwarding for all users in your organizations, you should modify the Default Role Assignment Policy to replace the default MyBaseOptions role with the new MyBaseOptions-NoForwarding role you created. You can do this easily using the EAC:

  1. In the EAC, go to Permissions > User Roles and edit the Default Role Assignment Policy
  2. You’ll notice that both the MyBaseOptions and the new role MyBaseOptions-NoForwarding are selected. Clear MyBaseOptions and then select MyBaseOptions-NoForwarding.


    Figure 3: Unchek MyBaseOptions and then check MyBaseOptions-NoForwarding

It takes some time for the policy to refresh. Now if the users go to User Options in OWA, they won’t see the Forwarding options.


Figure 4: No email forwarding options in Outlook Web App in Exchange Server and Exchange Online

Remove automatic email forwarding for users who’ve already set it up

Modifying the Default Role Assignment Policy or creating and applying a new role assignment policy prevents users from setting up automatic email forwarding in the future. You’ll also need to check and disable automatic forwarding for users who may have already set it up.

Use this command to list users who have set up automatic email forwarding to an external address:

Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and ForwardingSmtpAddress -ne $null}
| ft name,*forward* -auto

Inspect the list of mailboxes returned and the email addresses they forward to.

Use this command to remove automatic email forwarding for users who have it set up:

Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and ForwardingSmtpAddress -ne $null}
| Set-Mailbox -ForwardingSmtpAddress $null

Disable automatic email forwarding using Inbox rules

Removing forwarding options and disabling existing auto-forwarding settings prevents server-side automatic forwarding. But your users may still be able to use mechanisms such as Inbox Rules in Outlook and OWA or other email clients to automatically forward email to external users. To disable client-side automatic email forwarding outside your organization, you must configure Remote Domain settings.

Use the EAC to disable automatic email forwarding to external domains

  1. In the EAC, go to Mailflow > Remote Domains
  2. Select the remote domains for which you want to disable automatic email forwarding. Settings for the Default remote domain (the * namespace) apply to all external domains. If you want to allow automatic email forwarding to specific domains, you can create new Remote Domains.
  3. In Default remote domain settings, clear Allow automatic forwarding.


    Figure 5: Configure Remote Domain settings to disable automatic email forwarding from the client

Or use this PowerShell command:

Set-RemoteDomain Default -AutoForwardEnabled $false

Exchange Server and Exchange Online provide provide you the means to apply granular controls via RBAC and Role Assignment Policies. Use PowerShell to quickly get reporting data and change settings for large number of users.

{ 7 comments… read them below or add one }

Murali July 13, 2015 at 1:28 am

How to remove the role’s management role assignments.

Reply

Jason Gutierrez November 23, 2015 at 11:18 am
[email protected] December 11, 2015 at 5:59 pm

Jason I think you may can create a Role Management Scope to which the Role Entry will Apply to and then granularly control who belongs groups/users who are part of each scope of policy application.

Reply

Frank December 11, 2015 at 6:24 pm

How long it takes the settings to apply?
Implemented the change 30mins ago, logged out and back in and the Forwarding option is still there.

Reply

Magnus March 4, 2016 at 2:07 am

Did you ever get it to work Frank?.

Reply

Frank March 4, 2016 at 10:38 am

Yes Magnus it worked.
I was logging as an admin hence the option was still there.
When I logged on as an user I noticed the option disappeared.

Reply

Magnus March 11, 2016 at 2:29 am

Thanks a lot!, my issues was exactly the same!

Reply

Leave a Comment

{ 2 trackbacks }

Previous post:

Next post: