Disable automatic email forwarding in Office 365 and Exchange Server

by Bharat Suneja

Exchange Server and Exchange Online allow your users to automatically forward email to an external email address. Over the years, I’ve written about forwarding email to an external email address in Exchange, the risks of forwarding work email to personal email accounts and listing users with email forwarding enabled.


Figure 1: Automatic email forwarding options in Outlook Web App in Exchange Server and Exchange Online

Allowing users to automatically forward mail to an external email address brings the risk of information leakage. Additionally, users can select the option to not keep a copy of the message in the mailbox. If the message does not get delivered to a mailbox at all, it can’t be archived and won’t be available for eDiscovery. This is by design. However, it’s important to note that this may result in your organization being out of compliance and you should change the settings in your Exchange organization, as explained below, to prevent this from occurring.

If messages are never delivered to a mailbox, they can’t be archived and won’t be available for eDiscovery.

You can capture messages in the transport pipeline by using Journaling, which creates a copy of the message and delivers it with a Journal report to a journaling mailbox (or more appropriately, a journaling recipient). The merits and demerits of using Journaling v/s In-Place Archiving, In-Place Hold and Litigation Hold make for interesting conversation but are beyond the scope of this article.

Update 08/13/2015: Microsoft has now added functionality to archive auto-forwarded messages for users on Hold. See Archiving auto-forwarded messages in Exchange Online and Exchange Server.

For now, let’s find out how to disable automatic email forwarding in Exchange Online and Exchange Server.

Role-Based Access Control (RBAC) puts you in control

Exchange Server and Exchange Online provide you great granular control over what your users can and cannot do using Role-Based Access Control.

Brief RBAC 101: Exchange controls the settings a user can change using a Management Role Assignment Policy. A Role Assignment Policy consists of a number of Management Roles and a Management Role contains Management Role Entries – the basic building block that defines each Exchange cmdlet and the parameters of the cmdlet that a user can use. You can think of the Management Role Entry as the equivalent of file level NTFS permission (aka an Access Control Entry or ACE) that applies to Exchange cmdlets and parameters. Of course, most users will never learn of this complexity as they change their settings using the UX in OWA (and Outlook).

The default Role Assignment Policy assigned to users is the Default Role Assignment Policy. If you look at the Permissions slab in the EAC, you can change the individual roles included in the policy, but you can’t change the individual cmdlets and parameters that each role provides. What this means is that you can’t specifically disable forwarding-related parameters using the EAC.

Remove email forwarding parameters from the Default Role Assignment Policy

The following forwarding-related parameters of a mailbox are configured using the Set-Mailbox cmdlet:

  • DeliverToMailboxAndForward
  • ForwardingAddress
  • ForwardingSmtpAddress

Let’s find out which Management Roles include these parameters of Set-Mailbox:

Get-ManagementRole -cmdlet Set-Mailbox -CmdletParameters ForwardingSmtpAddress

This returns a list of 3 Management Roles:

Name RoleType
—- ——–
Mail Recipients MailRecipients
User Options UserOptions
MyBaseOptions MyBaseOptions

Out of the three roles, the Default Role Assignment Policy includes the MyBaseOptions role. You can’t modify the default MyBaseOptions role. But you can create a new Management Role (e.g. MyBaseOptions-NoForwarding) based on the MyBaseOptions role and then modify the Default Role Assignment Policy to replace MyBaseOptions with the new role.


Figure 2: The MyBaseOptions management role in the Default Role Assignment Policy allows users to set up automatic email forwarding

1. Create a new management role based on the MyBaseOptions role

This command creates a new Management Role called MyBaseOptions-NoForwarding based on the MyBaseOptions role.

New-ManagementRole MyBaseOptions-NoForwarding -Parent MyBaseOptions

2. Remove the forwarding-related parameters from the MyBaseOptions-NoFowarding role

This command removes the forwarding-related parameters from the new MyBaseOptions-NoForwarding role.

Set-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

PowerShell Tip: List parameters included in a management role entry

A management role has entries for each cmdlet and its parameters that someone who’s assigned the role is allowed to use. Use this command to list the parameters of a cmdlet included in a management role entry:

(Get-ManagementRoleEntry <ManagementRoleName>\<CmdletName>).parameters

This command retrieves all parameters of Set-Mailbox cmdlet included in role entries in the MyBaseOptions-NoForwarding role:

(Get-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox).parameters

3. Replace the MyBaseOptions role in Default Role Assignment Policy with MyBaseOptions-NoForwarding

If you want to disable automatic email forwarding for all users in your organizations, you should modify the Default Role Assignment Policy to replace the default MyBaseOptions role with the new MyBaseOptions-NoForwarding role you created. You can do this easily using the EAC:

  1. In the EAC, go to Permissions > User Roles and edit the Default Role Assignment Policy
  2. You’ll notice that both the MyBaseOptions and the new role MyBaseOptions-NoForwarding are selected. Clear MyBaseOptions and then select MyBaseOptions-NoForwarding.


    Figure 3: Unchek MyBaseOptions and then check MyBaseOptions-NoForwarding

It takes some time for the policy to refresh. Now if the users go to User Options in OWA, they won’t see the Forwarding options.


Figure 4: No email forwarding options in Outlook Web App in Exchange Server and Exchange Online

Remove automatic email forwarding for users who’ve already set it up

Modifying the Default Role Assignment Policy or creating and applying a new role assignment policy prevents users from setting up automatic email forwarding in the future. You’ll also need to check and disable automatic forwarding for users who may have already set it up.

  1. Use this command to list users who have set up automatic email forwarding to an external address:

    Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and ForwardingSmtpAddress -ne $null}
    | ft name,*forward* -auto

    Update 9/27/2017: While testing the command again in response to a comment, I noticed there are two forwarding-related parameters. More in Set-Mailbox cmdlet help for details.

    • ForwardingAddress, which is used to specify a recipient inside your organization, and
    • ForwardingSmtpAddress, used to specify the SMTP address of a recipient who’s typically outside the organization.

    To list both internal and external forwarding recipients, use this updated command:

    Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and (ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null)} | ft name,*forward* -auto

  2. Inspect the list of mailboxes returned and the email addresses they forward to.

    Use this command to remove automatic email forwarding to external recipients:

    Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and ForwardingSmtpAddress -ne $null}
    | Set-Mailbox -ForwardingSmtpAddress $null

    Use this command to remove automatic email forwarding to internal and external recipients:

    Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and (ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null)}
    | Set-Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null

Disable automatic email forwarding using Inbox rules

Removing forwarding options and disabling existing auto-forwarding settings prevents server-side automatic forwarding. But your users may still be able to use mechanisms such as Inbox Rules in Outlook and OWA or other email clients to automatically forward email to external users. To disable client-side automatic email forwarding outside your organization, you must configure Remote Domain settings.

Use the EAC to disable automatic email forwarding to external domains

  1. In the EAC, go to Mailflow > Remote Domains
  2. Select the remote domains for which you want to disable automatic email forwarding. Settings for the Default remote domain (the * namespace) apply to all external domains. If you want to allow automatic email forwarding to specific domains, you can create new Remote Domains.
  3. In Default remote domain settings, clear Allow automatic forwarding.


    Figure 5: Configure Remote Domain settings to disable automatic email forwarding from the client

Or use this PowerShell command:

Set-RemoteDomain Default -AutoForwardEnabled $false

Exchange Server and Exchange Online provide provide you the means to apply granular controls via RBAC and Role Assignment Policies. Use PowerShell to quickly get reporting data and change settings for large number of users.

{ 30 comments… read them below or add one }

Murali July 13, 2015 at 1:28 am

How to remove the role’s management role assignments.

Reply

Chyenne Mollohan August 8, 2018 at 7:14 am

I read the whole article and was like, what a process! We’ll need to consider the impact of users not being able to forward at all.

Does removing the attributes from the New Role also disable the ability to forward to both internal and external addresses?

“Or just use this Powershell Command”. I nearly died laughing at that.

Reply

Jason Gutierrez November 23, 2015 at 11:18 am

What I’m looking for is the next step, which would say [email protected] cannot forward, but [email protected] can.

Reply

[email protected] December 11, 2015 at 5:59 pm

Jason I think you may can create a Role Management Scope to which the Role Entry will Apply to and then granularly control who belongs groups/users who are part of each scope of policy application.

Reply

Frank December 11, 2015 at 6:24 pm

How long it takes the settings to apply?
Implemented the change 30mins ago, logged out and back in and the Forwarding option is still there.

Reply

Magnus March 4, 2016 at 2:07 am

Did you ever get it to work Frank?.

Reply

Frank March 4, 2016 at 10:38 am

Yes Magnus it worked.
I was logging as an admin hence the option was still there.
When I logged on as an user I noticed the option disappeared.

Reply

Magnus March 11, 2016 at 2:29 am

Thanks a lot!, my issues was exactly the same!

Reply

Ian Oh October 25, 2016 at 9:37 pm

Thank you for the article, It works for non-admin user which is great and how can I bring back to what it was before? I mean how can I remove the MyBaseOptions-NoForwarding from the MyBaseOptions?

Reply

Nikki R January 26, 2017 at 5:34 am

Remove-RemoteDomain Default -AutoForwardEnabled $false

Reply

Victor Onofrei July 27, 2017 at 3:56 am

You can either run: Remove-ManagementRole “MyBaseOptions-NoForwarding” as per: https://technet.microsoft.com/en-us/library/dd351170(v=exchg.160).aspx
But I recommend you leave it there and just check the parent MyBaseOptions. This will allow you to play with the role in the feature and simply disable its effects.

Reply

Matthew Wie September 21, 2017 at 8:33 am

I can’t seem to get the query to identify users with forwards to work.

Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and ForwardingSmtpAddress -ne $null} | ft name,*forward* -auto

This results in;

Cannot bind parameter ‘Filter’ to the target. Exception setting “Filter”: “Invalid filter syntax. For a description of the filter parameter syntax see the command help.
“Name -notlike “DiscoverySearchMailbox*” -and ForwardingSmtpAddress -ne $null” at position 16.”

Reply

Bharat Suneja September 27, 2017 at 1:05 pm

Works for me. However, while testing this, I notice there are two Forwarding* parameters – 1) ForwardingAddress (typically specifies recipient in the same org) and 2) ForwardingSmtpAddress (typically external SMTP address). So updated query to list all recipients should be:

Get-Mailbox -Filter {Name -notlike “DiscoverySearchMailbox*” -and (ForwardingSmtpAddress -ne $null -or ForwardingAddress -ne $null)} | ft name,*forward* -auto

Reply

Roy Hutton September 28, 2017 at 8:24 am

get-mailbox * | select-object WindowsEmailAddress, ForwardingSMTPAddress | export-csv c:\forwarding.csv

Reply

Rick November 27, 2017 at 10:35 pm

The reason he got that error, which I got too initially, is because a copy/paste from this blog can easily give you “fancy” (high-order ASCII) quotes, and PowerShell, unfortunately, chokes on them.

Manually type in the quotes in the command or correct them in a text editor before pasting.

Reply

Bryan July 2, 2018 at 7:03 pm

Thanks for the comment on the “fancy” quotes. Yeah, I replaced it with normal quotes and it worked.

Reply

Peter August 29, 2018 at 1:30 am

Hey,

Remove the curly brackets between the DiscoverySearchMailbox and replace with single quote. It should look like;
Get-Mailbox -Filter {Name -notlike ‘DiscoverySearchMailbox*’ -and ForwardingSmtpAddress -ne $null} | ft name,*forward* -auto

Reply

Roy Hutton September 28, 2017 at 8:22 am

Excellent and useful information, thanks for this.

Reply

SS February 6, 2018 at 12:20 am

Thanks Bharat for this excellent article!

I had a question regarding the use of default Remote Domains settings and setting to clear Allow automatic forwarding, will this not have an impact on Out of Office (OOF) messages being sent to external domains?

Reply

Bharat Suneja February 13, 2018 at 9:41 am

No. Automatic forwarding is different than automatic replies (OOFs).

Reply

SysIT March 21, 2018 at 8:20 am

Hello,

Great guide, a note, you can also add it on a per user basis also if you need to. We have a single contact for the company who has forward (C level) but we are blocking it for everyone else.

https://blogs.technet.microsoft.com/educloud/2012/07/05/turning-off-forwarding-in-exchange-online/

Reply

Joe Gomez April 25, 2018 at 3:03 pm

Great article but I after disabling Remote Domains using the default domain, it effectively stops forwarding that has been set up in office 365 as well however the article suggests only mailbox rules. If this is the case all the other configurations seem to be pointless if this is all you want to do. Also, I’m looking to block everyone with the option to allow exceptions and this setting seems to be an all or nothing rule.

Reply

Jeff May 22, 2018 at 9:15 am

I too have noticed that the last step, in Remote Domains stopped all forwarding. That was not wanted. We still wanted a handful of people to be allowed to forward.
How can I allow a few people to forward?

Reply

rory June 10, 2018 at 4:09 am

Hi Bhuarat, following your intro here, I also figured out how to stop inbox rules from forwarding in owa.

Set-ManagementRoleEntry MyBaseOptions-NoForwarding\New-InboxRule -RemoveParameter -Parameters ForwardTo,RedirectTo,ForwardAsAnAttachment

Reply

Bharat Suneja July 2, 2018 at 12:45 pm

Awesome!

Reply

Sam December 11, 2018 at 10:59 pm

Out of interest, will using the two powershell scripts to remove current forwarding and prevent future forwarding by users also remove admin-placed forwarding direct from the admin center?

For example: I have a couple of internal email addresses which are intentionally forwarded to other internal email addresses. I want these to stay in place. They were set inside the admin center. I also want to be able to create more of these in future through the admin center. Will using the powershell script to remove current forwarding remove these as well? Will the prevent-forwarding script also prevent forwarding directly from the admin center?

Reply

Bharat Suneja December 12, 2018 at 7:50 pm

That should be easy to circumvent – dump users with forwarding addresses as shown in the post and then reconfigure the ones that the admin wants to.

Reply

Terry L. September 16, 2019 at 2:22 pm

I attempted to use the Default Role Assignment policy steps provided here. However the Forwarding option remains for OWA users. I got a Microsoft engineer on the phone and they informed me that Forwarding options can no longer be removed using these steps, or any method for that matter.

Is this still working for anyone else?

Reply

Matthew February 4, 2020 at 4:01 pm

This works to remove the Forwarding menu from OWA, however it does NOT stop users/hackers from creating auto-forwarding ‘rules’.

Reply

Martin February 3, 2023 at 7:05 am

@Matthew (February 4, 2020 at 4:01 pm)

To stop Outlook Client auto-forwarding rules to external this can be done by Mail flow rules.

Thanks

Reply

Leave a Comment

{ 2 trackbacks }

Previous post:

Next post: