Hi Arindam,
This has been one of the best articles on blocking external forwarding that I have found, but it leaves some unanswered questions for my specific situation. We would like to block users from creating new rules for automatic forwarding to external domains. In other words, I wish to allow only the existing automatic forwarding rules to external domains (a whitelist).
We are a hybrid environment with all mailboxes migrated to EOL.
Requirements:
- Existing automatic forwarding rules must remain active due to politics, and we will work to manually audit and remediate existing forwarding on a per-user basis.
- Administrators will need to be able to create automatic forwarding rules for specific users to external domains without creating rule exceptions, modifying policies, or editing mail flow. This is to avoid workflow delays due to required CAB approval and to simplify support tickets.
- All users should be able to manually forward emails and utilize OOF automatic replies.
- Block users from utilizing OOF settings to automatically forward emails.
Based on your article, a transport rule would be the best option available, but I am unable to find documentation that confirms existing automatic forwarding rules would remain enabled. Your article states that admins would be able to utilize the EAC (ForwardingAddress) to configure new requests. I understand that OWA users would still be able to create new automatic forwarding using the web app (ForwardingSmtpAddress). I could utilize RBAC to hide those options in OWA.
Would a transport rule utilizing the following settings meet my requirements? I have included additional IF conditions to try and improve efficiency:
Apply this rule if The message properties, message type = Auto-Forward
And The recipient is, external/internal = Outside the organization
Block the message, Reject the message without an explanation (my understanding is that utilizing an NDR would not notify the user attempting to create the forwarding rule, and would likely create confusion for end users, as only the sender would receive notifications)
No exceptions
Some have recommended including exceptions for the administrators group but while testing, I was unable to choose a Group, only specific users.
Unfortunately, email security is secondary to end-user convenience at this time, primarily due to business politics, but I am open to any suggestions that will chip away at this risk, even partial solutions.
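The rule described in the comment above, expressed with Exchange Online PowerShell, together with the per-mailbox audit of existing forwarding that the commenter says they want to run. This is an added example; it is not code from the original article or from the commenter. It assumes an Exchange Online PowerShell session is already connected, the rule name and the exempt group address are placeholders, and the CSV paths are arbitrary. One check worth doing before enabling the rule: a transport rule acts on messages in transit rather than on the inbox rules themselves, so existing forwarding rules stay configured but the auto-forwarded mail they generate is evaluated by the same condition, which is why the rule is created disabled and the inventory is exported first.

```powershell
# Added example (not the article's or the commenter's own code).
# Assumes Connect-ExchangeOnline has already been run in this session.

# 1. Inventory the tenant-wide switches that already govern auto-forwarding.
#    AutoForwardingMode on the outbound spam policy and AutoForwardEnabled on the
#    default remote domain apply to all auto-forwarding, existing rules included,
#    so they are read here for awareness and deliberately not changed.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled, AutoReplyEnabled

# 2. Mailbox-level forwarding set by admins (ForwardingAddress) or by users in
#    OWA (ForwardingSmtpAddress). This is the starting point for the whitelist.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward
$mailboxForwarding | Export-Csv -Path .\mailbox-forwarding.csv -NoTypeInformation

# 3. Inbox rules that forward or redirect mail. These are the user-created rules
#    the transport rule is meant to stop from proliferating.
$inboxRuleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$inboxRuleForwarding | Export-Csv -Path .\inboxrule-forwarding.csv -NoTypeInformation

# 4. The transport rule from the comment: auto-forwarded messages addressed
#    outside the organization are rejected with an enhanced status code and no
#    reason text. Created disabled so it can be reviewed against the exports
#    above, then turned on with Enable-TransportRule.
New-TransportRule -Name 'Block new external auto-forwarding (PLACEHOLDER NAME)' `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Enabled $false `
    -Comments 'Rejects auto-forwarded mail leaving the tenant; audit existing forwarding first.'

# Optional: exempt a group rather than individual users. -ExceptIfFromMemberOf
# accepts a distribution group or mail-enabled security group (placeholder below).
# Verify in a test mailbox which sender the exception sees for inbox-rule
# forwards, redirects and mailbox-level forwarding, as they do not all present
# the forwarding mailbox as the sender.
# Set-TransportRule -Identity 'Block new external auto-forwarding (PLACEHOLDER NAME)' `
#     -ExceptIfFromMemberOf 'forwarding-exempt@example.com'
```

Run sections 1 to 3 first and keep the two CSV files as the baseline for the per-user remediation; section 4 can then be enabled once the baseline has been reviewed, and re-running sections 2 and 3 on a schedule shows any forwarding that appears after that point.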