On demand disable forwarding? OWA and Outlook?

%3CLINGO-SUB%20id%3D%22lingo-sub-93117%22%20slang%3D%22en-US%22%3EOn%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-93117%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20recently%20saw%20a%20video%20(that%20I%20can%20no%20longer%20find)%20that%20seemed%20to%20show%20that%20it%20was%20possible%20to%20limit%20forwarding%20%22ala%20cart%22%20on%20outgoing%20e-mails%20in%20a%20way%20that%20would%20disallow%20forwarding%20within%20the%20organization%20and%20put%20a%20%22This%20should%20not%20be%20forwarded%22%20blurb%20in%20messages%20received%20outside%20the%20organization.%20Is%20this%20a%20thing%3F%20I%20know%20I%20can%20disable%20forwarding%20en%20masse%2C%20but%20I'm%20really%20looking%20to%20give%20the%20end%20user%20the%20option%20to%20enable%20on%20a%20per%20e-mail%20basis.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EM%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-93117%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%20center%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Administration%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-180246%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-180246%22%20slang%3D%22en-US%22%3E%3CP%3EI%20got%20it..%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20had%20to%20go%20to%20'The%20message%20properties'%2C%20then%20'include%20message%20type'%3C%2FP%3E%0A%3CP%3Ethen%20select%20Auto-Forward%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-180187%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-180187%22%20slang%3D%22en-US%22%3E%3CP%3EMake%20sure%20to%20press%20the%20%22More%20options%22%20link%20on%20the%20bottom%20of%20the%20New%20rule%20dialog%2C%20it%20will%20bring%20up%20all%20the%20other%20conditions.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-180123%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-180123%22%20slang%3D%22en-US%22%3E%3CP%3EI%20do%20not%20have%20this%20condition%3A%26nbsp%3B%3CSPAN%3EAND%20IF%26nbsp%3BThe%20message%20type%20is%20%E2%80%98Auto-Forward%E2%80%99%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20can't%20use%20powershell%20because%20I%20am%20also%20AD%20on-prem.%20Any%20ideas%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-93369%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-93369%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20if%20you%20want%20control%20in%20the%20user's%20hands%2C%20you%20might%20look%20at%20Azure%20Information%20Protection%20labels.%20AIP%20allows%20users%20to%20select%20a%20label%20to%20identify%20the%20level%20of%20sensitivity%20of%20information%20in%20a%20message.%20The%20policy%20behind%20a%20label%20can%20apply%20an%20IRM%20template%20to%20really%20sensitive%20stuff%20and%20that%20would%20block%20the%20ability%20of%20external%20people%20to%20read%20the%20content%2C%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-93356%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-93356%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20the%20response.%20To%20be%20clear%2C%20I'm%20looking%20to%20give%20the%20end%20user%20the%20ability%20to%20choose%20on%20a%20%22per%20e-mail%22%20basis%20on%20whether%20or%20not%20to%20disallow%20forwarding%20through%20their%20Outlook.%20I.E.%20Sending%20an%20e-mail%20that%20contains%20sensitive%20information%20and%20enabling%20%22DO%20Not%20Forward%22%20for%20just%20that%20particualr%20e-mail.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-93257%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-93257%22%20slang%3D%22en-US%22%3E%3CP%3ETo%20be%20specific%2C%20what%20Vasil%20has%20highlighted%20is%20an%20Exchange%20transport%20rule%20that%20will%20check%20for%20messages%20autoforwarded%20by%20users%20and%20block%20them.%20The%20advantage%20of%20this%20approach%20is%20that%20it%20is%20guaranteed%20to%20work%20because%20all%20email%20must%20flow%20through%20the%20transport%20system%20and%20be%20checked%20against%20the%20tenant's%20rules.%20However%2C%20introducing%20such%20a%20rule%20without%20prior%20advice%20and%20consultation%20with%20users%20might%20provoke%20a%20negative%20reaction%20from%20people%2C%20so%20perhaps%20user%20education%20is%20a%20better%20first%20step.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-93217%22%20slang%3D%22en-US%22%3ERe%3A%20On%20demand%20disable%20forwarding%3F%20OWA%20and%20Outlook%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-93217%22%20slang%3D%22en-US%22%3E%3CP%3EThis%26nbsp%3Bis%20nothing%20new%2C%20the%20only%20new%20part%20about%20it%20is%20that%20it%20got%26nbsp%3Bincluded%20as%20part%20of%20the%20Secure%20Score%20recommendations%2Factions%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Foffice365security%2Fmitigating-client-external-forwarding-rules-with-secure-score%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Foffice365security%2Fmitigating-client-external-forwarding-rules-with-secure-score%2F%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20the%20actual%20rule%20syntax%3A%20IF%26nbsp%3BThe%20Sender%20is%20located%20%E2%80%98Inside%20the%20organization%E2%80%99%20AND%20IF%26nbsp%3BThe%20Recipient%20is%20located%20%E2%80%98Outside%20the%20organization%E2%80%99%20AND%20IF%26nbsp%3BThe%20message%20type%20is%20%E2%80%98Auto-Forward%E2%80%99%20THEN%20Reject%20the%20message%20with%20the%20explanation%20%E2%80%98External%20Email%20Forwarding%20via%20Client%20Rules%20is%20not%20permitted%E2%80%99%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Hello,

 

I recently saw a video (that I can no longer find) that seemed to show that it was possible to limit forwarding "ala cart" on outgoing e-mails in a way that would disallow forwarding within the organization and put a "This should not be forwarded" blurb in messages received outside the organization. Is this a thing? I know I can disable forwarding en masse, but I'm really looking to give the end user the option to enable on a per e-mail basis.

 

M

7 Replies
Highlighted

This is nothing new, the only new part about it is that it got included as part of the Secure Score recommendations/actions: https://blogs.technet.microsoft.com/office365security/mitigating-client-external-forwarding-rules-wi...

 

Here's the actual rule syntax: IF The Sender is located ‘Inside the organization’ AND IF The Recipient is located ‘Outside the organization’ AND IF The message type is ‘Auto-Forward’ THEN Reject the message with the explanation ‘External Email Forwarding via Client Rules is not permitted’

Highlighted

To be specific, what Vasil has highlighted is an Exchange transport rule that will check for messages autoforwarded by users and block them. The advantage of this approach is that it is guaranteed to work because all email must flow through the transport system and be checked against the tenant's rules. However, introducing such a rule without prior advice and consultation with users might provoke a negative reaction from people, so perhaps user education is a better first step.

Highlighted

Thanks for the response. To be clear, I'm looking to give the end user the ability to choose on a "per e-mail" basis on whether or not to disallow forwarding through their Outlook. I.E. Sending an e-mail that contains sensitive information and enabling "DO Not Forward" for just that particualr e-mail.

Highlighted

Well, if you want control in the user's hands, you might look at Azure Information Protection labels. AIP allows users to select a label to identify the level of sensitivity of information in a message. The policy behind a label can apply an IRM template to really sensitive stuff and that would block the ability of external people to read the content,

Highlighted

I do not have this condition: AND IF The message type is ‘Auto-Forward’ 

I can't use powershell because I am also AD on-prem. Any ideas?

Highlighted

Make sure to press the "More options" link on the bottom of the New rule dialog, it will bring up all the other conditions.

Highlighted

I got it.. 

I had to go to 'The message properties', then 'include message type'

then select Auto-Forward