Disable auto forwarding email to external recipients using Microsoft Flow


There are several ways to block auto forwarding of email to external recipients via Exchange Online. However, there's also an option to create a flow for new email that enables auto forwarding to external recipients using Microsoft Flow!
The problem with this method is that none of the existing methods of blocking these emails is applicable. These emails are sent directly from the user's mailbox and therefore the existing rules do not apply.
The DLP option for Flow is also not able to prevent this because it only blocks sharing data between connectors.
Because everyone with an enabled Azure AD account is able to use Microsoft Flow (even if they don't have the feature enabled within their license plan), there's no way to block this (as far as I know).
Is there any way to avoid this?

11 Replies

That's most likely because Flow doesn't do an actual "forward" action, but simply prepares a new message and copies all the relevant details. You as the admin are able to see the types of Flows your users are using, and delete them if needed.

@Vasil Michev I agree that as an Admin you're able to (re)view flows which users have created, but the problem with that is that it will always be reactive. We need to be able to prevent users from using this functionality and with that prevent all mailbox data from leaving the organization.

Well you've proactively enabled the users to use Flow :)


I don't disagree with you, it would be nice to be able to control such flows, but as you noted above this one doesn't seem to be captured by the Flow DLP capabilities. You can crawl the Unified audit log for any events corresponding to the Flow or even attach an alert to them, but that's still reactive. Then again, there are potentially dozens of other Flows that can be abused to send/save data to an external location, so you might as well re-evaluate the need to enable Flow.

@Vasil Michev that's just it. Like I explained in the post, we've not actively enabled Flow (the feature is not enabled within the licensing plan) but users are still able to use Flow.
The only way I currently see to proactively prevent users from using Flow to auto forward messages is to block access using Conditional Access, for example. There's no other known way to disable the service?!
And more importantly, there's no way to block users from auto forwarding using Flow without completely blocking access.
Or is there?

Disabling the license should at least remove the app tiles for Flow, but yeah, that's security by obscurity. Let me ping a few folks...

So looking at the audit logs, it seems that Flow makes a direct connection to the mailbox in order to forward each message, meaning you can just block the IP ranges with any feature that allows such control (CA, auth policies, etc.): https://docs.microsoft.com/en-us/flow/limits-and-config#ip-address-configuration
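The audit-log review suggested in this reply, written out as an added example (not code from anyone in this thread). It assumes an Exchange Online PowerShell session with audit search rights; the AuditData field names FlowConnectorNames and FlowDetailsUrl and the operation names CreateFlow/EditFlow are assumptions about the MicrosoftFlow record schema and may need adjusting for your tenant.

```powershell
# Added example: surface Flow create/edit events that reference the Office 365 Outlook
# connector, so an admin can review mail-handling flows (reactive, as noted in the thread).
# Assumptions: Connect-ExchangeOnline already run; field names below follow the
# MicrosoftFlow audit record schema as documented and may differ from what your tenant emits.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftFlow -ResultSize 5000

$mailFlows = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json

    # Only flows being created or edited matter here; deletions reduce exposure
    if ($data.Operation -notin @('CreateFlow', 'EditFlow')) { continue }

    # Connector names arrive as a comma-separated string; the Outlook connector id
    # contains 'office365' (assumption about the connector naming)
    if ("$($data.FlowConnectorNames)" -notmatch 'office365') { continue }

    [pscustomobject]@{
        When       = $e.CreationDate
        User       = ($e.UserIds -join ',')
        Operation  = $data.Operation
        Connectors = $data.FlowConnectorNames
        FlowUrl    = $data.FlowDetailsUrl
    }
}

# Newest first; pipe to Export-Csv or an alerting step as needed
$mailFlows | Sort-Object When -Descending | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 records per call; for busy tenants page with -SessionCommand ReturnLargeSet and a -SessionId.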

@Michel van Vliet  

Not sure about how to block forwarding using Microsoft Flow! I have heard this for the first time. I had a word with my O365CloudExperts team and they answered me that you can block it in EXO, as there are several options:
blogs.technet.microsoft.com/exchange/2017/12/22/the-many-ways-to-block-automatic-email-forwarding-in-exchange-online/
 
Regards,
Akshay

@Akshay_Mane The Exchange part is clear (and in place), but this does not prevent Flow from using EXO to forward emails to external recipients.

@Vasil Michev thanks for the suggestion. The downside of going down this road is that when IP addresses/ranges change (or are added) these are not automatically reflected in the block configuration, which leaves gaps. And we'd like to only block forwarding to external recipients but let users be able to forward to internal recipients.

@Vasil Michev After several test scenarios it seems there's no way to block the connection from Flow to Exchange Online using Conditional Access policies.
However, I managed to get an active block for Flow using a Client Access Rule within Exchange Online.
I used the following PowerShell code to block the US and Europe IP addresses from Flow:

# Flow outbound IP addresses and ranges for the US and Europe regions (from the limits-and-config page linked above)
$IPRanges = "13.69.227.208-13.69.227.223","52.178.150.68","13.69.64.208-13.69.64.223","52.174.88.118","52.166.241.149","52.166.244.232","52.166.245.173","52.166.243.169","52.178.37.42","40.69.45.126","40.69.45.11","40.69.45.93","40.69.42.254","52.164.249.26","137.117.161.181","13.89.171.80-13.89.171.95","52.173.245.164","40.71.11.80-40.71.11.95","40.71.249.205","40.70.146.208-40.70.146.223","52.232.188.154","52.162.107.160-52.162.107.175","52.162.242.161","40.112.243.160-40.112.243.175","104.42.122.49","104.43.232.28","104.43.232.242","104.43.235.249","104.43.234.211","52.160.93.247","52.160.91.66","52.160.92.131","52.160.95.100","40.117.101.91","40.117.98.246","40.117.101.120","40.117.100.191","13.71.195.32-13.71.195.47","52.161.102.22","13.66.140.128-13.66.140.143","52.183.78.157","52.161.26.191","52.161.27.42","52.161.29.40","52.161.26.33","52.161.31.35","13.66.213.240","13.66.214.51","13.66.210.166","13.66.213.29","13.66.208.24"

# Deny any client connection to Exchange Online that originates from one of those addresses (requires an Exchange Online PowerShell session)
New-ClientAccessRule -Name "Block Flow Access" -Action DenyAccess -AnyOfClientIPAddressesOrRanges $IPRanges


Which resulted in an error within Flow (= good in this case :-)) (screenshot: Flow-Error.png)
 
It would be nice if we can get a formal procedure to get this blocked for example using DLP but for now this does the trick.
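The gap raised earlier in the thread is that the rule above goes stale when the Flow ranges change. As an added example (not the poster's code), the following keeps the "Block Flow Access" rule in step with a refreshed list and reports the difference before applying it. It assumes an Exchange Online PowerShell session, that the rule was created with the name used above, and that $NewRanges is filled in by hand from the limits-and-config page (the two values shown are constructed samples).

```powershell
# Added example: reconcile the existing Client Access Rule against a refreshed IP list.
# Assumptions: Connect-ExchangeOnline already run; $NewRanges holds the current Flow
# ranges copied from the documentation page (the entries below are constructed samples).
$RuleName  = 'Block Flow Access'
$NewRanges = @(
    '13.69.227.208-13.69.227.223'
    '52.178.150.68'
)

# Read back what the tenant currently stores for the rule, as plain strings
$rule    = Get-ClientAccessRule -Identity $RuleName -ErrorAction Stop
$current = @($rule.AnyOfClientIPAddressesOrRanges | ForEach-Object { "$_" })

# Work out which ranges are new and which have been dropped from the published list
$diff    = Compare-Object -ReferenceObject $current -DifferenceObject $NewRanges
$added   = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
$removed = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)

if (-not $added -and -not $removed) {
    Write-Host "Rule '$RuleName' already matches the supplied ranges; nothing to do."
    return
}
Write-Host "Ranges to add:    $($added -join ', ')"
Write-Host "Ranges to remove: $($removed -join ', ')"

# Replace the whole list rather than appending, so retired ranges drop out as well
Set-ClientAccessRule -Identity $RuleName -AnyOfClientIPAddressesOrRanges $NewRanges

# Confirm the stored rule now reflects the refreshed list
(Get-ClientAccessRule -Identity $RuleName).AnyOfClientIPAddressesOrRanges
```

Run it on a schedule after updating $NewRanges; the printed add/remove lists give a change record for each refresh.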

With CA policies you can block those exact IP ranges, although it's a tedious process. CARs are indeed another option, as is blocking the connectors' user-agent string: https://docs.microsoft.com/en-us/connectors/office365/