Disable users' ability to create rules...


For security reasons we need to disable users' abilities to create rules in the Outlook application. I have searched high and low and cannot find where or how this can be done...


Any help would be greatly appreciated.

13 Replies


It looks like it can be set in OWA policy under Information Management / Inbox Rules.


I'd thought in Outlook you'd be able to set it via Group Policy but I've had a look at the available options in the OL2016 template and don't see anything which covers it.

Which is a bit strange. You would think that anything that could be enabled / disabled in OWA that isn't OWA exclusive should also be configurable in Outlook.


Failing that you'd probably have to look at updating the My Base Options roles for the users which I think includes rule settings.
So users would still see rules management in Outlook but wouldn't be able to apply any changes.


@Neill Tinlin Thank you for the response! I did disable that, doesn't that only apply to creating rules in the web app though?


I will look into the My Base Options and see. Thank you!

There's no way to disable this for the desktop client afaik. The only thing I could think of is to disable the corresponding buttons/UI controls, but for that to work you will need to know the actual control IDs. Check here for more info: https://www.slipstick.com/how-to-outlook/group-policy-disable-commands/

@Vasil Michev Thank you, I don't think that would help. The purpose is to stop any malicious people who have stolen credentials from creating rules. They would be accessing it from outside our domain.


Rules to do what? auto-Forward emails? You can easily prevent that in better ways. Otherwise, I'm not sure what rules you are concerned about.

@Andy David Typically once a user's credentials are stolen, the malicious individual creates a rule to move all (or sometimes specific) emails to a specified folder that the actual user would never typically check. That way the user is unaware of any suspicious activity until it is usually too late.


We have implemented multi-factor authentication, which should make it much more difficult for this to occur. But as an added security the partners of my company would like to block the creation of any rules.


Also, rules to move emails do not fall under the forwarding/redirect rules. So the option to prevent that does not apply sadly...


Well, to be honest, I think this is an unnecessary concern - esp with the implementation of MFA.

If you were to block the ability to create rules, that would hamper your users from being able to manage their mailboxes effectively and, as in all these things, security has to be balanced with practicality. I'm still not seeing what real harm is being done to a mailbox if a bad actor moved a message to another folder.

@Andy David Well, in this case the bad actor, we will call him Jimmy, intercepted an email about an incoming wire from a client to our company of a VERY large amount, using stolen credentials. Jimmy convinced the client to send the money to another bank account, telling them our original account was compromised. The client, thinking that the contact was still the proper person in our company, complied and sent them the money.


Jimmy was smart enough to set up a rule for all incoming and sent emails to and from the client's domain to be moved to the RSS feeds folder, which no one on God's green earth uses, so that the real employee within our company, whose credentials were stolen, would never see them.


A lot of things were done wrong by the client, there were quite a few red flags and they never called to confirm with us. We also should have had better security long ago. But one of the measures the company partners would like to make to help ensure this never happens again, is to stop all rules from being created. Or at the very least some form of alert whenever one is created. This is not a terrible request as it is a VERY common way the Jimmies of the world operate. 


You may think it unnecessary, but if you lost this amount of money maybe you would change your mind?


It may be extreme, but thankfully almost no one in our company uses rules. And it will put the minds of our accounting folks and partners at rest.


Thanks for your input!
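
Added example, not part of the original thread and not Microsoft's code: one way to approach the "some form of alert" idea is to review existing inbox rules for ones that hide mail, such as the move-to-RSS-folder rule described above. The function name, the folder list and the sample objects are assumptions made up for illustration; the property names are the ones `Get-InboxRule` returns.

```powershell
# Added example. Folder list is an assumption for illustration; tune it per tenant.
$RarelyReadFolders = 'RSS Feeds', 'RSS Subscriptions', 'Conversation History',
                     'Junk Email', 'Deleted Items', 'Archive'

function Find-HidingInboxRule {
    [CmdletBinding()]
    param(
        # One rule object carrying the property names Get-InboxRule returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Rule
    )
    process {
        if (-not $Rule.Enabled) { return }   # disabled rules hide nothing right now
        $reasons = @()
        if ($Rule.MoveToFolder -and $RarelyReadFolders -contains [string]$Rule.MoveToFolder) {
            $reasons += "moves mail to '$($Rule.MoveToFolder)'"
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes mail' }
        if ($Rule.MarkAsRead -and $Rule.MoveToFolder) { $reasons += 'marks moved mail as read' }
        if ($Rule.ForwardTo -or $Rule.RedirectTo -or $Rule.ForwardAsAttachmentTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Scope   = $Rule.FromAddressContainsWords -join ', '
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules (not real data): one hiding rule, one ordinary rule.
$sample = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice@example.com'; Name = 'Client mail'; Enabled = $true
        MoveToFolder = 'RSS Feeds'; MarkAsRead = $true; DeleteMessage = $false; ForwardTo = $null
        RedirectTo = $null; ForwardAsAttachmentTo = $null; FromAddressContainsWords = @('client.example') }
    [pscustomobject]@{ MailboxOwnerId = 'bob@example.com'; Name = 'Newsletters'; Enabled = $true
        MoveToFolder = 'Reading'; MarkAsRead = $false; DeleteMessage = $false; ForwardTo = $null
        RedirectTo = $null; ForwardAsAttachmentTo = $null; FromAddressContainsWords = @('news.example') }
)
$sample | Find-HidingInboxRule | Format-List   # only alice's 'Client mail' rule is reported
```

Against a live tenant, the same function can take the output of `Get-InboxRule -Mailbox <mailbox> -IncludeHidden` on the pipeline in place of `$sample`.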


Was this before or after MFA was implemented? :) 

So, of course, this is just my personal opinion, but I still think that preventing a user from creating rules is overkill and a lot of unnecessary FUD. That same bad actor could do a lot of bad things if they have the creds beyond rules, but I get it, it's important to these customers. I don't think there is really an option to do this on the Outlook side. I was thinking setting the rulesquota may work, but the minimum is 32KB.

Good Luck however.



Hi, just wondering if you have a solution to this.  I just got hit with exactly the same attack that you mentioned.  We will be implementing MFA shortly but I also want to disable rules in OWA.  Can you point me in the right direction?  tks

@Ken_Runyon Try this

Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -RulesEnabled $false

"OwaMailboxPolicy-Default" is the name of the OWA policy that's assigned to the target user, which can be found in the Exchange Admin Center (as seen on screenshot).



@Andy David 

Does anyone know how to prevent the creation of rules?

I introduced MFA but my account was broken into again, and this time horrible Jimmy (let's call him) created a rule to hide emails as well as changing the phone number of my MFA to his phone.
RESULT: emails hacked and money fraudulently transferred out of accounts.
Someone please help. How do you prevent rules altogether?




My 2 pennies: Cart before the horse? Rules are good, hackers are bad. First stop hackers (MFA, block basic auth, P1 conditional access etc., whatever works for your situation). Run daily reports on successful logins (are they coming from your offices or from Nigeria), run reports on failed logins (has the hacker community found another way of trying to bypass MFA?), train users on phishing techniques. All this can be automated for pennies, and will stop any successful hacks (if they are good enough) within hours or less. Still too long, but you can't always win them all.
Blocking rules does nothing to help you imho, modern hackers don't even create rules anymore, too obvious. But again, just my opinion. Next month it might all change again, that's the fun of it....