SOLVED

Mail Forwarding Rules


I have a PowerShell script that gets run weekly early Monday morning that sends me an Excel report on the mailing rules and delegates.  But I somehow am still getting no score on it (sometimes it counts it, sometimes it doesn't).  In the description, it states that I can also look for the creation of rules through Audit Log Search.  I cannot figure out what option to choose inside of the Security & Compliance Audit Log Search...  Is there one?

7 Replies

Not sure what you mean by "score", perhaps you can share the script? Owner-created rules are not audited in Exchange Online btw.

One of the items you are supposed to check is "Review mailbox forwarding rules weekly". If you expand the option, the description says: "There are several ways you can do this, including simply reviewing the list of mail forwarding rules to external domains on all of your mailboxes using a PowerShell script, or by reviewing mail forwarding rule creation activity in the last week from the Audit Log Search." If you click on Learn More and click on the Review button, you are taken to this page: https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/DumpDelegatesandForwardingRules.p... I have set this up on a schedule to run every Monday morning at 1am. It takes about 8 hours to run and I receive an email of the results. If it was successful, I am supposed to get a score of 5 points. I am now at 0 today for that review. I am curious how to search for newly created rules in mailboxes in the Audit Search.

Has anyone figured out a way to look at Mail Forwarding Rules for Secure Score using the Audit Log Search?

Owner-created rules are not audited afaik. But you can use the Get-InboxRule cmdlet to report on them.
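
One way to build the Get-InboxRule report mentioned above, narrowed to forwarding that leaves the tenant (added example, not part of the original post or the linked GitHub script). It assumes an Exchange Online PowerShell session is already connected; `$OutFile` and `Get-ExternalSmtpTargets` are hypothetical names.

```powershell
# Added example: weekly review of forwarding to external domains.
# Assumes a connected Exchange Online PowerShell session.
$OutFile = ".\ExternalForwarding.csv"   # hypothetical output path

# Domains the tenant owns; any other SMTP domain is treated as external.
$internalDomains = @((Get-AcceptedDomain).DomainName)

function Get-ExternalSmtpTargets {
    param([object[]]$Recipients, [string[]]$InternalDomains)
    foreach ($r in $Recipients) {
        # Rule recipients render as '"Name" [SMTP:user@domain]'; mailbox-level
        # forwarding renders as 'smtp:user@domain'. [EX:...] entries are directory objects.
        foreach ($m in [regex]::Matches([string]$r, '(?i)SMTP:([^\]\s]+@([^\]\s]+))')) {
            if ($InternalDomains -notcontains $m.Groups[2].Value) { $m.Groups[1].Value }
        }
    }
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = [string]$mbx.PrimarySmtpAddress

    # Mailbox-level forwarding (set by an admin or in the user's mail options).
    foreach ($t in Get-ExternalSmtpTargets -Recipients $mbx.ForwardingSmtpAddress -InternalDomains $internalDomains) {
        [pscustomobject]@{
            Mailbox = $upn; Source = 'MailboxForwarding'; RuleName = ''
            Enabled = $true; KeepsCopy = $mbx.DeliverToMailboxAndForward; Target = $t
        }
    }

    # Owner-created inbox rules that forward or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $recipients = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in Get-ExternalSmtpTargets -Recipients $recipients -InternalDomains $internalDomains) {
            [pscustomobject]@{
                Mailbox = $upn; Source = 'InboxRule'; RuleName = $rule.Name
                Enabled = $rule.Enabled; KeepsCopy = -not [bool]$rule.RedirectTo; Target = $t
            }
        }
    }
}

$report | Sort-Object Mailbox, Source | Export-Csv -Path $OutFile -NoTypeInformation
"{0} external forwarding entries written to {1}" -f @($report).Count, $OutFile
```

Comparing each week's CSV against the previous one shows newly added external targets, which is the closest substitute for rule-creation auditing that this approach offers.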

The Mailbox Forwarding Rules does not seem to be working. I have a report that is run from a server and sent to me as an Excel attachment that has the mailbox forwarding rules. What are the criteria for this to be considered as accomplished?

best response confirmed by Zeff Wheelock (Frequent Contributor)
Solution
I think the only way you get the score on the security & compliance Secure Score page is by actually clicking on the link to go to the GitHub page where the PS is located. They need to add in a way to check it off for use cases where we are already running the script.

@Aaron Myers wrote:
I think the only way you get the score on the security & compliance Secure Score page is by actually clicking on the link to go to the GitHub page where the PS is located. They need to add in a way to check it off for use cases where we are already running the script.

That. Is. Asinine. So, it doesn't check if you actually have checked the forwarding rules, but if you have actually visited the page where the PowerShell script resides. Huh. I got credit doing that... Just wish they would change the verbiage stating that you can go to the Audit Logs and check on who created rules (which is not possible).