Introduction

Methods for automatically forwarding email messages to different email addresses is available in OWA, as an Outlook rule, or at the mailbox level, set by an administrator. The prevention of Outlook rules and OWA forwarding are controlled at the organization level via remote domains, however, there are limitations with OWA forwarding and remote domains. Mailbox level forwarding is performed by an Exchange administrator that has been granted requisite permissions.

Note: Mailbox forwarding requires a mail-enabled or mailbox-enabled object to forward the message to. For example, if an administrator wanted to forward all emails from userA’s mailbox to person@domain.com, an Exchange contact is required for person@domain.com.

There are two types of domains within Exchange, accepted domains, and remote domains. Accepted domains are any domains that your organizations accepts email for, like domain.com. All other domains are considered remote domains. By default, Exchange online creates a default remote domain that is represented by the * symbol. Any settings within the default domain apply to all external domains.

Outside the default remote domain, additional remote domains can be added to Exchange Online. Within any additional remote domain, forwarding can be enabled for that remote domain. For example, if Contoso added Microsoft as a remote domain through an Outlook rule, end-users could forward their Contoso email to any SMTP address that ended with @microsoft.com.

Changing forwarding settings does not change how end-users interact with OWA and Outlook rules. For example, if forwarding is disabled within Contoso, end-users could still create Outlook rules or add a forwarding address in OWA. Email messages wouldn’t be forwarded, which could generate confusion for end-users and result in a help desk call.

Within OWA, Role Base Access Control (RBAC) settings can be modified to remove forwarding options. When forwarding is hidden, users wouldn’t see forwarding options in OWA settings.

Outlook forwarding rules cannot be hidden from the end-user. They will be able to specify the action of forwarding an email message within an Outlook rule even with forwarding disable.

Each of the forwarding options are applied to different attributes in a mailbox. The following sections will cover what occurs on the mailbox when forwarding is enabled.

OWA Forwarding

OWA forwarding is enabled when the end-user is logged into OWA and chooses the settings option.

When forwarding is enabled through OWA, the forwarding email address is stored in the ForwardingSMTPAddress on the mailbox.

RBAC Configuration

Create a new base option from the parent base option called NoForward

New-ManagementRole -Parent MyBaseOptions -Name NoForward

Remove the forwarding parameters from set-mailbox

Set-ManagementRoleEntry MyBaseOptions-NoForwarding\Set-Mailbox -RemoveParameter -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

Create a new role assignment policy that replaces MyBaseOptions with NoForward.

New-RoleAssignmentPolicy -Name DenyForwardingRoleAssignmentPolicy -Roles NoForward, MyContactInformation, MyRetentionPolicies, MyMailSubscriptions, MyTextMessaging, MyVoiceMail, MyDistributionGroupMembership, MyDistributionGroups, MyProfileInformation

To make the new mailbox policy as the default policy, we ran the following command.

Set-RoleAssignmentPolicy -Identity DenyForwardingRoleAssignmentPolicy -IsDefault

Existing User

The new policy can be assigned in two methods via the EAC or PowerShell.

To assign the policy via PowerShell use the Set-Mailbox command with the RoleAssignmentPolicy policy.

To assign the Policy through the EAC navigate to Mailbox Features > Role assignment policy and select the new policy on a given mailbox.

The next time the user logs in, the forwarding option will not be available within OWA settings.

New User

Created a new user named Colton

The default policy did not get applied

User Experience

Once the new RBAC policy is applied to a mailbox, the forwarding option is removed from the OWA settings.

Inbox Rules

Inbox rules within Outlook can be used to forward email messages to internal and external recipients. There are three types of forwarding rules.

• Forward message – Forward message to a specified recipient
• Forward as an attachment – Create a new email message and forward the message as an attachment
• Redirect message – Redirect the message

The three forwarding rules can be added as an action within an Inbox rule. As the example outlines below, all email messages will be forwarded to Contoso.com.

There is no clean way to remove the forwarding Inbox rules however, by modifying the remote domains settings within Exchange Online, forwarding can be blocked or only allowed to specified domains.

Remote Domains

Inbox forwarding rules are controlled by the remote domains within Exchange Online. The remote domain configuration can be found under Mail Flow > Remote Domains.

Out of the box there is one remote domain.

The default remote domain has forwarding enabled.

New remote domains can be to allow forwarding to specific domains.

Where are Inbox Rules Stored

An Outlook forwarding rule is considered a server-side rule. All server-side rules are stored in the mailbox. Each inbox rule consists of condition(s), action(s), and exception(s). Forwarding is considered an action. The forwarding Outlook rules are stored in the ForwardAsAttachmentTo and ForwardTo parameters of an Outlook rule.

Mailbox Forwarding

An Exchange administrator enables the mailbox forwarding option at the mailbox level. To enable mailbox forwarding, select the mailbox > Properties > Mailbox Feature > Mail Flow

Note: Checking Deliver message to both forwarding address and mailbox ensures a copy of each message is stored in the recipient’s mailbox and the forwarding addresses mailbox.

Unlike OWA forwarding and Inbox rule forwarding, mailbox forwarding, forwards email messages even if forwarding is disabled within the default remote domain.

The forward email address set by the administrator is stored within the ForwardingAddress parameter.

Recommendation

Our recommendation for mail forwarding within most organizations is the following:

• Disable forwarding on the default remote domain
• *Optional* Create remote domains that your organization wants to allow mailbox rule forwarding to
• Create a new RBAC mailbox policy, *set the new mailbox policy as the default policy*, so it applies to all new mailboxes, and apply the mailbox policy to all existing mailboxes

  Note: The default policy has not applied to new mailboxes during my lab. Per this article it should work in Exchange Online.

• A future blog will discuss implementing an auditing script that will remove any new forwarding Outlook rules and send a notification to the end-user informing them why the rule was removed.

By disabling forwarding on the default remote domain, administrators can control which mailboxes or domains messages can be forwarded to.

Two main reasons to hide the forwarding option in OWA are; if any remote domain allows for forwarding, an email message is forwarded, even if the forwarding domain isn’t an approved SMTP domain. For example, if Microsoft.com was an approved forwarding domain. If an end-user enabled forwarding in OWA for Yahoo.com, the mailbox would forward the email messages to a Yahoo SMTP address. From our testing, if any remote domain allows for forwarding, the forwarding of emails always works from OWA. The second reason is the DeliverToMailboxAndForward parameter is a shared attribute between the end-user and the Exchange Administrator.

If the DeliverToMailboxAndForward parameter is set to $true; messages will be delivered to the mailbox and the forwarding address. If the parameter is set to $false, messages are delivered only to the forwarding address. The DeliverToMailboxAndForward is a shared parameter between OWA forwarding and mailbox forwarding. If the administrator sets DeliverToMailboxAndForward to true, thus allowing email messages to be delivered to both mailboxes, the end-user could log into OWA can uncheck Keep a copy of the forwarded messages and change the value of the DeliverToMailboxAndForward.