While there are some legitimate reasons a company may wish to allow auto-forwarding of business email, the vast majority of the time the best course of action is simply to disable email auto-forwarding functionality.
Not only does this follow Microsoft’s security best practices, but it also limits a cyber attacker’s ability to silently forward all email to an external account in the event they are able to compromise one of your employees’ email accounts.
My position on the value of user passwords alone is fairly well known: passwords alone are not good enough; you should consider properly implemented multi-factor authentication and other mitigating controls.
The following are step-by-step procedures for two methods of disabling email auto-forwarding in Office 365. Let’s dive in!
The first option is to set the rule within 'Remote Domain'. This setting covers every method a user may use to attempt mail forwarding. A potential downside is that no notification is provided to the user when their attempt to auto-forward email is blocked.
Log in to Office 365 using an account with administrator rights.
Open the 'Admin centers' navigation tree on the left and click on 'Exchange'.
Click on 'mail flow', then on 'remote domains'.
Ensure that the box for 'Allow automatic forwarding' is not selected. Then click 'Save'.
The second method is to create a transport rule in the 'Exchange Online Admin Center'. This approach allows for more granular control over how rules around auto-forwarding are applied. The main downside that must be considered is that this method does not block users from leveraging the 'Start/Stop Forwarding' function in Outlook Web Access (OWA).
Log in to Office 365 using an account with administrator rights.
Open the 'Admin centers' navigation tree on the left and click on 'Exchange'.
Click on 'Mail flow'.
Click on the '+' sign to create a new rule. If you do not see all of the options described here, make sure you click on 'More options' near the bottom of the screen. You may choose to include multiple conditions based on your business requirements, but the key factor is to include the condition: "The message type is... Auto-forward".
You can choose to alter the explanation that follows the 'reject' action or choose to create exceptions for specific personnel.
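Both procedures above, plus a check for forwarding that is already configured, as an added PowerShell example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that the administrator and exception addresses are placeholders you would replace.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an account with Exchange administrator rights.
# 'admin@example.com' and 'ceo@example.com' are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# Method 1: Remote Domain. Clearing AutoForwardEnabled on the Default remote
# domain is the same as unticking 'Allow automatic forwarding' in the portal.
Get-RemoteDomain -Identity Default | Select-Object Name, DomainName, AutoForwardEnabled
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Method 2: Transport rule. Rejects auto-forwarded messages leaving the
# organisation, returns an explanation to the sender, and carves out an
# exception for named personnel (the 'ceo@example.com' placeholder).
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -ExceptIfFrom 'ceo@example.com'

# Audit: the transport rule does not stop a user (or an attacker holding that
# user's credentials) from setting mailbox-level forwarding in OWA, so list
# every mailbox that already forwards, and every inbox rule that forwards or
# redirects, so they can be reviewed before the controls above are relied on.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName }}, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled
}
```

Run the audit section first in a large tenant; the per-mailbox Get-InboxRule loop is slow, but it is the part that surfaces forwarding the remote-domain and transport-rule settings would not reveal.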
If you found this article useful or would like assistance from our team of security experts, reach out to our team.