Have you run a report to see if users have setup Outlook rules to auto-forward email to an external email like their personal email? I was blown away after running a report to find multiple users who had a generic rule to forward their email to their personal email. If you’re concerned about data loss this is a big issue, let’s take a look at how to stop users from auto-forwarding email to external users.
Find out who is auto-forwarding
Take a look below at a way to setup a Mail Flow rule in the Exchange Admin Center to start blocking message type of auto-forward. You will want to use the following for:
Apply this rule if:
The sender is located: Inside the organization
The recipient is located: Outside the organization
The message type is: Auto-forward
Do the following:
Reject the message with the explanation: <Use your own custom explanation for users to see.
Generate incident report and send it to: <email address>
The recipient address includes: <add any exceptions here to still allow>
Finally choose to “Test with (or without) Policy Tips” – what this will do is start testing the rule. You will want to be sure you have added an option to send incident reports so that you can find out who is abusing this auto-forwarding rule. When you’re ready, you will change the mode to Enforce as detailed in the screenshot above.
Removing the option to Forward
There is a place in the Outlook settings that you can remove for auto-forwarding email. If you are using this for service or shared mailboxes you will want to make any forwarding changes in the Exchange admin center, not at the user level. Microsoft has documented this process, you can follow these steps in Turning off forwarding in Exchange Online. Those steps are for making a change at the user level, I would recommend making a change at the tenant level so all current and future users will have this option removed. First you will need to run 2 commands in PowerShell:
Once this is complete you will see a new option in your Exchange Admin Center > Permissions > User roles > Default Role Assignment Policy (you may have more policies). Now open up that policy and check the box next to the “MyBaseOptionsNewDefault” that you created in PowerShell.
Here is a before and after of what it will now look like in the Outlook web app under Settings > Mail > Forwarding (option is completely removed):
I hope this gives you guidance on how to stop users from auto-forwarding email to external users. The first step was to put up a wall with a Mail Flow rule so they can’t setup any forwarding rules. The second step was to remove the option in the Outlook user interface for forwarding all email. Users can still forward emails one at a time, but now there shouldn’t be any way they are doing it with auto-forwarding. If you liked this, be sure to see other tips in the Office 365 category.
A common way to stop security threats for your users would be to protect email from foreign countries. If you do business internationally keep in mind you will want to be sure those countries are not blocked. I’ve blocked most international country codes in Exchange Online since our company only works domestically. Recently we’ve started working with off shore teams though so I needed to take a closer look at how this all works.
Protect email from foreign countries
Go to the Exchange Admin Center > Protection > spam filter. Under international spam you will see languages and countries. If you click the + sign you will find a whole list you can select (hold down Shift or Control button to select a range to add). Click Save and away you go, you are now have a way to protect email from foreign countries or languages.
If you haven’t inspected an email header before, now is a good time to do some reading. Here is a good article from Microsoft on just about everything for anti-spam message headers. Microsoft also has a Message Header Analyzer to help you break down everything in a more readable format.
Since we started working with users internationally with their own email servers we needed to come up with a way to be sure their emails weren’t going to be marked as spam. I didn’t want to just remove the entire country they worked in since it was known as a large source of spam. Also they’re email system could change and start to come from another country next door. So I tested if we added the domain to our Allow List if it would overrule any kind of country setting we had. It did! If you add a domain to your spam allow list it will deliver even though you are blocking that international country code. See my article Tips with Office 365 Email Safe Senders if you haven’t worked with that setting before.
This is a very quick way to help protect email from foreign countries. It’s an easy hole to plug pretty quickly, you can always be more aggressive at first then start to pull back as your user’s report the need to communicate internationally. The emails will land in your Quarantine, they won’t be blocked completely.
I’m back! I’ve been away for the past few months focused on email migrations for a few companies that we’ve recently acquired. I wanted to post a few lessons learned from what I’ve recently learned on email migrations. I’ve done close to 20 acquisitions in my career, still not an expert but some may say I’m smarter than the average bear.
MigrationWiz by BitTitan
Using a migration tool is highly suggested! It’s going to cost some money but this software is worth it. In most cases if you want to migrate both email and documents it’s going to cost you around $15 per user. It’s not going to be free, but it won’t break the bank either. I’ve used MigraitonWiz for years now, there’s still my go to because of the simplicity and price.
I’ve worked with technical staff in most acquisitions, but very few have good backups and understanding on how everything works. Do as much exporting of properties you can to keep around for when something doesn’t work after the migration. I’ve gone to these almost every time to find an email address or forwarding rule that couldn’t remember how it worked.
Be prepared and start updating DNS before the migration. I’ve been surprised to find MX records with 1 day TTLs. This doesn’t always represent how long it will take to update DNS when you are ready to cutover from one email system to another, but the shorter you can reduce these the less time you will be waiting around on migration night.
I’ve been managing Office 365 and Exchange Online since 2015, there’s still plenty to learn for migrating. If you are doing a tenant to tenant migration, get your scripts ready! You will need to change all userPrincipalNames and Primary Email Addresses to the default .onmicrosoft.com domain before you can start removing email addresses. You will need to do that because you can’t remove a domain from a tenant to verify in another tenant until they are all gone. And I mean, all gone. Which brings me back to my second point, be sure you export everything first before you start deleting 😉
Last thoughts on email migrations
There’s a lot of work that goes into email migrations but the more time you spend ahead of a migration the less time it will require after you migrate. Hope these few tips will help you in your next migration. See more tips on Office 365 here.
Recently I’ve had trouble with email safe senders for a domain in our Office 365 Exchange environment. Let’s take a look at some tips with Office 365 email safe senders. Usually my first place to go is the Exchange Admin Center. Now go to Protection > Spam filter > Allow lists – Add the sender/domain you want to allow. Here is Microsoft’s documentation: Create organization-wide safe sender or blocked sender lists in Office 365
Typically this is the resolution, the emails will arrive in any user’s mailbox after this. However, this was not my case this time. I went to the client side of equation to try there.
Tips with Office 365 Safe Senders
Here are few PowerShell methods to review and set rules for a user. This will display all of the emails/domains the user has set as a trusted sender.