Find All Inbox Rules that Forwards Emails Externally in Office 365 using PowerShell

Office 365 Inbox rules can automatically perform actions on incoming and outgoing emails, such as forward, flag, move, copy, and more. Inbox rules are often known for automatic email forwarding. Admins can configure mailbox forwarding rules either by using EAC or PowerShell. Additionally, users can create inbox rules directly from the Outlook settings.

But what if your users create a risky inbox rule to forward emails to external users (outside the organization)? Does not that seem like a potentially dangerous exposure to the organization?

Yes, it is! Therefore, it is best to be aware of the Outlook rules configured for forwarding emails to external users. With this, you can decide whether to disable the rules or have an overview of them. Here in this blog, let’s see how to find all the inbox rules that forward emails externally.

Admins can track emails that were forwarded to an external domain through ‘Auto forwarded message report’ in the EAC. But the report will not provide information about inbox rules. Through PowerShell, you can get the desired result. But for a PowerShell newbie, it would be very challenging to work. Because you need to perform multiple iterations between the Get-Mailbox and Get-InboxRule cmdlets to retrieve inbox rule details and generate reports with various parameters.

But what if a readily available PowerShell script does the work for us? Yes, the below PowerShell script gets the mailbox forwarding rules that forward emails to an external domains or personal email addresses.

Download Now: GetInboxRulesWithExternalForwarding.ps1

• The script uses modern authentication to connect to Exchange Online. 
• The script can be executed with MFA enabled account. 
• Automatically installs the EXO V2 module (if not installed already) upon your confirmation. 
• Helps to filter-out forwarding rules that forwards emails to external users by excluding guest accounts.
• The script is scheduler – friendly. i.e., credentials can be passed as parameters rather than being saved inside the script. 
• Exports the report result to a CSV file.

To run this script, you can choose any of the below methods.     

Method 1: To run the script with both MFA and non-MFA accounts. 

Method 2: To run a script non-interactively, you can use the below format. 

You can use this format to schedule a PowerShell script in the Windows Task Scheduler. If the admin account is MFA enabled, you have to disable MFA based on the Conditional Access Policy.

After executing the script, the output file will be stored in the current working directory. The exported output files will have the following attributes:

• Mailbox Name – Mailbox identity
• UPN – User Principal Name of mailbox
• Inbox Rule Name – Name of the inbox rule
• Forward to – Forwards the message to the specified recipient.
• Forward as attachment to – Forwards the message to the specified recipient as an attachment.
• Redirect to – Redirects the message to the specified recipient.

Note: To get a list of Office 365 mailboxes with email forwarding configurations (including both internal and external), you can download our dedicated script to generate email forwarding report.

The script finds the inbox rules set to Forward to, Forward as attachment, and Redirect to external recipients. By default, the script will generate a report for all the external users. By using an advanced filtered parameter, you can exclude guest users from the list.

• List inbox rules that forward mail to external users
• Find inbox rules with external forwarding excluding guest users

Note: Guest users are external users who were added as ‘guests’ in the tenant.

It is important to be aware of the auto-forwarding inbox rules to external email addresses. Because it will result in some significant data exposure. Run the script to get the list of all the inbox rules forwarding the emails externally in Office 365.

In this case, both the external and guest users are included.

Cases like forwarding emails to guest users when you are in a project may occur. So, you are advised to exclude guest users when exporting reports. In this case, you can opt to use the parameter –ExcludeGuestUsers. It’ll export to a CSV file considering only external users without considering the guest users.

Microsoft equips multiple ways to configure auto-forwarding. But it lacks in providing admin-friendly reports to identify email forwarding configurations in the organization. Even with PowerShell, it is a bit baffling as you need to consider multiple forwarding configurations and their respective PowerShell cmdlets.

To overcome these pain points, you can try out the AdminDroid Office 365 reporting tool. The tool provides the following reports on auto-forwarding configurations.

Auto-forwarding Configuration Reports:

• Mailboxes with SMTP forwarding
• Mailboxes with internal forwarding
• Mailboxes with forwarding and redirecting configurations
• Mailboxes with external forwarding
• Emails forwarding to external domains
• Inbox rules with forwarding configuration- summary report

Shared Mailboxes’ Email Forwarding Reports:

• Shared mailboxes with internal & external forwarding
• Shared mailboxes with inbox rules
• Shared mailboxes with forwarding set using Inbox rules

Audit Forwarding Configuration Changes in Inbox Rules:

• Internal forwarding rule changes

• External forwarding rule changes

Each report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.

Additionally, AdminDroid provides 1500+ pre-built reports on various Office 365 services to efficiently manage, report, monitor, and get insights about your Office 365 environment. You can also download Free Microsoft 365 reporting tool by AdminDroid to

• Get reports on users, groups, group memberships
• Subscription and license reports
• Monitor users’ login activities,
• Track license changes, password changes, group membership changes, etc.

Conclusion:

External forwarding or redirecting emails results in the organization’s confidential information ending in places it shouldn’t go. To combat this issue, Microsoft offers several techniques to block email forwarding in Office 365, such as blocking auto-forwarding using remote domains, blocking auto-forwarding using transport rules, etc.

Also, you can set an alert policy to send an alert notification when someone has auto-forwarded mail to an external account. It will help you identify external forwarding emails & senders and take necessary actions to prevent data leakage.

Hope you find this blog helpful!