Brad Dickinson

Identify and Block External Email Forwarding in Exchange Online Using PowerShell

The content below is taken from the original (Identify and Block External Email Forwarding in Exchange Online Using PowerShell), to continue reading please visit the site. Remember to respect the Author & Copyright.

Email serves as a fundamental communication tool, offering flexibility for handling emails and coordinating communication. Organizations often use email forwarding to avoid missing important conversations during users’ absence, to distribute workload, etc. This includes forwarding to external domains, which introduces potential risks. Unmonitored email forwarding can lead to data breaches, compliance issues, and other security concerns. This blog will guide you to identify and block external email forwarding, enhancing email monitoring and security.

Review and Block External Email Forwarding in Microsoft 365

External email forwarding can be identified by checking the mailbox’s forwarding configuration and inbox rules in the Exchange Admin Center. However, you need to navigate to each mailbox to verify all the external forwarding configuration details, which is difficult and time-consuming. 

To streamline this process, we have crafted a PowerShell script, which generates reports on the external email forwarding configuration for each mailbox and on the inbox rules configured with external forwarding. Upon your confirmation, the external forwarding will be blocked, and the inbox rules will be disabled. Isn’t it outstanding? Disabling external forwarding in one go! No navigation and nothing time-consuming!

Note: By default, the script considers guest users, mail contacts, and mail users as external accounts only. You will have the option to exclude guest users before blocking external forwarding.
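
The two places named above, the mailbox forwarding settings and the inbox rule actions, can be read with the standard Exchange Online cmdlets. The following is an added example, not code from BlockExternalEmailForwarding.ps1. It assumes a target is external when its SMTP domain is not one of the tenant's accepted domains, which is simpler than the script's guest, mail contact and mail user handling. The function name and the sample addresses are constructed for illustration.

```powershell
# Added example; not taken from BlockExternalEmailForwarding.ps1.
# Assumption: a target is "external" when its SMTP domain is not an accepted domain.
function Get-ExternalTarget {
    param([string[]]$Target, [string[]]$AcceptedDomain)
    foreach ($t in $Target) {
        # Mailbox settings look like   smtp:user@domain
        # Inbox rule actions look like "Name" [SMTP:user@domain]  or  "Name" [EX:/o=...]
        # EX: entries are directory objects without an SMTP address here and are skipped.
        if ($t -match 'smtp:([^\]\s]+@([^\]\s]+))' -and
            $AcceptedDomain -notcontains $Matches[2]) {
            $Matches[1]
        }
    }
}

if (Get-Command Get-InboxRule -ErrorAction SilentlyContinue) {
    # Live, read-only pass; needs an existing Connect-ExchangeOnline session.
    $domains = (Get-AcceptedDomain).DomainName
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $raw = @($mbx.ForwardingSmtpAddress)
        if ($mbx.ForwardingAddress) {
            # ForwardingAddress names a recipient object (for example a mail contact).
            $raw += (Get-Recipient $mbx.ForwardingAddress).ExternalEmailAddress
        }
        foreach ($addr in Get-ExternalTarget -Target $raw -AcceptedDomain $domains) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                               Source  = 'Mailbox setting'; Target = $addr }
        }
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            # All three rule actions send mail out of the mailbox.
            $raw = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($addr in Get-ExternalTarget -Target $raw -AcceptedDomain $domains) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                                   Source  = "Rule: $($rule.Name)"; Target = $addr }
            }
        }
    }
} else {
    # Offline demo on constructed values; contoso.example is a made-up tenant domain.
    $sample = 'smtp:alice@contoso.example',
              'smtp:archive@partner.example',
              '"Bob" [SMTP:bob@mailbox.example]',
              '"Carol" [EX:/o=ExchangeLabs/cn=Recipients/cn=carol]'
    Get-ExternalTarget -Target $sample -AcceptedDomain 'contoso.example'
}
```

Without an Exchange Online session the block runs the offline branch and returns only the two constructed addresses outside contoso.example.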

Script Highlights:

  1. The script automatically verifies and installs the Exchange PowerShell module (if not installed already) upon your confirmation.
  2. Exports the ‘External email forwarding report’ and ‘Inbox rules with external forwarding report’ into a CSV file.
  3. Blocks external forwarding configuration for all mailboxes upon confirmation.
  4. Disables all the inbox rules with external forwarding configuration upon confirmation.
  5. Lets you verify external email forwarding for specific mailboxes and block them.
  6. Allows users to modify the generated CSV report and provide it as input later to block the respective external forwarding configuration.
  7. Provides a detailed log file after removing the external forwarding configuration and disabling the inbox rules with external forwarding.
  8. The script can be executed with an MFA-enabled account too.
  9. The script supports Certificate-based authentication (CBA).

Download Script: BlockExternalEmailForwarding.ps1

Sample Output

The script analyses and exports two reports, ‘External email forwarding report’ and ‘Inbox rules with external forwarding report’.

Export External Email Forwarding Configuration Report

The script exports this report with the following attributes:

Export Inbox Rules with External Email Forwarding Configuration Report

The script exports this report with the following attributes:

Once the report is generated, you can enter ‘Y’ as the confirmation to block the external email forwarding and the inbox rules available in the output file as shown below.

Once external forwarding is blocked, you will get a txt log file for both outputs as below.

Block External Email Forwarding in Microsoft 365 Using PowerShell – Script Execution Methods

  1. Download the script.
  2. Start the Windows PowerShell.
  3. Select any of the methods provided to execute the script.

Method 1: You can run the script with MFA and non-MFA accounts.

./BlockExternalEmailForwarding.ps1

The above example lets you export the email forwarding configuration report and the inbox rules with external forwarding report into a CSV file.

Method 2: You can explicitly pass credentials (username and password) and execute the script.

./BlockExternalEmailForwarding.ps1 -UserName <UPN> -Password <Password>

The above method is applicable only for non-MFA admin accounts. You can disable MFA for a user via Conditional Access policy.

Method 3: You can also use certificate-based authentication to run the script. To do this, you must register an app in Azure AD; the app allows you to connect to EXO with certificate-based authentication.

./BlockExternalEmailForwarding.ps1 -Organization <Domain> -AppId <ClientId> -CertificateThumbPrint <CertThumbPrint>

You can use either a certificate issued by a recognized certificate authority (CA) or create a self-signed SSL certificate.

Identify and Block External Email Forwarding Configuration in Exchange Online

Utilize the PowerShell script to identify all the external forwarding configurations and block them to improve security. Explore more use cases you can achieve using the script below.

  1. Report and block all external forwarding configurations in Office 365
  2. Find and restrict external email forwarding for specific users
  3. Find and block external email forwarding excluding guest users
  4. Verify and block external email forwarding excluding internal guests
  5. Block suspicious external forwarding SMTP address (Input CSV)
  6. Disable inbox rules with external forwarding configuration

1. Report and Block all External Forwarding Configurations in Office 365

Identifying all the external email forwarding configurations, including inbox rules, for all mailboxes is essential to detect suspicious forwarding and prevent data loss. You can verify the exported report and decide, based on your requirements, whether to block all the external forwarding and disable all the inbox rules shown in the output.

Run the script as shown below to identify and block external email forwarding for all mailboxes.

./BlockExternalEmailForwarding.ps1

Admins can get two reports, as said before, along with forwarding details. If you confirm to block all the configurations, the script will block all the email forwarding configurations in the output and send you the log file with blocked configuration details.

Note: If auto-email forwarding configuration is enabled, it might lead to severe security concerns if left unmonitored. You can block automatic email forwarding to external domains and protect your resources effectively.

2. Find and Restrict External Email Forwarding for Specific Users

If admins want to review the external forwarding configuration only for specific mailboxes, such as users working on a crucial project, they can prepare and include the CSV file with a list of required user addresses.

To find external email forwarding details for multiple users, you can include the CSV file path in the ‘MailboxNames’ parameter, as shown below.

./BlockExternalEmailForwarding.ps1 -MailboxNames <file path>

Replace the <file path> with the path of your created CSV file. You can also find external forwarding configuration in shared mailboxes and block them by including the desired mailbox address. Remember that the column name containing the users’ UPN should be ‘User Principal Name’ as shown in the image below.

Sample Input:

3. Find and Block External Email Forwarding Excluding Guest Users

Users can collaborate with external guest users for various purposes like project collaboration, etc. So, forwarding emails to them will be legitimate in these scenarios. If you want to get the external forwarding configurations excluding the external guest users in your organization, you can use the ‘-ExcludeGuests’ parameter while running the script, as shown below.

./BlockExternalEmailForwarding.ps1 -ExcludeGuests

The above script execution returns the emails forwarded to external users other than the guest users in the organization. It helps to easily narrow down to the desired result and block suspicious forwarding settings.

Note: Remember that the script considers the below as Guest users and excludes them from blocking.

4. Verify and Block External Email Forwarding Excluding Internal Guests

Before using B2B collaboration, organizations usually invite guest users and allow them to authorize by setting the internal credentials for them. Mail contacts and mail users are also considered as internal guests. They are added for working on projects, tasks, etc. Admins might want to exclude these internal guests in the external forwarding configuration report to drill down directly to desired results.

To achieve this, you can run the script by adding the ‘-ExcludeInternalGuests’ parameter.

./BlockExternalEmailForwarding.ps1 -ExcludeInternalGuests

Thus, forwarding to internal guest users (organizational users converted as guests) will be excluded from the output.

5. Block Suspicious External Forwarding SMTP Address (Input CSV)

As mentioned before, after executing the script, two reports will be generated: External email forwarding configuration report and Inbox rules with external forwarding report. After the reports are created, the script will prompt for confirmation to block all email forwarding settings displayed. If an admin identifies any forwarding settings that are legitimate and should not be blocked, they can choose ‘No’ when prompted.

Then, they should manually edit the output report by removing these legitimate entries from the output file. Once done, re-run the script with the ‘RemoveEmailForwardingFromCSV’ parameter.

./BlockExternalEmailForwarding.ps1 -RemoveEmailForwardingFromCSV <file path>

Replace the <file path> with the path of the edited output file. That way, instead of blocking all the forwarding settings, you block only the necessary configurations, excluding legitimate forwarding.

6. Disable Inbox Rules with External Forwarding Configurations

Like the above case, if admins don’t want to disable all the inbox rules shown in the output CSV file, admins can edit the file by removing inbox rules that shouldn’t be disabled in the organization. Then, run the script with the ‘-DisableInboxRuleFromCSV’ parameter as shown below.

./BlockExternalEmailForwarding.ps1 -DisableInboxRuleFromCSV <file path>

Replace the <file path> with the edited output file path. After confirmation, all the inbox rules included in the CSV file will be disabled in your organization.

Efficiently Monitor External Email Forwarding in Exchange Online with AdminDroid

AdminDroid’s external forwarding configuration report lets you view all the external email configuration with precise details, such as external domain, username who configured forwarding, count of forwarding users, external recipients, and more.

It helps to easily get the list of external domains to which emails are forwarded in your organization. Thus, you can easily decide and block suspicious domains effectively.

Moreover, the ‘mailbox with external forwarding inbox rules’ report displays all the inbox rules configured with external forwarding for each mailbox separately. It contains additional details like mailbox name, mailbox UPN, external address configured for forwarding as attachment to, forward to, redirect to, inbox rule condition details, rule processing status, and more. Also, you can get mailbox permission changes, user sign-in stats, and other crucial details.

Also, you can audit configuration changes made on external forwarding rules using the ‘Inbox Rules Configuration Changes with External Forwarding’ report. It helps to precisely identify any suspicious changes made to external forwarding inbox rules and revert them.

I hope this blog helps you to identify the external forwarding configuration and block unwanted settings in your configuration. Utilize the script to find suspicious forwarding easily. Drop your queries in the comment section. Happy securing!

The post Identify and Block External Email Forwarding in Exchange Online Using PowerShell appeared first on Office 365 Reports.
