As you know, Exchange administrators and end users have long been able to automatically forward incoming email to another email address, either internal or external.
Because end users can set up automatic forwarding themselves, either with a server-side rule or with the option in the Outlook settings in Outlook Web Access, automatic forwarding is not always visible to, or controlled by, the Exchange administrator.
You should also know that automatic forwarding is, most of the time, not a good thing, as you cannot easily control data leaks.
Here are the options available to Exchange Online administrators to manage (that is, block) automatic forwarding to external email addresses.
- Outbound spam policy
You can manage automatic forwarding with the Automatic forwarding enabled setting on the Threat Management\Policy blade of the Security portal (https://protection.office.com/). This option has been available for quite some time.
This will block the user setting mentioned above.
- Remote domain configuration
This option is a new capability for managing automatic forwarding. While the above solution (outbound spam policy) is the best, it applies to all external domains. The remote domain configuration lets you block automatic forwarding in general but allow it for specific domains.
This option is available in the new Exchange Online admin center (https://admin.exchange.microsoft.com/) on the Mail flow\Remote domains blade.
- Transport rule
This is not a solution per se, but it can do the trick too.
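The three controls listed above can also be reviewed and set from Exchange Online PowerShell. The following is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, and the domain partner.example, the remote domain name and the transport rule name are constructed placeholders.

```powershell
# Added example. Assumes: Connect-ExchangeOnline has already been run.
# partner.example, 'Partner' and the rule name are constructed placeholders.

# Inventory first: forwarding set on the mailbox itself...
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# ...and forwarding done by user-created inbox rules (slow on large tenants).
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo,
                      ForwardAsAttachmentTo, RedirectTo
}

# Option 1 - outbound spam policy: blocks automatic forwarding to every
# external domain for users covered by the default policy.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Option 2 - remote domains: block in general, allow one specific domain.
# A block in the outbound spam policy (option 1) still applies to that domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-RemoteDomain -Name 'Partner' -DomainName 'partner.example'
Set-RemoteDomain -Identity 'Partner' -AutoForwardEnabled $true

# Option 3 - transport rule: one possible rule that rejects auto-forwarded
# messages leaving the organization and tells the sender why.
$rule = @{
    Name                    = 'Block external auto-forward'
    FromScope               = 'InOrganization'
    SentToScope             = 'NotInOrganization'
    MessageTypeMatches      = 'AutoForward'
    RejectMessageReasonText = 'Automatic forwarding to external recipients is not allowed.'
}
New-TransportRule @rule
```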
Finally, Exchange administrators can be alerted to suspicious email forwarding using alert policies. You may already know that you can be alerted when automatic forwarding is set (Alert for automatic forwarding), but this one lets you keep the automatic forwarding capability available for your end users and notifies you when suspicious forwarding is set.
You can manage this new alert, called Suspicious email forwarding activity, from the Alerts\Alert policies blade of the Security portal (https://protection.office.com/).