16 Apr 2012

Controlling Automatic Message Forwarding Using the Remote Domain Configuration

Posted by Juergen

There are multiple ways to configure a mailbox so that the emails it receives are automatically forwarded to another recipient.

A user can create an inbox rule to forward mail to another recipient. In Office 365, a user can use the Connected Accounts tab in the Exchange Control Panel (ECP) to configure forwarding of all mail delivered to his Exchange Online mailbox. The SMTP address specified in the Connected Accounts tab is written to the Active Directory attribute msExchGenericForwardingAddress. In the Exchange Management Shell (EMS) this attribute is called ForwardingSmtpAddress.

An Exchange administrator can use the Exchange Management Console (EMC) to define the mail forwarding settings of a mailbox in the Mail Flow Settings / Delivery Options tab. The administrator has to pick an existing object from the Global Address List (GAL) as the forwarding target. Usually the Exchange administrator creates a mail contact for this purpose beforehand. The Active Directory (AD) attribute altRecipient stores the distinguished name of the referenced object in the GAL. In the EMS this is visible as ForwardingAddress.

You can also configure the mailbox so that a copy of each mail is stored in the local mailbox before the mail is forwarded to the final recipient. In EMS the parameter is called DeliverToMailboxAndForward, and the related AD attribute is deliverAndRedirect.

It can be a security issue for a company if users are able to automatically forward their mails to an external mailbox. Therefore, very often Exchange administrators have to restrict this feature to enforce the security policy of the company.

An Exchange administrator can use the Remote Domain configuration to control message forwarding. You can use the AutoForwardEnabled parameter of the Set-RemoteDomain cmdlet to control this feature.

In customer projects I frequently have the requirement that end users should not be able to automatically forward emails. Only in exceptional cases should an Exchange administrator configure forwarding for a specific mailbox.

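| Forwarding Method     | AutoForwardEnabled = True | AutoForwardEnabled = False |
|-----------------------|---------------------------|----------------------------|
| Inbox Rule            | Message delivered         | Message blocked            |
| ForwardingSmtpAddress | Message delivered         | Message blocked            |
| ForwardingAddress     | Message delivered         | Message delivered          |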

Based on the information in the previous table, it looks like an administrator can meet this requirement by setting AutoForwardEnabled = False and configuring a ForwardingAddress for the specific mailbox using EMC or EMS.

End users are not able to modify the ForwardingAddress using an ECP menu option and they do not have access to the EMC.

However, end users are able to modify the ForwardingAddress using Remote PowerShell!

The default management role assignment policy assigned to a mailbox includes the Set-Mailbox cmdlet with the ForwardingSmtpAddress and ForwardingAddress parameters. Luckily, users have to specify an existing recipient object in the GAL with the ForwardingAddress parameter, and it is unlikely that a mail contact exists in the GAL for their private mailbox. One option to prevent users from bypassing the remote domain configuration is to modify the management role assignment policy of regular mailboxes: you can remove the ForwardingAddress parameter from the Set-Mailbox cmdlet assigned to their mailbox.
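The lockdown described above, written out as an added example for the Exchange Management Shell (it is not code from the original post). The remote domain name "Default", the policy name "Default Role Assignment Policy" and the parent role "MyBaseOptions" are assumptions to verify in your organization (step 3 shows which roles actually carry the parameter), and "MyBaseOptions-NoForwarding" is a hypothetical name.

```powershell
# Added example; run in the Exchange Management Shell as an administrator.
# Assumed names (verify in your organization before running):
$remoteDomain = 'Default'                         # assumed remote domain entry
$policy       = 'Default Role Assignment Policy'  # assumed end-user policy name
$parent       = 'MyBaseOptions'                   # assumed role carrying Set-Mailbox
$newRole      = 'MyBaseOptions-NoForwarding'      # hypothetical name for the custom role

# 1. Block automatic forwarding to the remote domain. Per the table above this
#    stops inbox rules and ForwardingSmtpAddress, but not ForwardingAddress.
Set-RemoteDomain -Identity $remoteDomain -AutoForwardEnabled $false

# 2. Audit: list mailboxes that already have a forwarding target configured.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Show every role whose Set-Mailbox entry exposes ForwardingAddress.
#    Administrative roles appear here too; only the end-user role is changed below.
Get-ManagementRoleEntry -Identity '*\Set-Mailbox' -Parameters ForwardingAddress |
    Select-Object Role, Name

# 4. Built-in roles cannot be edited, so create a child role and remove
#    the parameter from its Set-Mailbox entry.
New-ManagementRole -Name $newRole -Parent $parent
Set-ManagementRoleEntry -Identity "$($newRole)\Set-Mailbox" `
    -Parameters ForwardingAddress -RemoveParameter

# 5. Assign the restricted role to the policy, then remove the original assignment.
New-ManagementRoleAssignment -Role $newRole -Policy $policy
Get-ManagementRoleAssignment -RoleAssignee $policy -Role $parent |
    Remove-ManagementRoleAssignment -Confirm:$false

# 6. Verify: the parameter is gone from the custom role and the policy
#    no longer references the parent role.
$entry = Get-ManagementRoleEntry -Identity "$($newRole)\Set-Mailbox"
if ($entry.Parameters -contains 'ForwardingAddress') {
    Write-Warning "ForwardingAddress is still available in $newRole"
}
Get-ManagementRoleAssignment -RoleAssignee $policy | Select-Object Name, Role
```

Mailboxes that legitimately need forwarding are then configured by an administrator with Set-Mailbox, and step 2 can be rerun periodically to spot unexpected forwarding targets.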
