In this article, you will learn how to find all mailboxes with forwarding enabled using PowerShell and the 365 Admin Center.
Reasons to Check for Mailbox Forwarding Rules
Checking for mailbox forwarding rules in Microsoft 365 is essential for security, compliance, and to identity compromised accounts. Here are more details:
- Prevent Data Loss: When a mailbox has forwarding enabled all emails to that mailbox can be forwarding to and external address. This could send sensitive data outside of your network which you would no longer have control.
- Identify Malicious Activity: Forwarding rules can be enabled by a phishing email or another type of virus. This is a sure sign that the user account associated with the mailbox has been compromised.
- Ensure Compliance: You may have data that must comply with compliance or an audit such as PCI, HIPAA, CJIS, FBI data and so on. Ensuring company emails are not being forwarding to external users will help you stay in compliance.
- Phishing Emails: I’ve already mention phishing emails but it’s worth mentioning again. If you have mailboxes that unexpectedly enabled forwarding, then it’s a strong indicator of compromised accounts. Running regular audits on mailboxes with forwarding enabled can help mitigate data loss and further attacks on your network.
Find Mailboxes with Forwarding Enabled Using PowerShell
For a bulk view, PowerShell is best. It allows you to list all mailboxes with internal or external forwarding configured.
First, you need to have the Online Exchange installed and be connected.
Install
Install-Module ExchangeOnlineManagementConnect
Connect-ExchangeOnline -UserPrincipalName youradmin@yourdomain.comFind Forwarding Enabled for a Single User
Get-Mailbox user@yourdomain.com | Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Find Forwarding Enabled for All Users.
Get-Mailbox -ResultSize Unlimited | Where-Object {
$_.ForwardingSmtpAddress -ne $null -or $_.ForwardingAddress -ne $null
} | Select-Object DisplayName, UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Find Mailboxes with Forwarding Enabled in Microsoft 365 Admin Center
In the Admin Center, you can check individual users by opening their profile and looking under Mail settings for forwarding. The user must be licensed to view email forwarding.
Step 1: Log into Microsoft 365 Admin Center
Step 2: On the left side, go to Users > Active users.
Step 3: Search for the user you want to check for mail forwarding.
Step 4: In the mail settings, click Manage Email Forwarding under Email Forwarding.
Step 5: If email forwarding was enabled, it will show the destination address.
- Your company might have requirements to restrict or control automatically forwarded messages to external recipients.
- Forwarding emails to people outside your organization can be a security risk. If you still want to allow it, you can set up an outbound policy to allow it only for specific users who need it.
Conclusion
In this article, I showed you two options for finding mailboxes that have forwarding enabled. Mailboxes that have external forwarding enabled can be a security concern and can lead to data loss. Running a regular audit for mailbox forwarding rules can ensure you meet compliance and minimize data loss.