none
Blocking automatic forwarding in Outlook Web Access (OWA) RRS feed

  • Question

  • I'm having trouble removing the Forwarding setting from OWA for our users. I followed the two guides at the links below, but the Forwarding option is still available in OWA. I created the new management role and new role assignment policy, removed the forwarding parameters (see PowerShell commands below), and have assigned the role assignment policy to my user mailbox, but the Forwarding option is still available to me within OWA after waiting 36 hours. We also modified the Default Remote Domain and unchecked "Allow automatic forwarding" although I don't believe this is required for removing the Forwarding option for OWA. Am I missing something here?

    # Create a new management role called "MyBaseOptions-DisableForwarding", copying the the "MyBaseOptions" management role
    PS C:\> New-ManagementRole -Name "MyBaseOptions-DisableForwarding" -Parent "MyBaseOptions"
    
    # Remove the forwarding parameters from the "MyBaseOptions-DisableForwarding" management role
    PS C:\> Set-ManagementRoleEntry -Identity "MyBaseOptions-DisableForwarding\Set-Mailbox" -Parameters "DeliverToMailboxAndForward","ForwardingAddress","ForwardingSmtpAddress" -RemoveParameter
    
    # Verify the parameters are removed
    PS C:\> (Get-ManagementRoleEntry -Identity "MyBaseOptions-DisableForwarding\Set-Mailbox").parameters
    AcceptMessagesOnlyFrom
    AcceptMessagesOnlyFromDLMembers
    AcceptMessagesOnlyFromSendersOrMembers
    ErrorAction
    ErrorVariable
    ExternalOofOptions
    GrantSendOnBehalfTo
    Identity
    Languages
    MailTip
    MailTipTranslations
    MessageCopyForSendOnBehalfEnabled
    MessageCopyForSentAsEnabled
    MessageRecallProcessingEnabled
    OutBuffer
    OutVariable
    Password
    RejectMessagesFrom
    RejectMessagesFromDLMembers
    RejectMessagesFromSendersOrMembers
    RequireSenderAuthenticationEnabled
    UserCertificate
    UserSMimeCertificate
    WarningAction
    WarningVariable
    
    # Create the new role assignment policy called "Default Role Assignment Policy - Disable Forwarding" 
    PS C:\> New-RoleAssignmentPolicy -Name "Default Role Assignment Policy - Disable Forwarding" -Description "This policy grants end users the permission to set their options in Outlook on the web and perform other self-administration tasks." -Roles "MyContactInformation","MyProfileInformation","My ReadWriteMailbox Apps","My Custom Apps","MyTextMessaging","MyVoiceMail","MyMailSubscriptions","MyBaseOptions-DisableForwarding","My Marketplace Apps","MyRetentionPolicies"

    Links:

    https://blogs.technet.microsoft.com/exovoice/2017/12/07/disable-automatic-forwarding-in-office-365-and-exchange-server-to-prevent-information-leakage/

    https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/The-many-ways-to-block-automatic-email-forwarding-in-Exchange/ba-p/607579

    Friday, July 19, 2019 5:27 PM

Answers

  • I'm having trouble removing the Forwarding setting from OWA for our users. I followed the two guides at the links below, but the Forwarding option is still available in OWA. I created the new management role and new role assignment policy, removed the forwarding parameters (see PowerShell commands below), and have assigned the role assignment policy to my user mailbox, but the Forwarding option is still available to me within OWA after waiting 36 hours. We also modified the Default Remote Domain and unchecked "Allow automatic forwarding" although I don't believe this is required for removing the Forwarding option for OWA. Am I missing something here?

    # Create a new management role called "MyBaseOptions-DisableForwarding", copying the the "MyBaseOptions" management role
    PS C:\> New-ManagementRole -Name "MyBaseOptions-DisableForwarding" -Parent "MyBaseOptions"
    
    # Remove the forwarding parameters from the "MyBaseOptions-DisableForwarding" management role
    PS C:\> Set-ManagementRoleEntry -Identity "MyBaseOptions-DisableForwarding\Set-Mailbox" -Parameters "DeliverToMailboxAndForward","ForwardingAddress","ForwardingSmtpAddress" -RemoveParameter
    
    # Verify the parameters are removed
    PS C:\> (Get-ManagementRoleEntry -Identity "MyBaseOptions-DisableForwarding\Set-Mailbox").parameters
    AcceptMessagesOnlyFrom
    AcceptMessagesOnlyFromDLMembers
    AcceptMessagesOnlyFromSendersOrMembers
    ErrorAction
    ErrorVariable
    ExternalOofOptions
    GrantSendOnBehalfTo
    Identity
    Languages
    MailTip
    MailTipTranslations
    MessageCopyForSendOnBehalfEnabled
    MessageCopyForSentAsEnabled
    MessageRecallProcessingEnabled
    OutBuffer
    OutVariable
    Password
    RejectMessagesFrom
    RejectMessagesFromDLMembers
    RejectMessagesFromSendersOrMembers
    RequireSenderAuthenticationEnabled
    UserCertificate
    UserSMimeCertificate
    WarningAction
    WarningVariable
    
    # Create the new role assignment policy called "Default Role Assignment Policy - Disable Forwarding" 
    PS C:\> New-RoleAssignmentPolicy -Name "Default Role Assignment Policy - Disable Forwarding" -Description "This policy grants end users the permission to set their options in Outlook on the web and perform other self-administration tasks." -Roles "MyContactInformation","MyProfileInformation","My ReadWriteMailbox Apps","My Custom Apps","MyTextMessaging","MyVoiceMail","MyMailSubscriptions","MyBaseOptions-DisableForwarding","My Marketplace Apps","MyRetentionPolicies"

    Links:

    https://blogs.technet.microsoft.com/exovoice/2017/12/07/disable-automatic-forwarding-in-office-365-and-exchange-server-to-prevent-information-leakage/

    https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/The-many-ways-to-block-automatic-email-forwarding-in-Exchange/ba-p/607579

    Are you also an Exchange admin role holder? If so, RBAC is a cumulative permissions model so you would still see that option. Try testing with a regular or test user.

    Friday, July 19, 2019 6:40 PM
    Moderator

All replies

  • I'm having trouble removing the Forwarding setting from OWA for our users. I followed the two guides at the links below, but the Forwarding option is still available in OWA. I created the new management role and new role assignment policy, removed the forwarding parameters (see PowerShell commands below), and have assigned the role assignment policy to my user mailbox, but the Forwarding option is still available to me within OWA after waiting 36 hours. We also modified the Default Remote Domain and unchecked "Allow automatic forwarding" although I don't believe this is required for removing the Forwarding option for OWA. Am I missing something here?

    # Create a new management role called "MyBaseOptions-DisableForwarding", copying the the "MyBaseOptions" management role
    PS C:\> New-ManagementRole -Name "MyBaseOptions-DisableForwarding" -Parent "MyBaseOptions"
    
    # Remove the forwarding parameters from the "MyBaseOptions-DisableForwarding" management role
    PS C:\> Set-ManagementRoleEntry -Identity "MyBaseOptions-DisableForwarding\Set-Mailbox" -Parameters "DeliverToMailboxAndForward","ForwardingAddress","ForwardingSmtpAddress" -RemoveParameter
    
    # Verify the parameters are removed
    PS C:\> (Get-ManagementRoleEntry -Identity "MyBaseOptions-DisableForwarding\Set-Mailbox").parameters
    AcceptMessagesOnlyFrom
    AcceptMessagesOnlyFromDLMembers
    AcceptMessagesOnlyFromSendersOrMembers
    ErrorAction
    ErrorVariable
    ExternalOofOptions
    GrantSendOnBehalfTo
    Identity
    Languages
    MailTip
    MailTipTranslations
    MessageCopyForSendOnBehalfEnabled
    MessageCopyForSentAsEnabled
    MessageRecallProcessingEnabled
    OutBuffer
    OutVariable
    Password
    RejectMessagesFrom
    RejectMessagesFromDLMembers
    RejectMessagesFromSendersOrMembers
    RequireSenderAuthenticationEnabled
    UserCertificate
    UserSMimeCertificate
    WarningAction
    WarningVariable
    
    # Create the new role assignment policy called "Default Role Assignment Policy - Disable Forwarding" 
    PS C:\> New-RoleAssignmentPolicy -Name "Default Role Assignment Policy - Disable Forwarding" -Description "This policy grants end users the permission to set their options in Outlook on the web and perform other self-administration tasks." -Roles "MyContactInformation","MyProfileInformation","My ReadWriteMailbox Apps","My Custom Apps","MyTextMessaging","MyVoiceMail","MyMailSubscriptions","MyBaseOptions-DisableForwarding","My Marketplace Apps","MyRetentionPolicies"

    Links:

    https://blogs.technet.microsoft.com/exovoice/2017/12/07/disable-automatic-forwarding-in-office-365-and-exchange-server-to-prevent-information-leakage/

    https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/The-many-ways-to-block-automatic-email-forwarding-in-Exchange/ba-p/607579

    Are you also an Exchange admin role holder? If so, RBAC is a cumulative permissions model so you would still see that option. Try testing with a regular or test user.

    Friday, July 19, 2019 6:40 PM
    Moderator
  • Hi Andy,

    Thanks for your response. I am a Global administrator in our Office 365 tenant, so this would likely explain why I still have the Forwarding option. I will have to read up on RBAC in Exchange and test this with a regular user mailbox.



    Friday, July 19, 2019 6:56 PM
  • Hi David,

    How about the result when testing with a regular user mailbox? 

    If you have any questions or needed further help on this issue, please feel free to post back. If the issue has been resolved, please mark the helpful replies as answers, this will make answer searching in the forum easier and be beneficial to other community members as well.

    Thanks for your understanding.

    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com

    Monday, July 22, 2019 7:30 AM
    Moderator
  • Hi Neko,

    I was testing this today with a regular user mailbox and have confirmed this was the issue. I will mark Andy's reply as the answer.

    Thank you,
    David

    Monday, July 22, 2019 5:32 PM