Dave Herrell - Blog - IT Toolbox - PowerShell Banner

PowerShell Basics: Audit Email Box Forwarding

A recent internal audit brought up a need to periodically review user mailbox forwarding. Forwarding can be set up for a couple of reasons, such as forwarding an off-boarded user's email to their manager, or sending email to an external system like Zendesk. Regardless of the reason, you should review it once in a while. In some cases this can be a pain for compliance, for example if a user gets off-boarded and they had set up forwarding rules to their personal email account.

There are two types of forwards to scan for. The first is set at the Exchange level, which would've been set up by someone with Exchange admin privileges. You can use this quick script to review these types of forwards.

It exports the following fields to a CSV file:

  • Display Name
  • UPN
  • Forwarding Address (Internal)
  • Forwarding Address

Make sure you run it as admin and update the export path to what’s needed. 

				
# Connect to Exchange Online (requires prior configuration)
Connect-ExchangeOnline

# Set the output file path (modify as needed)
$outputFile = "C:\Users\dave\Desktop\MailboxForwardingReport.csv"

# Get all mailboxes and filter for those with forwarding enabled
Get-Mailbox -ResultSize Unlimited | Where-Object {
    # Keep $null on the left so the comparison is always a true null check
    $null -ne $_.ForwardingAddress -or $null -ne $_.ForwardingSmtpAddress
} | Select-Object @{Name="DisplayName";Expression={$_.DisplayName}},
                  ForwardingAddress,
                  @{Name="UserPrincipalName (UPN)";Expression={$_.UserPrincipalName}},
                  ForwardingSmtpAddress | Export-Csv -Path $outputFile -NoTypeInformation

# Display confirmation message
Write-Host "Mailbox forwarding report exported to: $outputFile"
				
			

Last, we have a script that digs deeper into your Exchange environment. It scans every mailbox rule to verify any external forwarding. This export is handy for reviewing possible compliance issues.

A few things to note about running this:

  • This is going to take some time; the more mailboxes you have, the longer it will take.
  • This scans EVERY mailbox rule, and if there are issues with a rule, they will be displayed in your terminal output.

Run this script as admin, and make sure you update the export path as well.

				
# Import the Exchange Online PowerShell module
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online
Connect-ExchangeOnline

# Get all mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

# Create a list to hold the results
$results = @()

# Loop through each mailbox
foreach ($mailbox in $mailboxes) {
    # Get mailbox user principal name
    $UPN = $mailbox.UserPrincipalName

    # Get the mailbox rules
    $rules = Get-InboxRule -Mailbox $mailbox.Identity

    # Loop through each rule
    foreach ($rule in $rules) {
        # Check if the rule forwards or redirects emails
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            # Create a custom object to hold the rule details
            $ruleDetails = [PSCustomObject]@{
                MailboxName = $mailbox.DisplayName
                UPN = $UPN
                RuleName = $rule.Name
                ForwardTo = $rule.ForwardTo -join "; "
                ForwardAsAttachmentTo = $rule.ForwardAsAttachmentTo -join "; "
                RedirectTo = $rule.RedirectTo -join "; "
            }
            # Add the rule details to the results list
            $results += $ruleDetails
        }
    }
}

# Export the results to a CSV file
$results | Select-Object MailboxName, UPN, RuleName, ForwardTo, ForwardAsAttachmentTo, RedirectTo | Export-Csv -Path "C:\Users\dave\Desktop\ForwardingRules.csv" -NoTypeInformation

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false

Write-Output "Export completed. The CSV file is saved at C:\Users\dave\Desktop\ForwardingRules.csv" 
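
The rule script above lists every forwarding or redirect rule, whether the target is internal or not. As an added example (not from the original post), this function takes rows shaped like its CSV export and keeps only targets whose SMTP domain is not one of yours. The function name, sample rows, domains and the `"Name" [SMTP:address]` recipient format are assumptions.

```powershell
# Added example, not from the original post. All sample values are constructed.
function Get-ExternalForwardTarget {
    param(
        [Parameter(Mandatory)] [object[]] $Row,            # rows shaped like ForwardingRules.csv
        [Parameter(Mandatory)] [string[]] $InternalDomain  # domains your tenant owns
    )
    foreach ($r in $Row) {
        # Check all three action columns that the audit script exports
        foreach ($column in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            $value = [string]$r.$column
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Assumed format: '"Name" [SMTP:user@domain]'; EX: entries never match
            $found = [regex]::Matches($value, '\[SMTP:([^\]\s]+@([^\]\s]+))\]', 'IgnoreCase')
            foreach ($m in $found) {
                $domain = $m.Groups[2].Value.ToLowerInvariant()
                # Exact, case-insensitive domain comparison (subdomains count as external)
                if ($InternalDomain -notcontains $domain) {
                    [PSCustomObject]@{
                        UPN      = $r.UPN
                        RuleName = $r.RuleName
                        Action   = $column
                        Target   = $m.Groups[1].Value
                    }
                }
            }
        }
    }
}

# Constructed sample rows standing in for Import-Csv of the report
$sampleRows = @(
    [PSCustomObject]@{ UPN = 'alice@contoso.example'; RuleName = 'To manager'
        ForwardTo = '"Bob Lee" [EX:/o=ExchangeLabs/ou=Example/cn=Recipients/cn=bob]'
        ForwardAsAttachmentTo = ''; RedirectTo = '' }
    [PSCustomObject]@{ UPN = 'carol@contoso.example'; RuleName = 'Copy home'
        ForwardTo = '"Dan" [SMTP:dan@contoso.example]; "carol.home" [SMTP:carol.home@mail.example]'
        ForwardAsAttachmentTo = ''; RedirectTo = '' }
    [PSCustomObject]@{ UPN = 'erin@contoso.example'; RuleName = 'Tickets'
        ForwardTo = ''; ForwardAsAttachmentTo = ''
        RedirectTo = '"Helpdesk" [SMTP:support@Helpdesk.Example]' }
)

# Live tenant: use (Get-AcceptedDomain).DomainName instead of this constructed list
$internalDomains = @('contoso.example')
Get-ExternalForwardTarget -Row $sampleRows -InternalDomain $internalDomains |
    Format-Table -AutoSize
```

Against a real export, pass the output of `Import-Csv` on the report file as `-Row`.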

				
			

There you have it.  An easy way to audit all your MS365 mailbox forwarding.   

Hope you find this helpful!