I had a customer recently ask me about removing forwarding. There are two steps to do this the first is to remove the UI settings and the other to change the mailbox settings. The original article written for Live@edu was a little different as the rule set has changed in Office 365. I owe my efforts to the original article here.
Please use the following instructions to disable forwarding in Office 365:
1. Create new role which parent is “MyBaseOptions”
New-ManagementRole -Parent MyBaseOptions -Name NewMyBaseOptions
2. Remove some options related “forwarding” in “Set-Mailbox”
Set-ManagementRoleEntry NewMyBaseOptions\Set-Mailbox -Parameters DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress -RemoveParameter
3.Create new role assignment policy which contains “NewMyBaseOptions”
New-RoleAssignmentPolicy -Name DenyForwardingRoleAssignmentPolicy -Roles NewMyBaseOptions,MyContactInformation, MyRetentionPolicies,MyMailSubscriptions,MyTextMessaging,MyVoiceMail,MyDistributionGroupMembership,
4. Assign the new policy to the appropriate mailbox.
Set-Mailbox –Identity XXX -RoleAssignmentPolicy DenyForwardingRoleAssignmentPolicy
Of course if you have multiple user sets then create different policies and assign. For example if you want some to forward and some not to create two policies.
Thanks Greg! Could you also add to this Policy one that disables users from adding other email accounts to their cloud account?
Great post Greg - you really helped me out. Thanks!
Something additional for anyone else is looking to do this - I implemented the new RoleAssignmentPolicy as detailed above which removes the "Forward" button in OWA, but it is still possible to create rules to forward or redirect messages using InboxRules. If you wanted to remove this ability as well, consider removing the following parameters from "Set-InboxRule" variable: ForwardTo,ForwardAsAttachmentTo,RedirectTo,
i.e. run the cmd below.
Set-ManagementRoleEntry NewMyBaseOptions\Set-InboxRule -Parameters ForwardTo,ForwardAsAttachmentTo,RedirectTo -RemoveParameter
GregK's info seemed to work pretty well (my test mailbox, through OWA, no longer has the section for Forwarding on the Options (all options) -> Account => Connected Accounts page...(I have not yet tested whether this restricts an Outlook client install)...
JC's info almost worked also - it did removed (in OWA) the options in creating a rule for "ForwardTo" and "ForwardAsAttachmentTo" ....but, I can still create a rule that has an action of "Redirect" (although in PowerShell, there does not seem to be a parameter for "RedirectTo" any longer....but, it is still an option in the OWA Rule actions, and does still function......My assumption is that there is another parameter related to redirection, but I haven't figured out a way to get an actual list that is completely readable, from a PowerShell prompt (it gets truncated after displaying the first 3 parameter names...)...documentation online does not list any other redirection parameters besides "RedirectTo".
(by the way - an overlooked on many posts regarding O365, and PowerShell management of it.....there is a "Microsoft Online Services Module for PowerShell"....which allows some functionality for management (runs with a black-background window).....and a direct Windows PowerShell method (runs with a blue-background window)...the blue background is what is needed for this topic (allows server-side session - see help.outlook.com/.../cc952755.aspx, or search for "Office 365 Connect Windows PowerShell to the Service")).
I got a Microsoft 365 forum person to respond with an alternate command that removed the Redirect to that was not being removed with the other command.
Set-ManagementRoleEntry NewMyBaseOptions\New-InboxRule -Parameters ForwardTo,ForwardAsAttachmentTo,RedirectTo –RemoveParameter
This has allowed us to effectively remove any ability to set a rule now to forward mail on an Exchange 2013 tenet on Office 365