Auto-Forwarding Report
Lists all mailboxes with automatic forwarding configured across your managed tenants. This report is critical for security as external forwarding can indicate account compromise or data exfiltration.
Overview
The Auto-Forwarding Report identifies mailboxes that have inbox rules or forwarding settings configured to redirect mail to other addresses. External forwarding is a common technique used by attackers after compromising an account.
Warning: External forwards should be reviewed immediately. Unauthorized external forwarding is a common indicator of compromise and may violate compliance policies.
Report Columns
| Column | Description |
|---|---|
| User | The mailbox owner display name and email address |
| Forwarding Type | Inbox Rule, SMTP Forwarding, or Transport Rule |
| Forward To | The destination address receiving forwarded mail |
| Direction | Internal (within tenant) or External (outside organization) |
| Status | Active or Disabled |
| Created Date | When the forwarding rule was configured |
| Created By | Whether the rule was created by the user or an admin |
Forwarding Types
The report distinguishes between three types of forwarding:
- Inbox Rules — User-created rules that forward or redirect messages
- SMTP Forwarding — Mailbox-level forwarding configured via ForwardingSMTPAddress
- Transport Rules — Organization-wide mail flow rules that redirect messages
Security Risk Assessment
Each forwarding rule is assessed for risk:
- High Risk — External forwarding to personal email domains (gmail.com, outlook.com, etc.)
- Medium Risk — External forwarding to business partner domains
- Low Risk — Internal forwarding within the organization
- Informational — Forwarding to shared mailboxes or distribution lists
Filters
- Direction — All, External only, Internal only
- Forwarding Type — Inbox Rule, SMTP, Transport Rule
- Status — Active, Disabled
- Risk Level — High, Medium, Low
- Date Range — Filter by when forwarding was configured
Recommended Actions
- Review all external forwards and confirm they are legitimate
- Disable unauthorized forwarding rules immediately
- Enable transport rules to block external auto-forwarding
- Set up alerts for new external forwarding rules
Graph API Data Sources
GET /reports/getEmailActivityUserDetailGET /users/{id}/mailboxSettings
API Reference
GET /api/reports/exchange/auto-forwards— Get auto-forwarding rules reportPOST /api/reports/exchange/auto-forwards/export— Export report dataDELETE /api/reports/exchange/auto-forwards/{ruleId}— Disable a forwarding rule
Last updated on