How to you restrict external email forwarding in 2025.1?

Question

Now that version 2025.1 allows you to type in an external email address in the "Forward to" field, how can you restrict that? We only allow our admins to set forwarders to other user accounts, groups or contacts (pre-created by Exchange admins). But forwarding to random external email addresses is restricted to Exchange admins.

I tried locking it down with a Property Pattern, but that still thinks the "Forward to" field is a DN. And from what I can see, Adaxes isn't even updating the "Forward to" field on the user account, but just goes out to Exchange Online to set the external forwarding.

We have a Hybrid environment with the user accounts being in AD, the mailboxes in Exchange Online, and an Exchange SE server + EntraID Connect to sync the Exchange attributes.

Answer 1

Hello Felix,

As a solution, you can use a business rule triggering Before updating a user like below and a PowerShell script. The script will validate the newly set forwarding address and cancel the operation in case the address is not valid. Unfortunately, we do not have anything like that in our repository.

Comments

ok thanks

This is the code I ended up using:

$Context.ConditionIsMet = $False $forwardTo = $context.GetModifiedPropertyValue("altRecipient") if($forwardto -notlike "guid:{*}"){ $Context.ConditionIsMet = $true }

From what I found in my tests, selecting an object from the directory results in a value like this: guid:{<object-guid>}

.. and putting in an email address would generate something like this: unknown:<someguid>