How to view users' mailbox rules in Exchange Online
Last updated on:In this page
- Graph PowerShell
- M365 Manager Plus
Why audit mailbox rules in Microsoft 365?
When a user's account is compromised, attackers often create inbox rules to hide their tracks or exfiltrate data. These rules can automatically forward emails to an external address, delete specific messages, or move them to other folders.
For administrators, manually checking the rules for every user is an impossible task, especially in large organizations. Without a centralized way to list them, it's difficult to identify suspicious forwarding rules, ensure compliance with company policies, and troubleshoot delivery problems effectively.
Method 1: How to get a list of mailbox rules using Exchange Online PowerShell
Note: The option to view and manage inbox rules for other users in the Exchange Admin Center (EAC) is deprecated. Exchange Online PowerShell is now the only native method for running this audit organization-wide.
Prerequisites
Before using Exchange Online PowerShell, please verify that:
- The ExchangeOnlineManagement PowerShell module is installed. If not, install it using this script:
Install-Module ExchangeOnlineManagement -Scope CurrentUser Update-Module ExchangeOnlineManagement
- Connect to the Exchange Online module using this script:
Connect-ExchangeOnline
- You have the Exchange Administrator role assigned. This role is required to run the Get-InboxRule cmdlet across mailboxes.
Use the Get-InboxRule to export a list of inbox rules in Exchange Online
The Get-InboxRule cmdlet can be used with Get-Mailbox to retrieve all inbox rules for all users in your organization. The script first retrieves all mailboxes and then loops through each one to collect its associated rules. The syntax for retrieving a list of all inbox rules is given below:
Get-Mailbox -ResultSizeUnlimited |
ForEach-Object {
Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
Select-Object @{Name="Mailbox";Expression={$_.MailboxOwnerId}},
Name, Enabled, Priority, Description
} | Export-Csv "C:\Reports\InboxRules_AllMailboxes.csv" -NoTypeInformation -Encoding UTF8
Use the new Get-EXOMailbox cmdlet with Get-InboxRule per Microsoft's recommendation
Microsoft recommends using Get-EXOMailbox instead of Get-Mailbox in Exchange Online. The EXO cmdlets are optimized for the cloud service, offer better throttling management, and will continue to be updated, whereas the older cmdlets are maintained mainly for backward compatibility.
Get-EXOMailbox -ResultSizeUnlimited |
ForEach-Object {
Get-InboxRule -Mailbox $_.UserPrincipalName |
Select-Object @{Name="Mailbox"; Expression={$_.MailboxOwnerId}},
Name, Enabled, Priority, Description
} | Export-Csv "C:\Reports\InboxRules_AllMailboxes_EXO.csv" -NoTypeInformation -Encoding UTF8
Supported parameters
The following table contains some parameters that can be used with the Get-InboxRule cmdlet to provide details on users' inbox rules.
| Parameter | Description |
|---|---|
| Name | The name of the inbox rule. |
| Identity | Unique identifier of the rule. |
| Enabled | Boolean flag indicating whether the rule is active. |
| Priority | The order in which the rule is applied to incoming messages. |
| Description | Text summary of the conditions and actions associated with the rule. |
| MailboxOwnerId | The mailbox to which the rule belongs. |
An example use case for the Get-InboxRule cmdlet: Internal audits
Scenario: An IT administrator needs to conduct a quarterly audit of all inbox rules that forward emails to external addresses to ensure they comply with company data security policies.
This is the cmdlet you will have to run to generate a report of all inbox rules with external forwarding actions.
Get-EXOMailbox -ResultSizeUnlimited |
ForEach-Object {
Get-InboxRule -Mailbox $_. UserPrincipalName |
Where-Object { $_.ForwardTo -ne $null -or $_.RedirectTo -ne $null } |
Select-Object @{Name="Mailbox";Expression={$_.MailboxOwnerId}},
Name, Enabled, Priority, Description
} | Export-Csv"C:\Reports\InboxRules_ExternalForwarding.csv" -NoTypeInformation -EncodingUTF8
Method 2: How to get a list of mailbox rules using M365 Manager Plus
- Log in to M365 Manager Plus and click the Reports tab.
- Navigate to Exchange Online > Mailbox Content Reports.
- Select the Inbox Rules report to view and export inbox rules across all users in your organization.
Monitor inbox rules with M365 Manager Plus
Centralized inbox rule tracking
M365 Manager Plus enables administrators to easily view and monitor inbox rules across all user mailboxes. Instead of running scripts with individual parameters, you can centrally track rules that forward, redirect, or delete emails, helping you quickly identify risky or unauthorized configurations, replacing a functionality that was previously available in the Exchange Admin Center.
Real-time alerts on inbox rule changes
Assign or update retention policies for multiple mailboxes in one action using CSV imports or intuitive GUI options, eliminating the need for repetitive, one-by-one updates.
Eliminate PowerShell complexity
With M365 Manager Plus, you don’t need to rely on complex cmdlets like Get-InboxRule, Get-Mailbox, or Get-EXOMailbox for your mailbox audits. All inbox rule monitoring and reporting can be accomplished through M365 Manager Plus' user-friendly interface, reducing dependency on scripts and minimizing errors.
Important tips
Regularly audit inbox rule changes: Periodically review users' inbox rules and any changes to them outside of business hours. This can help identify unauthorized data forwarding or other security risks.
Educate users on inbox rule security: Inform users about the appropriate use of inbox rules and the security implications of certain actions, such as forwarding sensitive information.
Track and manage forwarding rules: Forwarding rules can pose a security risk if not properly managed, as they can be used to exfiltrate sensitive data. Be sure to audit these rules regularly to ensure they are configured correctly and are not forwarding data to unauthorized recipients.
Frequently asked questions
Neither the Microsoft 365 admin center nor the Exchange Admin Center supports viewing or managing users’ inbox rules for admins. You can use Exchange Online PowerShell to export a list of Exchange Online inbox rules, or view all inbox rules in one click with M365 Manager Plus' centralized report.
You can specify a user's identity with the Get-InboxRule cmdlet to view their specific rules:
Get-InboxRule -Mailbox <email id>.
With the Exchange Administrator role, you can query rules using Get-InboxRule -Mailbox <user> without having each mailbox delegated to them.
Inbox rules run in the user’s mailbox after delivery. Transport rules (mail flow rules) run at the organization level on messages in transit.