Restrict Emails to External Addresses in Microsoft 365
In Microsoft 365 environments, users send emails to external recipients for various purposes such as client relationships, customer communication, and project collaboration. However, this can pose a significant risk to the organization’s data, especially if the external domains are suspicious or targeted by hackers for unauthorized access. To reduce this risk, admins might want to restrict users from sending emails to external addresses. Admins can also implement this as one of the email security best practices to protect their organization’s data from harmful threats.
Let’s see how to block Microsoft 365 users from sending emails to external recipients.
Admins can restrict users from sending emails to external addresses using an Exchange Online mail flow rule (transport rule). The mail flow rule can be created either via the Exchange admin center or PowerShell.
Note: You can also block email auto-forwarding to external domains to avoid emails being sent to external recipients.
Admins can follow the steps below to create a mail flow rule in the Exchange admin center that prevents users from sending emails to external addresses.
Step 1: Sign in to the Exchange admin center.
Step 2: Navigate to Mail flow –> Rules.
Step 3: Click on ‘Add a rule’ and select the ‘Restrict messages by sender or recipient’ default template.
Step 4: Set Mail Flow Rule Conditions
- Name your rule. For example: Restrict mails to external recipients.
- Click on the first dropdown under ‘Apply this rule if’ and select ‘The recipient’.
- Then, click on the adjacent dropdown and select ‘is external/internal’.
- A side pane appears, requiring the recipient location. Click on the dropdown and choose ‘Outside the organization’. Click ‘Save’.
- Click on the first dropdown under ‘Do the following’ and select the ‘Block the message’ option.
- Click on the adjacent dropdown and choose your desired option to either reject or delete the message.
  For testing, we opted for the first option, which then asked for a rejection reason. You can also choose other options based on your requirements.
- Click ‘Next’.
Tip: If admins want to exclude any specific external user or domain, they can use the ‘Except if’ option to exclude the recipient from this rule.
Step 5: Set Mail Flow Rule Settings
- By default, the rule mode is set as ‘Enforce’. If required, admins can change it to test with or without policy tips.
- Click on the Severity dropdown and choose the desired option.
- If admins want the rule to activate or deactivate on a specific date, they can use the corresponding checkboxes and specify the date and time.
- Leave the ‘Match sender address in message’ as ‘Header’ and click ‘Next’.
- Review the policy conditions & settings and click ‘Finish’.
- Once the transport rule has been created, click Done.
After the rule is created, it will be in a disabled state. Admins need to enable the rule by selecting it and turning on its toggle.
Tip: To verify the inbound and outbound email details efficiently, admins can use the message trace in the Exchange admin center.
To create a transport rule using Exchange PowerShell, follow the steps below.
- Connect to Exchange Online PowerShell with the desired cmdlet.
- Run the cmdlet below to create a mail flow rule that restricts users from sending emails outside the organization.
New-TransportRule -Name "Restrict Mails To External Recipients" -SentToScope NotInOrganization -RejectMessageReasonText "Not allowed to send emails to external users" -Mode Enforce -SetAuditSeverity Medium
If you want to delete the message without notifying anyone, you can replace the ‘-RejectMessageReasonText’ parameter with ‘-DeleteMessage $true’.
Note: Transport rules created using PowerShell will be enabled automatically.
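The Exchange admin center options described earlier (the ‘Except if’ exclusion and the test mode) can also be set from PowerShell. The script below is an added example, not part of the original post: it creates the same rule in test mode with one excluded domain, then switches it to Enforce on a later run. The domain ‘partner.example’ and the -Enforce switch are assumptions made for illustration.

```powershell
# Added example, not from the original post. Constructed values are marked.
param(
    [switch]$Enforce   # hypothetical switch: pass it once the test results look right
)

$RuleName       = 'Restrict Mails To External Recipients'
$RejectText     = 'Not allowed to send emails to external users'
$AllowedDomains = @('partner.example')   # constructed placeholder domain

# Requires the ExchangeOnlineManagement module; prompts for sign-in.
Connect-ExchangeOnline

# Look the rule up by name so the script can be re-run safely.
$rule = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }

if (-not $rule) {
    # First run: create the rule in Audit mode (test without policy tips).
    # Matches are logged, but the reject action is not applied yet.
    $params = @{
        Name                      = $RuleName
        SentToScope               = 'NotInOrganization'
        ExceptIfRecipientDomainIs = $AllowedDomains   # the 'Except if' exclusion
        RejectMessageReasonText   = $RejectText
        Mode                      = 'Audit'
        SetAuditSeverity          = 'Medium'
    }
    New-TransportRule @params | Out-Null
}
elseif ($Enforce) {
    # Later run: the rule exists and has been reviewed, so start rejecting.
    Set-TransportRule -Identity $RuleName -Mode Enforce
}

# Show what is actually configured, including the exclusion list.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SentToScope, ExceptIfRecipientDomainIs, RejectMessageReasonText
```

Run the script once without arguments to create the rule in test mode, and again with -Enforce when you are ready to block external mail.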
After the mail flow rule is enabled, when users try to send emails to any external recipients, they will receive the following email.
I hope this blog will help admins to restrict users from sending emails to external recipients efficiently using the mail flow rule in Microsoft 365. Feel free to reach out to us in the comment section for any queries.