Block Outbound Email for Specific Users

Overview

There are a few situations where you may need to restrict certain users from sending email to external users. For example, you may have part-time employees who only need to send email to internal users, or you might have an employee who is about to be terminated and you don't want them emailing clients. Fortunately, in Office 365 Exchange you can create a Mail Flow Rule to accomplish this.

Create Distribution Group to Define Users to Block Outbound Email

In order for the mail flow rule to see the group, it must be a distribution group. However, you can easily hide it from the GAL so your users don't see it. Many organizations use CustomAttribute15 to define what displays in their GAL. If that's your case, simply do not define CustomAttribute15, or define it to a value that does not show in your GAL; otherwise, set the attribute "Hide group from Exchange Address Lists".

  1. Create a new distribution group
    1. Name: Block Outbound Email
    2. Email: blockoutboundemail@<company>.onmicrosoft.com
    3. Members: Add any user you want to block from sending outbound emails to external recipients (They will only be able to send to internal recipients)
  2. If you are using Office 365 in a Hybrid Deployment, make sure you use dirsync to synchronize your new group

Create Mail Flow Rule

In this example, we will prevent a user from sending emails to any external recipients, but they will still be able to send to internal recipients.

  1. Log in to the Office 365 Admin Portal https://portal.microsoftonline.com
  2. Click Admin then click Exchange to open the Exchange Admin Center
  3. Click mail flow then click on the Rules tab
  4. Click the + symbol and click Create a new rule
  5. Name the rule Block Outbound Emails to External Recipients
  6. Under Apply this rule if, click the recipient is located
    1. Select Outside the organization and click OK
  7. Click More Options to add another condition
  8. Click Add Condition
  9. On the new condition, select the sender is a member of this group
    1. Search and select the group Block Outbound Email and click OK
    2. Note: Despite the wording stating “member of this group”, you can select a user instead of a group. However, a group is easier to manage, and when you change its members you do not need to wait for the mail flow rule to propagate on 365, which can take up to an hour in my testing.
  10. Under Do the following, select Block the message then click delete the message without notifying anyone, and click OK
  11. Click Save

IMPORTANT NOTE:  It can take up to 45 minutes for Microsoft’s back end to fully synchronize rules!  This means any new or modified rules can take up to 45 minutes to take effect!
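
The same group and rule can be created from Exchange Online PowerShell, which makes the setup repeatable and easy to verify. This is an added example, not part of the original walkthrough; it assumes a cloud-only tenant with the ExchangeOnlineManagement module installed, and the contoso tenant name, admin account and member address are placeholders.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Placeholders (assumptions): tenant name, admin UPN and the member list.
$GroupName = 'Block Outbound Email'
$GroupSmtp = 'blockoutboundemail@contoso.onmicrosoft.com'
$RuleName  = 'Block Outbound Emails to External Recipients'
$Members   = @('parttimer@contoso.com')

Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

# Create the distribution group only if it is not already there,
# so the script can be re-run safely.
if (-not (Get-DistributionGroup -Filter "Name -eq '$GroupName'")) {
    New-DistributionGroup -Name $GroupName -PrimarySmtpAddress $GroupSmtp `
        -Type Distribution | Out-Null
}

# Hide the group from the GAL so users do not see it.
Set-DistributionGroup -Identity $GroupSmtp -HiddenFromAddressListsEnabled $true

# Add any users that are not yet members.
$current = Get-DistributionGroupMember -Identity $GroupSmtp |
    ForEach-Object { [string]$_.PrimarySmtpAddress }
foreach ($m in $Members) {
    if ($current -notcontains $m) {
        Add-DistributionGroupMember -Identity $GroupSmtp -Member $m
    }
}

# Sender is a member of the group AND recipient is outside the organization
# => delete the message without notifying anyone.
if (-not (Get-TransportRule | Where-Object Name -eq $RuleName)) {
    New-TransportRule -Name $RuleName `
        -FromMemberOf $GroupSmtp `
        -SentToScope NotInOrganization `
        -DeleteMessage $true | Out-Null
}

# Confirm that the rule exists, is enabled and carries both conditions.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, FromMemberOf, SentToScope, DeleteMessage

Disconnect-ExchangeOnline -Confirm:$false
```

The rule is still subject to the synchronization delay described in the note above, so test it only after that time has passed.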

10 thoughts on “Block Outbound Email for Specific Users”

  1. Hello Dears
    I do all of the steps but I can send mail to anyone outside my office.
    What should I do to block?
    Help me please

    • Make sure you wait 1 hour after creating the rule; the 365 back end can be slow to replicate to make the rule active.

    • On step 6 in the example, it adds a condition that matches the recipient being located “Outside the organization”. Simply add another condition but select “Inside the organization”. This creates a condition that will block emails sent inside or outside of the organization.

  2. In the picture it says *Apply this rule if…
    The recipient is located… Outside the organization
    and
    The recipient is a member of… ‘Brian Steinmeyer’

    Should it not say
    The sender is a member of… ‘Brian Steinmeyer’

    Like it says in
    9. On the new condition, select the sender is a member of this group
    Search and select the group Block Outbound Email and click OK

    • I had the wrong screenshot up there but the text in the directions was correct. I’ve updated it with the appropriate image that reflects the directions.

  3. I successfully stopped the sender from sending emails to external domains. However, if the sender tried to send email to someone inside the organization and added in CC an email with an external domain, the email will be delivered successfully. This is stupid from Microsoft.
