How to Create Mail Flow Rules from Scratch Using the Microsoft 365 Exchange Admin Center and Windows PowerShell

October 31, 2023

In this four-part series, I discuss the elements of a mail flow rule—available in the Microsoft 365 Exchange admin center (EAC)—and explain how you can implement them in your organization.

It is recommended that you read these articles in the order they have been written. 

Note: If you are not sure how to access the mail flow rules feature, refer to my previous article for more information.

For those who like to watch and learn, check out the 7-minute video at the end of this article.

Prerequisites

You need to have either a global administrator role or Exchange administrator role.

Use Case 1: Forwarding Messages to a Manager (or Someone Else) for Approval

You will need a rule like this, for example, to moderate or monitor emails from an employee about to resign, from a trainee or someone who occupies a business-critical position but is new to your work environment, and similar scenarios. This rule forwards all the emails from the marked employee to a designated moderator who can then choose to either accept or reject the mail. The mail will only go through if the moderator approves it. Otherwise, the sender gets an email-declined notification.

Figure 1 shows the conditions to set for this rule. I’ll create this rule from scratch to help you understand it better.

Note: The predefined rule Send messages to a moderator also helps you create the same rule that I am about to configure. The reason for guiding you to create the same rule from the ground up is to explain how to create a mail flow rule from scratch.

 

This screenshot shows how the Microsoft 365 mail flow rule for moderating mails can be configured using the Microsoft 365 Exchange admin center. It includes fields for name, apply this rule if, do the following, and except if.
Figure 1: Mail flow rule that forwards messages for approval. | Used with permission from Microsoft.

Note: The sender is set as an individual for demo purposes. Rules like this are usually applied to a group of individuals on a group membership basis.

Once you are on the mail flow Rules page of the Exchange admin center (EAC), do the following:

Select Add a rule > Create a new rule, as shown in Figure 2.

This screenshot shows how you can access the Microsoft 365 mail flow rule feature in the Microsoft 365 Exchange admin center. The Add a rule option and the create a new rule dropdown are both selected.
Figure 2: Accessing Microsoft 365 mail flow rules from the EAC. | Used with permission from Microsoft.

The New transport rule pane opens, as shown in Figure 3.

This screenshot shows how you can set the conditions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center.
Figure 3: Configuring Microsoft 365 mail flow rule's conditions. | Used with permission from Microsoft.

Provide a name for the rule, such as Forward-mail-to-manager. Ensure that the name does not contain any whitespace. From the Apply this rule if dropdown, select The sender, as shown in Figure 4.

This screenshot shows how you can set the conditions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center.
Figure 4: Setting the Microsoft 365 rule's condition. | Used with permission from Microsoft.

From the Select One dropdown, select the is this person option, as shown in Figure 5.

This screenshot shows how you can set the conditions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center. The Is this person option is highlighted.
Figure 5: Setting the condition of the Microsoft 365 mail flow rule. | Used with permission from Microsoft.

The Select members pane opens. Select the users to whom this rule is going to apply and select Save, as shown in Figure 6.

This screenshot shows how you can set the conditions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center by searching or selecting a user from the list, adding a user, and then saving it.
Figure 6: Members to whom the Microsoft 365 rule is going to apply. | Used with permission from Microsoft.

Your rule pane should look like the one shown in Figure 7 now.

This screenshot shows how you can set the actions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center. The name of the rule is Forward-mail-to-manager-2. The conditions shown include: Apply this rule if the sender is this person and Forward the message for approval to these people.
Figure 7: Configuring the Microsoft 365 rule's action. | Used with permission from Microsoft.

From the Do the following dropdown, select Forward the message for approval, as shown in Figure 8.

This screenshot shows how you can set the actions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center. Forward the message for approval is highlighted.
Figure 8: Setting the Microsoft 365 rule's action. | Used with permission from Microsoft.

From the Select one dropdown, select to these people, as shown in Figure 9.

Note: You can also select to the sender’s manager if you have already marked the senders to their respective managers in your system.

This screenshot shows how you can set the actions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center. The action highlighted is Forward the message for approval to these people.
Figure 9: Setting the Microsoft 365 rule's action. | Used with permission from Microsoft.

The Select members pane opens. Select the users responsible for approving the sender’s message, and then select Save, as shown in Figure 10.

This screenshot shows how you can set the actions for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center. To select approvers, search for the user, select from the list, or enter their email address. Two names are selected as the display name, and Save is highlighted.
Figure 10: Approvers for the Microsoft 365 rule are displayed. | Used with permission from Microsoft.

Your rule pane should look like the one shown in Figure 11.

This screenshot shows what a configured Microsoft 365 mail flow rule looks like in the Microsoft 365 Exchange admin center.
Figure 11: Microsoft 365 mail rule with the configured conditions and actions. | Used with permission from Microsoft.

To proceed further, select Save, since we are not going to set any exceptions for this rule.

The rule settings pane opens, as shown in Figure 12. I’ll configure the rule settings with the bare minimum requirements for now.

This screenshot shows how you can configure the settings for the Microsoft 365 mail flow rule in the Microsoft 365 Exchange admin center. It shows the Set rule settings pane, with the rule mode set to Enforce, the severity set to High, and the Stop processing more rules checkbox enabled.
Figure 12: Configuring the Microsoft 365 rule's settings. | Used with permission from Microsoft.

Set the rule mode. You have three different options:

  • Enforce: This enforces the rule immediately.
  • Test with Policy Tips: Test runs the rule with policy tips.
  • Test without Policy Tips: Test runs the rule without policy tips.

Note: Since this is a demo lesson, I am going to enforce the rule without any testing. Please note that this is not recommended for practical deployment.

Set the severity for the rule. You have five options:

  • Low: For rules that demand low priority.
  • Medium: For rules that demand medium priority.
  • High: For rules that demand high priority.
  • Not audit: For rules that you don’t want to audit.
  • Not specified: For rules that don’t demand any kind of priority.

Note: Remember that rules with high priority are run first. So, let’s give our rule a “high” priority.

Enable the Activate this rule on checkbox, and then select the date and time at which the rule gets enforced.

Note: You also have the option of deactivating a rule by specifying a date and time for it.

Enable the Stop processing more rules checkbox for now. This ensures the rules that follow are ignored. Whether to enable or disable this checkbox depends on how important the rule you are configuring is. To proceed to the Review and Finish section, select Next.

Note: Leave the Match sender address in message as Header for now. You don’t have to worry about this.

After reviewing your newly configured mail flow rule and confirming everything is right, select Finish. The mail flow or transport rule gets created successfully. To close the pane, select Done.

Testing Whether the Mail Flow Rule Works

To test whether the configured mail flow rule works:

Sign in with one of the sender accounts (those you added as senders in the mail flow rule) and send a mail using Outlook on the web. You will notice that the message gets listed in the Sent Items folder.

Now sign out and sign in as one of the approver accounts (those you added in the Forward the message for approval to list). The mail that you just sent using the sender account will be available in the inbox, as shown in Figure 13.

This screenshot shows how you can test the configured Microsoft 365 mail flow rule using the Outlook web app (OWA). It shows the mail that has just been sent and a request to approve the attached message for delivery.
Figure 13: A mail sent to an approver, based on a Microsoft 365 mail flow rule. | Used with permission from Microsoft.

You can choose to approve or reject the mail. If you reject the mail, a notification gets sent to the sender stating that the message was rejected, as shown in Figure 14.

This screenshot shows how you can test the configured Microsoft 365 mail flow rule using the Outlook web app (OWA). It shows a notification that says Your message was rejected by a moderator for these recipients.
Figure 14: A mail that has been rejected, based on a Microsoft 365 mail flow rule. | Used with permission from Microsoft.

Creating the Same Mail Flow Rule Using PowerShell

To create the same mail flow rule using PowerShell:

  1. Run your Windows PowerShell as an administrator. 
  2. Connect to Microsoft 365 Exchange Online using the Connect-ExchangeOnline cmdlet. Read How to Install and Connect to Microsoft 365 Exchange Online using PowerShell for more info.
  3. Run the following, as shown in Figure 15:
    New-TransportRule "test_rule_using_ps" -From amit@contoso.com -ModerateMessageByUser tks@contoso.com
This screenshot shows how you can configure the Microsoft 365 mail flow rule using Windows PowerShell.
Figure 15: Creating a Microsoft 365 mail flow rule using PowerShell. | Used with permission from Microsoft.

How Does the Script Work?

Let’s break down the script:

  1. To create the mail flow rule, use the New-TransportRule cmdlet.
  2. Pass in the name of the rule within double quotes, as shown in Figure 15.
  3. Set the -From parameter value to amit@contoso.com.
  4. Set the -ModerateMessageByUser parameter value to tks@contoso.com. To find out whether the rule has been successfully created, run the following command: 
    Get-TransportRule "test_rule_using_ps" 

Note: (3) is the condition and (4) is the action. This rule does not have any exceptions.
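
The rule settings from Figure 12, expressed as parameters of the same cmdlet, as an added example that is not part of the original article. It goes beyond the one-line command above by targeting a group and starting the rule in test mode; the group address, approver address and activation time are placeholders, and an Exchange Online session opened with Connect-ExchangeOnline is assumed.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Online session is already open (Connect-ExchangeOnline).
# The group and approver addresses are placeholders for objects in your tenant.
$ruleName = 'Forward-mail-to-manager'

$rule = @{
    Name                  = $ruleName
    FromMemberOf          = 'monitored-senders@contoso.com'  # hypothetical group
    ModerateMessageByUser = 'tks@contoso.com'                # approver
    Mode                  = 'Audit'        # EAC: Test without Policy Tips
    SetAuditSeverity      = 'High'         # EAC: Severity
    StopRuleProcessing    = $true          # EAC: Stop processing more rules
    SenderAddressLocation = 'Header'       # EAC: Match sender address in message
    ActivationDate        = (Get-Date).AddHours(1)   # EAC: Activate this rule on
    Comments              = 'Created in test mode; switch to Enforce after review.'
}

# Create the rule only if no rule with this name exists yet.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule @rule | Out-Null
}

# Show the settings that were actually stored.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, FromMemberOf, ModerateMessageByUser,
                SetAuditSeverity, StopRuleProcessing, ActivationDate

# Once the test results look right, set this to $true and rerun to enforce the rule.
$enforceNow = $false
if ($enforceNow) {
    Set-TransportRule -Identity $ruleName -Mode Enforce
}
```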

Use Case 2: Preventing a User from Sending Mail Outside the Organization

Another common rule you may have to implement is preventing trainees from sending mail outside the organization. Since you now know the makings of a mail flow rule, I’ll just show you a snapshot of the conditions and action needed to create such a rule using Figure 16.

This screenshot shows how you can configure a Microsoft 365 mail flow rule that prevents users from sending mails outside of the organization. Apply this rule if the sender is this person is highlighted.
Figure 16: Preventing emails outside of the organization mail flow rule. | Used with permission from Microsoft.

Note: I am targeting a single user only for demo purposes. You probably will have to add all your trainees into a separate group and create a rule that prevents the entire group from sending mail outside the organization.

As you can see, the rule prevents a user named Ben from sending emails to users of popular mail services like Gmail and Hotmail. The rule uses two conditions (the sender has to be Ben and the recipient has to be a Gmail or Hotmail user) and one action (that of blocking the mail and including the reason for blocking the mail to its sender) without any exceptions.

Testing Whether the Mail Flow Rule Works

Once you are done configuring the rule and enabling it, you can test it:

Sign in with the sender account and try sending a mail using Outlook on the web to a Gmail or Hotmail user. Wait for a while. The user should get an auto-generated mail stating that Trainees are not allowed to mail outside of the organization, as shown in Figure 17.

This screenshot shows how you can test the configured Microsoft 365 mail flow rule using the Outlook web app (OWA). It displays a notification that says “A custom mail flow rule created by an admin has blocked your message. Trainees are not allowed to mail outside of the organization” and tells how to fix the issue.
Figure 17: Microsoft 365 mail flow rule prevents the user from sending mail outside of the organization. | Used with permission from Microsoft.

Creating the Same Mail Flow Rule Using PowerShell

To create the same mail flow rule using Windows PowerShell:

  1. Run your Windows PowerShell as an administrator.
  2. Connect to Microsoft 365 Exchange Online using the Connect-ExchangeOnline cmdlet. For more information, read How to Install and Connect to Microsoft 365 Exchange Online using PowerShell.
  3. Run the following, as shown in Figure 18:
    New-TransportRule "Prevents users from mailing outsiders" -From samantha@contoso.com -RecipientDomainIs "gmail.com", "hotmail.com" -RejectMessageReasonText "Trainees are not allowed to mail outside of the org"
This screenshot shows how you can configure a mail flow rule using Windows PowerShell.
Figure 18: Configuring a Microsoft 365 mail flow rule using Windows PowerShell. | Used with permission from Microsoft.

How Does the Script Work?

Let’s break down the script:

  1. To create the mail flow rule, use the New-TransportRule cmdlet.
  2. Pass in the name of the rule within double quotes.
  3. Set the -From parameter value to samantha@contoso.com.
  4. Set the -RecipientDomainIs parameter values to "gmail.com", "hotmail.com".
  5. Set the -RejectMessageReasonText parameter value to "Trainees are not allowed to mail outside of the org".
  6. You can run the Get-TransportRule "Prevents users from mailing outsiders" command to find out whether the rule has been successfully created.

Note: (3) and (4) are the conditions and (5) is the action. This rule does not have any exceptions.
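
A group-based variant of this rule, as an added example that is not part of the original article. It generalizes the domain list to every external recipient with -SentToScope NotInOrganization, because a rule that names only gmail.com and hotmail.com leaves all other external domains reachable. The group address and the excepted partner domain are placeholders, and an open Exchange Online session is assumed.

```powershell
# Added example, not from the original article.
# Assumes an Exchange Online session is already open (Connect-ExchangeOnline).
$ruleName = 'Block-trainee-external-mail'

$rule = @{
    Name                      = $ruleName
    FromMemberOf              = 'trainees@contoso.com'   # hypothetical group
    SentToScope               = 'NotInOrganization'      # any external recipient
    ExceptIfRecipientDomainIs = 'partner.example'        # hypothetical approved domain
    RejectMessageReasonText   = 'Trainees are not allowed to mail outside of the org'
    Mode                      = 'Audit'                  # test first, enforce after review
}
New-TransportRule @rule | Out-Null

# List every rule in processing order to see where the new rule sits
# and whether an earlier rule stops processing before it is reached.
Get-TransportRule | Sort-Object Priority |
    Format-Table Priority, Name, State, Mode, StopRuleProcessing -AutoSize

# Flag rules that exist but are not enforcing anything (disabled or in a test mode).
Get-TransportRule |
    Where-Object { $_.State -ne 'Enabled' -or $_.Mode -ne 'Enforce' } |
    Select-Object Name, State, Mode
```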

Possible Errors You Might Face

Here are some possible errors you might face and ways to rectify them:

  • Whitespace in your mail flow rule’s name: Ensure your mail flow rule names do not contain any whitespace, since this can throw errors. Remember that whitespace causes errors only when you are creating your rules using the EAC, not when you are using PowerShell.
  • Typos in your message header and message header value: Ensure you get the message header and its value right. You should enter them exactly as indicated in this article. If not, you won’t be able to save/run your rule successfully.
  • Not running your shell as administrator: Select the PowerShell program from the Windows start menu and choose Run as administrator, as shown in Figure 19.
This screenshot shows how you can run your Windows PowerShell in the administrator mode.
Figure 19: Running PowerShell as Administrator. | Used with permission from Microsoft.
  • Execution Policy set to restricted mode: The execution policy setting determines the script execution rights for the current user. If you are signing in for the first time, chances are this is set to ‘restricted’ mode. Ensure the execution policy is set to RemoteSigned (which allows you to execute your scripts) by running the Set-ExecutionPolicy RemoteSigned command.

    Note: To check your current script execution rights, run the Get-ExecutionPolicy command.

  • Typos in your PowerShell script: You can run into typos even while copying/pasting scripts. So, it’s best to save your scripts in separate .ps1 files and run them. This not only saves time but also prevents your script from running into unnecessary errors.

Conclusion

I have explained how to create mail flow rules from scratch and given two use cases. In the next article, I’ll dive deep into mail flow rules and explore a few more use cases to help you manage your user emails efficiently. These include directly sending meeting details to attendee calendars and setting a meeting response as accepted by default to avoid unnecessary meeting-related notifications.

For Those Who Like to Watch and Learn 

The following is a 7-minute video version of this article. It shows you how to create mail flow rules from scratch using the Microsoft 365 Exchange admin center and PowerShell.

Thilak Kumar Singh

Thilak Kumar Singh is a trainer who believes in teaching about IT in the simplest possible way with more emphasis on visual mode of learning. He firmly believes in democratizing IT knowledge, especially of Microsoft solutions, in which he specializes as a trainer and consultant.

He observes that in this era dominated by cloud computing and collaboration, where IT has reached users unimaginable hitherto, IT knowledge must not be an obscure science, but rather be available to anyone who wishes to engage with IT.