How to Audit Transport Rule Changes in Exchange Online

Mail flow rules (transport rules) provide you with the ability to implement various email delivery policies based on an extensive set of conditions, exceptions, and actions.

To create a transport rule in Office 365 via the Exchange admin center (EAC), follow these steps:

You can also use the “New-TransportRule” cmdlet in the Exchange Online PowerShell to create a new mail flow rule.

New-TransportRule -Name "<RuleName>" -SubjectContainsWords "<WordsInTheSubject>" -AddToRecipients “<ToAddress>” -Priority <PriorityValue>

Notes:

Transport rules in Microsoft 365 have specific limitations that organizations need to consider.

Here are some recommended practices for setting up transport rules in Exchange Online:

To understand how email activities are managed within your Microsoft 365 organization, it is essential to review all the mail flow rules in Exchange Online. Additionally, exporting these rules as an XML file assists with rule backup, migration, documentation, and easy restoration. Refer to the following sections to learn how to view and export Exchange transport rules.

To view all the transport rules using the Exchange admin center,

• Navigate to Mail flow»Rules.
• Here, you can see all the configured transport rules. You can click on the appropriate rule to view its detailed configuration.

To retrieve all the transport rules using PowerShell, run the cmdlet below:

Get-TransportRule -ResultSize Unlimited

Since the above cmdlet only shows limited configurations of Exchange Online mail flow rules, it won’t be sufficient to understand the rule's behavior. To understand each mail flow rule’s action, you can execute the following command with the rule name.

Get-TransportRule -Identity “<RuleName>” | Format-List Description

You can use the ‘Export-TransportRuleCollection’ cmdlet as described below to export the transport rules in Office 365 as an XML file.

Note: Replace <FilePath> with the appropriate file location to save the transport rule export.

$file = Export-TransportRuleCollection
[System.IO.File]::WriteAllBytes('<FilePath>', $file.FileData)

After creating a transport rule in Exchange Online, there may be situations where you need to update or delete the rule. Therefore, proper management of mail flow rules in Exchange Online is essential to meet your organization's requirements.

To modify or delete the transport rules, refer to the following sections:

By default, when you create a mail flow rule through the Exchange admin center (EAC), the rule is assigned with the lowest priority. To change the priority, disable, or update any other configuration, follow these steps:

• Select the rule you want to update and click the Edit button.
• Make the necessary changes on the Conditions and Settings page.
• Click Save to apply the changes.

To change a transport rule configuration using PowerShell, use the “Set-TransportRule” cmdlet.

Set-TransportRule -Identity “<RuleName>” -Priority <PriorityValue> -From “<SenderAddress>”

To enable or disable a Exchange Online transport rule to just stop or start the processing, use the “Enable-TransportRule” or “Disable-TransportRule” cmdlets as described here:

Enable-TransportRule -Identity “<RuleName>”

Disable-TransportRule -Identity “<RuleName>”

Note: After modifying the transport rule, it can take more than 30 minutes for the updated rule to take effect on emails in transit.

To delete an existing mail flow rule via the Exchange admin center, follow these simple steps:

• Select the appropriate rule from the list of rules on the Rules page.
• Click the Delete icon.
• Hit the Confirm button.

To delete a transport rule using PowerShell, use the “Remove-TransportRule” cmdlet.

Remove-TransportRule -Identity <RuleName>

Identifying the mail flow rule applied to an email can help resolve several issues:

To determine which transport rule was applied to an email message in Exchange Online, you can use message trace in the Exchange Online admin center. Here’s a step-by-step procedure:

In addition to message tracing, you can use the inbuilt Exchange transport rule logs to monitor how the mail flow rules are applied within your organization.

• The Transport Rule Message report gives you the daily summary of the transport rule-based mail statistics inside your organization & from the external domains.
• This report helps you to identify the number of incoming and outgoing emails affected by each mail flow rule in Exchange Online.

Pro Tip: Set up an alert with specific thresholds to receive instant notifications when a mail flow rule is triggered more than a specified number of times in a day.

Yes, transport rules differ from inbox rules based on the email delivery status in Exchange Online.

Transport rules are also known as mail flow rules because they apply a set of conditions to the emails which are in transit. These rules can be used to execute powerful actions like adding additional recipients, modifying the message properties, blocking the message, and more.

Scope of the rule: Transport rules apply at organization level and affect all emails that are in the transition stage.

Who can manage: Transport rules can be created and managed by users with the following admin privileges: Exchange Administrator, Global Administrator, and Compliance Administrator.

Example rule: Prepend the subject of the message with “Warning”, if the message sender is “Benjamin”.

The inbox rules (mailbox rules) are a set of conditions applied to a user’s mailbox to take actions such as moving a message to a specified folder, deleting a message, forwarding a message, etc., once the message is delivered.

Scope of the rule: Specifically applicable to individual mailboxes, where each rule applies to actions to be taken within their respective mailbox environments.

Who can manage: Mailbox rules can be created and applied by the respective individual users, delegated users, or administrators.

Example rule: If the body of the message contains the words ‘offer’ or ‘discount sale’, move the message to the ‘Junk Email’ folder.