Skip to content
English
return to brokerkit
  • There are no suggestions because the search field is empty.

Microsoft 365 Tenant-Wide Email Auto-BCC Setup Guide

This guide provides step-by-step instructions for setting up automatic BCC (blind carbon copy) functionality at the Microsoft 365 tenant level using the Exchange Admin Center web interface. 

What This Accomplishes

  • Automatically BCC every outgoing email from all users in your Microsoft 365 tenant to a specified email address
  • Preserves sent items in users' mailboxes (no impact on normal email flow)
  • Prevents mail loops when used alongside existing auto-forwarding rules
  • Works tenant-wide - covers all users automatically
  • Invisible to users - they won't see the BCC recipient in their emails

Prerequisites

  • Administrator Access: Global Administrator or Exchange Administrator permissions
  • Destination Email: The email address where BCC copies should be sent (e.g., your CRM system)
  • Browser Access: Any modern web browser
  • Time Required: 10-15 minutes setup + 30 minutes propagation time

 

Step 1: Enable External Forwarding (REQUIRED)

Before configuring forwarding, you must enable external forwarding in your tenant:

  1. Go to Microsoft 365 Defender Portal: https://security.microsoft.com
  2. Navigate to Email & collaboration > Policies & rules > Threat policies
  3. Click Anti-spam policies
  4. Select Anti-spam outbound policy (Default)
  5. Click Edit protection settings
  6. Change Automatic forwarding from "Automatic - System-controlled" to "On - Forwarding is enabled"
  7. Click Save

⚠️ Critical: Without this step, BCC functionality will not work and you may get "Access denied" errors. BCC operations use the same underlying mechanism as email forwarding.


Step 2: Access Exchange Admin Center

  1. Sign in to Microsoft 365
    • Go to https://admin.microsoft.com
    • Sign in with your administrator account
  2. Navigate to Exchange Admin Center
    • Click "Admin centers" in the left menu
    • Select "Exchange" from the dropdown
    • Or go directly to: https://admin.exchange.microsoft.com

 

Step 3: Create the Mail Flow Rule

  1. Go to Rules Section
    • In Exchange Admin Center, click "Mail flow" in the left navigation
    • Click "Rules"
    • Direct link: https://admin.exchange.microsoft.com/#/transportrules
  2. Start New Rule Creation
    • Click the "+" button (Add a rule)
    • Select "Create a new rule" from the dropdown

 

Step 4: Configure Basic Rule Settings

You'll see a form with several sections. Fill them out as follows:

Name Field:

Auto BCC Tenant Level

(Or any descriptive name you prefer)

Apply this rule if:

  1. First dropdown: Select "The sender"
  2. Second dropdown: Select "is external/internal"
  3. Location popup: Select "Inside the organization"
  4. You should see: "The sender is located 'InOrganization'"

This ensures the rule applies to all emails sent by users in your tenant.

Do the following:

  1. First dropdown: Select "Add recipients"
  2. Second dropdown: Select "to the Bcc box"
  3. Email address field: Enter your destination email (e.g., your-email@bcc.system.com)

You should see: "Blind carbon copy (bcc) the message to [your-email-address]"

 

Step 5: Add Loop Prevention (Critical for Existing Auto-Forwarding)

This step prevents conflicts with existing auto-forwarding rules:

Except if Section:

  1. First dropdown: Select "The message headers..."
  2. Second dropdown: Select "includes any of these words"
  3. Header name field: Enter: X-MS-Exchange-Inbox-Rules-Loop
  4. Words field: Enter: *

You should see: "'X-MS-Exchange-Inbox-Rules-Loop' message header includes '*'"

Add Second Exception (Optional but Recommended):

  1. Click the "+" button next to the first exception
  2. First dropdown: Select "The message headers..."
  3. Second dropdown: Select "includes any of these words"
  4. Header name field: Enter: X-MS-Exchange-Transport-Rules-Loop
  5. Words field: Enter: *

Note: If the second exception interface becomes unresponsive, you can proceed with just the first exception - it provides the primary protection needed.

 

 

Step 6: Save the Rule

  1. Click "Next" to proceed to rule settings
  2. Set rule mode:
    • Select "Enforce"
  3. Set priority: Enter 10 (higher priority)
  4. Add comments: "Auto-BCC tenant emails with loop prevention"
  5. Click "Save" to create the rule

Note: Saving the rule creates it but does not enable it - you must enable it separately in the next step.

 

Step 7: Enable the Rule (Critical Step!)

After saving, the rule is created but not automatically enabled:

  1. You'll be returned to the Rules list page
  2. Find your newly created rule in the list
  3. Click on the rule name - a right-side modal will appear
  4. Click the "Enable" button in the modal
  5. Wait for confirmation that the rule is enabled
  6. Verify status shows as "Enabled" in the rules list

 

This step is crucial - the rule won't work until you manually enable it after creation.

 

Testing and Verification

Wait for Propagation

  • Rule activation: Can work immediately but may take up to 30 minutes across all Exchange Online servers
  • Test immediately: You can try testing right away - it often works within minutes

Test the Setup

  1. Send Test Email
    • Have a user send an email to any external recipient
    • Use a distinctive subject line like "BCC Test Email"
  2. Verify Results
    • ✅ Check that the BCC destination receives the email copy
    • ✅ Confirm the original email appears in the sender's Sent Items
    • ✅ Verify any existing auto-forwarding still works (if set up)
    • ✅ Ensure no duplicate messages or loops occur

 

Troubleshooting Common Issues

BCC Emails Not Appearing

  • Verify external forwarding is enabled (Step 1)
  • Check if rule is enabled: Most common issue - ensure you clicked "Enable" after saving
  • Test immediately: Rules often work right away, but can take up to 30 minutes for full propagation
  • Verify destination: Confirm the BCC email address can receive messages
  • Check rule status: Ensure rule shows as "Enabled" in Exchange Admin Center