Microsoft 365 Tenant-Wide Email Auto Forwarding Setup Guide
This guide explains how to set up tenant-wide email forwarding in Microsoft 365 using PowerShell. This configuration forwards all incoming emails to a CRM or external system while keeping copies in users' original mailboxes.
Prerequisites
Required Permissions
- Exchange Administrator or Global Administrator role in Microsoft 365
- Access to Azure Cloud Shell or Windows PowerShell
Important Notes
- This affects ALL mailboxes in your tenant
- External forwarding must be enabled at the tenant level first
- The forwarding email address should be verified and functional
Step 1: Enable External Forwarding (REQUIRED)
Before configuring forwarding, you must enable external forwarding in your tenant:
- Go to Microsoft 365 Defender Portal: https://security.microsoft.com
- Navigate to Email & collaboration > Policies & rules > Threat policies
- Click Anti-spam policies
- Select Anti-spam outbound policy (Default)
- Click Edit protection settings
- Change Automatic forwarding from "Automatic - System-controlled" to "On - Forwarding is enabled"
- Click Save
⚠️ Critical: Without this step, forwarding will not work and you'll get "Access denied" errors.
Step 2: Access PowerShell Environment
Option A: Azure Cloud Shell (Recommended)
- Go to https://shell.azure.com
- Choose PowerShell when prompted
- Wait for initialization to complete
Option B: Windows PowerShell
- Right-click Start button > Windows PowerShell (Admin)
- Install Exchange module (if not already installed):
Install-Module -Name ExchangeOnlineManagement -Force
Step 3: Connect to Exchange Online
Connect-ExchangeOnline
- You'll be prompted to sign in with your Microsoft 365 admin credentials
- Complete any multi-factor authentication if required
- Wait for "Connected to Exchange Online" confirmation
Step 4: Check Current Configuration (Optional)
# See how many mailboxes you have
Get-Mailbox -ResultSize Unlimited | Measure-Object
# Check current forwarding status
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-Table -AutoSize
Step 5: Apply Tenant-Wide Forwarding
Replace your-crm-email@domain.com with your actual forwarding destination:
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ForwardingSmtpAddress "your-crm-email@domain.com" -DeliverToMailboxAndForward $true
What This Command Does:
- Applies to ALL mailboxes in your tenant
- ForwardingSmtpAddress: Sets the external email to forward to
- DeliverToMailboxAndForward $true: Keeps emails in original inboxes AND forwards copies
Step 6: Verify Configuration
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-Table -AutoSize
Expected Results:
- ForwardingSmtpAddress: smtp:your-crm-email@domain.com
- DeliverToMailboxAndForward: True
Step 7: Test the Setup
- Send a test email from an external account to any user in your tenant
- Verify two things happen:
- Email appears in the user's inbox normally
- Forwarded copy arrives at your CRM/forwarding address
Troubleshooting
Issue: Emails forward but don't stay in original inboxes
Solution - Reset the configuration:
# Step 1: Clear all forwarding
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
# Step 2: Wait for processing
Start-Sleep -Seconds 10
# Step 3: Reapply forwarding
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ForwardingSmtpAddress "your-crm-email@domain.com" -DeliverToMailboxAndForward $true
# Step 4: Verify
Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-Table -AutoSize
Issue: "Access denied" or "5.7.520" errors
- Cause: External forwarding not enabled at tenant level
- Solution: Complete Step 1 (Enable External Forwarding) first
Issue: CRM not logging forwarded emails
- Cause: CRM may require proper forwarding headers
- Solution: This PowerShell method creates proper forwarded emails that most CRMs recognize
Issue: Command appears stuck
- Press Ctrl+C to cancel
- Try processing smaller batches:
# Process first 10 mailboxes as test
Get-Mailbox -ResultSize 10 | Set-Mailbox -ForwardingSmtpAddress "your-crm-email@domain.com" -DeliverToMailboxAndForward $true
Managing New Users
For newly created mailboxes, run this command:
Set-Mailbox -Identity "newuser@yourdomain.com" -ForwardingSmtpAddress "your-crm-email@domain.com" -DeliverToMailboxAndForward $true
Removing Forwarding (If Needed)
To remove forwarding from all mailboxes:
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Security Considerations
- Data Privacy: All emails will be sent to the forwarding address
- Compliance: Ensure forwarding complies with your organization's data policies
- Access Control: Limit who has access to the forwarding destination
- Monitoring: Regularly audit forwarding configurations
Common Use Cases
- CRM Integration: Forward all customer communications to CRM systems
- Compliance Archiving: Send copies to compliance/archival systems
- Backup Systems: Create redundant copies of all communications
- Monitoring: Forward emails to security monitoring systems
Important Notes
- Tenant-wide Impact: This affects every mailbox in your organization
- Immediate Effect: Changes typically take effect within minutes
- No User Notification: Users won't be notified about forwarding
- Mail Flow: Original mail flow to users remains unchanged
- Performance: Minimal impact on email delivery performance
Support
If you encounter issues:
- Verify external forwarding is enabled (Step 1)
- Check admin permissions
- Test with a single mailbox first
- Contact your CRM vendor about email processing requirements