How to prevent Office 365 users from sending emails outside the organization?

There might be situations when it’s necessary to block the mail flow outside an organization for specific users or user groups. Let’s find out how you can use Exchange Online mail flow rules to prevent Office 365 users from sending emails to external recipients.

Block emails sent outside your Office 365 organization

To restrict all (or specific) users to sending only internal emails and block their emails when they’re sent to external recipients, follow the steps below:

  1. Log in to your Office 365 portal, then go to the Microsoft 365 admin center by clicking the Admin app.
  2. In the Admin centers section, click Exchange.
  3. Then, in the Exchange admin center, click mail flow and then rules. Using the plus icon, add a new rule.
  4. In the new rule window, under the Apply this rule if section, select The recipient is located > Outside the organization.
  5. If you don’t want the rule to apply to all users, you can add another condition that narrows down its scope. To do so, click More options at the bottom of the window, and then click the add condition button (the button shows up once you have enabled more options). You can, for example, add a selected user group so that only its members won’t be allowed to send emails outside the organization.
  6. In the Do the following section, select Block the message > reject the message and include an explanation.
  7. Provide a short explanation that says why the email is blocked. Users will get this explanation along with an NDR message after trying to send an email outside the organization. You can also choose not to notify anyone and simply delete the message (by selecting the delete the message without notifying anyone option).
  8. Save the changes to the rule and test whether it works as expected. Note that it may take up to 30 minutes before the changes to the rule take effect.

That’s it. Now, if the users included in this rule try to send emails outside the Office 365 organization, these messages will be rejected, and the senders will get the notification that their email was blocked.
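
The same rule can be created from Exchange Online PowerShell. The script below is an added example, not part of the original article: the admin account, rule name and group address are placeholders, and it creates the rule in audit mode first so that matches can be reviewed before anything is blocked.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can manage mail flow rules.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'    # placeholder account

$ruleName = 'Block external mail for restricted senders'         # hypothetical rule name
$group    = 'internal-only@example.com'                          # hypothetical group
$enforce  = $false   # set to $true only after reviewing the audit results

# Omit FromMemberOf to apply the rule to every sender in the organization.
$rule = @{
    Name                            = $ruleName
    SentToScope                     = 'NotInOrganization'   # step 4: recipient is outside
    FromMemberOf                    = $group                # step 5: limit to group members
    RejectMessageReasonText         = 'You are not permitted to send email outside the organization.'
    RejectMessageEnhancedStatusCode = '5.7.1'               # status code shown in the NDR
    Mode                            = 'Audit'               # record matches, block nothing yet
    Comments                        = 'Restricts listed senders to internal recipients.'
}

# Create the rule once; rerunning the script must not add a duplicate.
if (-not (Get-TransportRule | Where-Object Name -eq $ruleName)) {
    New-TransportRule @rule | Out-Null
}

# Confirm what was stored before relying on it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SentToScope, FromMemberOf, RejectMessageReasonText

# Switch from audit to blocking once test messages match as expected.
if ($enforce) {
    Set-TransportRule -Identity $ruleName -Mode Enforce
}
```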

What about on-premises environments?

If you’re still on an on-premises infrastructure and you’re looking for a similar solution that works with Exchange Server, try CodeTwo Exchange Rules Pro. This program works in on-premises and hybrid environments, and offers a wide range of email rule configuration settings that are not available natively in Exchange.


8 thoughts on “How to prevent Office 365 users from sending emails outside the organization?”


  1. We’re about to start the migration with your tools.

    We need to notify “external senders” that the tenant email domain is no longer available but still allow the email through. We have then set up mail forwarding for each mailbox to the user’s new email address.

    Transport Rules only allow me to completely block and notify the sender via NDR, which is not what we want. We would prefer that mail gets allowed through so that forwarding rules can apply, and then the external sender receives the NDR.

    Any tips on how to achieve this?

    • Will this be a tenant to tenant migration? The easiest way to handle this situation is to disconnect the first (source) custom domain from the source tenant after the migration, add it to the target tenant and set up users’ former addresses as email aliases. This way, all emails sent to the pre-migration email addresses will automatically go to the new mailboxes. Then, you can set up automatic responses, notifying of the new email addresses.
      If you have any further questions, you can contact our Customer Service team. They are available 24/5 and will help you with your migration, if you need any assistance.

  2. Hi there,
    My case is to restrict sending email outside the organization but add an exception for more than 100 domains. Is there any way to import the domain list instead of typing them one by one?
    Thanks

    • Sure, but you need to use PowerShell for that. Create a comma-separated array of those domains (you can import from a CSV) and use this array with the -ExceptIfRecipientDomainIs attribute while using New-TransportRule or Set-TransportRule cmdlet, depending on whether you have created the rule in EAC beforehand, or not.
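
    One way to do the import described in the reply above, as an added example that is not part of the original reply. It assumes the rule already exists under the hypothetical name shown and that `allowed-domains.csv` is a file you supply with a single `Domain` column.

```powershell
# Added example, not from the original reply. Assumes the ExchangeOnlineManagement
# module is installed and the rule named below already exists.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # placeholder account

$ruleName = 'Block external mail for restricted senders'        # hypothetical rule name
$csvPath  = '.\allowed-domains.csv'                             # hypothetical file, header: Domain

# Normalize the list: trim, lower-case, drop blank rows and duplicates.
$domains = @(
    Import-Csv -Path $csvPath |
        ForEach-Object { "$($_.Domain)".Trim().ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
)
if ($domains.Count -eq 0) { throw "No domains found in $csvPath" }

# Refuse entries that are not bare domain names (addresses, URLs, wildcards),
# so a malformed row cannot silently widen or break the exception list.
$pattern = '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$'
$invalid = @($domains | Where-Object { $_ -notmatch $pattern })
if ($invalid.Count -gt 0) {
    throw "Not valid domain names: $($invalid -join ', ')"
}

# This replaces any exception domains already stored on the rule.
Set-TransportRule -Identity $ruleName -ExceptIfRecipientDomainIs $domains

# Read the rule back and compare counts to confirm the whole list was stored.
$stored = @((Get-TransportRule -Identity $ruleName).ExceptIfRecipientDomainIs)
"{0} domains in CSV, {1} stored on the rule" -f $domains.Count, $stored.Count
```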

    • In this case, it is an Office 365 (Microsoft 365) Group, but the condition will also accept mail-enabled security groups and distribution groups.

  3. Thanks…
    I will test.
    It is a wonderful idea… I did it via restrictions and outbound spam policies, but the rule is better.
