Use Rules to Prevent Mail Flow Between Specific Groups

 

Applies to: Office 365 for enterprises, Live@edu

Topic Last Modified: 2011-11-30

 

Administrators can use transport rules to prevent e-mail communication between specific groups of users. This type of restriction is sometimes called an ethical wall.

When would you want to do this? Suppose you manage the cloud-based organization for a school district and you are required to prohibit e-mail communication between students enrolled in different schools. Just create transport rules to enforce an ethical wall that prevents students in different schools from exchanging e-mail using their school accounts.

When the specified users try to send a message to one another, you have two options:

  • Block   The message is rejected, and a non-delivery report (NDR) is returned to the sender. You can create customized text, which appears in the NDR, to explain why a message was rejected.
  • Moderate   The message is sent to a moderator for approval. If the moderator approves the message, it is sent to the recipient. If the moderator rejects the message, it isn't sent to the recipient. If you specify more than one moderator, only one of them needs to approve or reject the message.

You can use the Exchange Control Panel or Windows PowerShell to create these rules.

Identify who the ethical wall applies to

When you create an ethical wall, there are two methods for specifying affected users:

  • Create an ethical wall using distribution groups   When you have two sets of users defined by distribution groups, you can create a simple rule that prevents e-mail communication between the two groups. The groups can be distribution groups or dynamic distribution groups.
  • Create an ethical wall using user attributes   When you have groups of users defined by specific user attributes, for example, CustomAttribute1 to CustomAttribute15 values, you can compare the attributes of the sender and the recipient directly. This approach requires two separate rules: one for senders and another for recipients.
    Note   Comparing user attributes is faster and more efficient than expanding distribution groups to compare members. This is particularly true for large distribution groups. Therefore, in cloud-based organizations, we recommend comparing user attributes.

Create an ethical wall using distribution groups

Suppose you want to enforce an ethical wall that prevents members of the marketing department and members of the finance department from exchanging e-mail.

Here are the details used in this example:

  • Groups that define the users who shouldn't communicate with each other   Marketing and Finance
  • Rule name   Marketing-Finance Prohibition
    For the Block action:
    • Rejection reason   "Industry regulations prevent direct communication between members of the marketing and finance departments. Please see your manager for details."
    For the Moderate action:
    • Moderator   Select one or more moderators. Note that you can't specify a distribution group as a moderator.

In the Exchange Control Panel

  1. Select Manage My Organization > Mail Control > Rules.
  2. Click New. Enter the following information in the New Rule window:
    1. Click "More Options...".
    2. * If...   Select "the sender and the recipient..." and "the message is between members of these groups".
    3. Click the first instance of "Select people...". In the Address Book window, select Marketing, click "To ->" and click OK.
    4. Click the second instance of "Select people...". In the Address Book window, select Finance, click "To ->" and click OK.
      Note   It doesn't matter which group you select first or second.
    5. * Do the following...   Select one of the following actions:
      Block   Select "Block the message..." and "Reject the message and include an explanation". In the Create Rejection Message dialog box, type "Industry regulations prevent direct communication between members of the marketing and finance departments. Please see your manager for details.", and then click OK.
      Moderate   Select "Forward the message for approval..." and "to these people". Select a moderator, and click To. When you are finished, click OK.
    6. Name of Rule   Marketing-Finance E-Mail Prohibition
  3. Click Save.

Want to do this in Windows PowerShell? See Use Windows PowerShell to create an ethical wall using distribution groups.

Create an ethical wall using user attributes

Suppose you want to enforce an ethical wall that prevents students enrolled in different schools from exchanging e-mail.

Here are the details used in this example:

  • CustomAttribute1   This value helps define different access levels for different users. For example, you could define access levels of Class, Grade, School and District. Defining different access levels gives you flexibility for future ethical walls you may need to configure. In this example, all users who are restricted to e-mail communication with users in the same school have the CustomAttribute1 value of School.
  • CustomAttribute2   This contains the school identifier. The actual value is unimportant, other than all students in the same school have the same CustomAttribute2 value.
    For the Block action:
    • Rejection reason   "You aren't allowed to send e-mail to a person in another school. Please see your teacher for details."
    For the Moderate action:
    • Moderator   Select one or more moderators. Note that you can't specify a distribution group as a moderator.
  • Rule Names   "E-Mail Prohibition: School-Level Sender" and "E-Mail Prohibition: School-Level Recipient".

In the Exchange Control Panel

  1. Select Manage My Organization > Mail Control > Rules.
  2. Click New. Enter the following information in the New Rule window:
    1. Click "More Options...".
    2. * If...   Select "the sender..." and "has specific properties including any of these words".
    3. In the Select User Properties window, click Add.
    4. In the Specify the User Property Value dialog box, select CustomAttribute1, type School, and then click OK.
    5. Click OK in the Select User Properties window.
    6. Click Add Condition.
    7. * If...   Select "the sender and the recipient..." and "the sender and recipient property compares as".
    8. Click on the first instance of "* Select one...". In the Specify the User Property dialog box, select CustomAttribute2, and click OK.
    9. Click on the remaining instance of "* Select one...". In the Specify the Evaluation dialog box, select "Not Equal", and then click OK.
    10. * Do the following...   Select one of the following actions:
      Block   Select "Block the message..." and "Reject the message and include an explanation". In the Create Rejection Message dialog box, type "You aren't allowed to send e-mail to a person in another school. Please see your teacher for details.", and then click OK.
      Moderate   Select "Forward the message for approval..." and "to these people". Select a moderator, and click To. When you are finished, click OK.
    11. Name of Rule   E-Mail Prohibition: School-Level Sender
  3. Click Save.
  4. On the Rules tab, click New. Enter the following information in the New Rule window:
    1. * If...   Select "the recipient..." and "has specific properties including any of these words".
    2. In the Select User Properties window, click Add.
    3. In the Specify the User Property Value dialog box, select CustomAttribute1, type School, and then click OK.
    4. Click OK in the Select User Properties window.
    5. Click Add Condition.
    6. * If...   Select "the sender and the recipient..." and "the sender and recipient property compares as".
    7. Click on the first instance of "* Select one...". In the Specify the User Property dialog box, select CustomAttribute2, and click OK.
    8. Click on the remaining instance of "* Select one...". In the Specify the Evaluation dialog box, select "Not Equal", and then click OK.
    9. * Do the following...   Select one of the following actions:
      Block   Select "Block the message..." and "Reject the message and include an explanation". In the Create Rejection Message dialog box, type "You aren't allowed to send e-mail to a person in another school. Please see your teacher for details.", and then click OK.
      Moderate   Select "Forward the message for approval..." and "to these people". Select a moderator, and click To. When you are finished, click OK.
    10. Name of Rule   E-Mail Prohibition: School-Level Recipient
  5. Click Save.

Want to do this in Windows PowerShell? See Use Windows PowerShell to create an ethical wall using user attributes.

Use Windows PowerShell to create an ethical wall using distribution groups

Before you begin   To learn how to install and configure Windows PowerShell and connect to the service, see Use Windows PowerShell in Exchange Online.

Block   Run the following command:

New-TransportRule -Name "Marketing-Finance E-Mail Prohibition" -BetweenMemberOf1 "Marketing" -BetweenMemberOf2 "Finance" -RejectMessageReasonText "Industry regulations prevent direct communication between members of the marketing and finance departments. Please see your manager for details."

Moderate   Run the following command:

New-TransportRule -Name "Marketing-Finance E-Mail Prohibition" -BetweenMemberOf1 "Marketing" -BetweenMemberOf2 "Finance" -ModerateMessageByUser <"moderator1","moderator2"...>

Use Windows PowerShell to create an ethical wall using user attributes

Block   Run the following commands:

New-TransportRule -Name "E-Mail Prohibition: School-Level Sender" -SenderADAttributeContainsWords 'CustomAttribute1:School' -ADComparisonAttribute 'CustomAttribute2' -ADComparisonOperator 'NotEqual' -RejectMessageReasonText "You aren't allowed to send e-mail to a person in another school. Please see your teacher for details."
New-TransportRule -Name "E-Mail Prohibition: School-Level Recipient" -RecipientADAttributeContainsWords 'CustomAttribute1:School' -ADComparisonAttribute 'CustomAttribute2' -ADComparisonOperator 'NotEqual' -RejectMessageReasonText "You aren't allowed to send e-mail to a person in another school. Please see your teacher for details."

Moderate   Run the following commands:

New-TransportRule -Name "E-Mail Prohibition: School-Level Sender" -SenderADAttributeContainsWords 'CustomAttribute1:School' -ADComparisonAttribute 'CustomAttribute2' -ADComparisonOperator 'NotEqual' -ModerateMessageByUser <"moderator1","moderator2"...>
New-TransportRule -Name "E-Mail Prohibition: School-Level Recipient" -RecipientADAttributeContainsWords 'CustomAttribute1:School' -ADComparisonAttribute 'CustomAttribute2' -ADComparisonOperator 'NotEqual' -ModerateMessageByUser <"moderator1","moderator2"...>
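
The two attribute-based rules above depend on CustomAttribute1 and CustomAttribute2 being populated consistently for every affected user. The following is an added example, not part of the original topic, that audits those values before the rules are relied on. The function name Test-EthicalWallAttribute and the sample mailboxes are hypothetical.

```powershell
# Added example: audit the attributes that the two School-Level rules compare.
function Test-EthicalWallAttribute {        # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)] $Mailbox,
        [string] $Level = 'School'           # CustomAttribute1 value used in this topic
    )
    begin { $variants = @{} }                # normalized school id -> raw spellings seen
    process {
        $tagged = $Mailbox.CustomAttribute1 -eq $Level
        $id     = [string]$Mailbox.CustomAttribute2
        $hasId  = -not [string]::IsNullOrWhiteSpace($id)
        $issue  = $null
        if ($tagged -and -not $hasId) {
            $issue = "CustomAttribute1 is '$Level' but CustomAttribute2 is empty"
        } elseif ($hasId -and -not $tagged) {
            $issue = "CustomAttribute2 is set but CustomAttribute1 is not '$Level'"
        } elseif ($tagged) {
            $key = $id.Trim().ToUpperInvariant()
            if (-not $variants.ContainsKey($key)) {
                $variants[$key] = New-Object 'System.Collections.Generic.HashSet[string]'
            }
            [void]$variants[$key].Add($id)   # HashSet is case-sensitive, so variants stay distinct
        }
        if ($issue) { [pscustomobject]@{ User = $Mailbox.DisplayName; Issue = $issue } }
    }
    end {
        # Report identifiers that differ only by case or surrounding spaces.
        foreach ($key in $variants.Keys) {
            if ($variants[$key].Count -gt 1) {
                $list = ($variants[$key] | Sort-Object) -join "', '"
                [pscustomobject]@{ User = '(several)'; Issue = "Inconsistent school identifier: '$list'" }
            }
        }
    }
}

# Constructed sample mailboxes; in the service, pipe Get-Mailbox -ResultSize Unlimited instead.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Student A'; CustomAttribute1 = 'School'; CustomAttribute2 = 'SCH-01' }
    [pscustomobject]@{ DisplayName = 'Student B'; CustomAttribute1 = 'School'; CustomAttribute2 = '' }
    [pscustomobject]@{ DisplayName = 'Student C'; CustomAttribute1 = '';       CustomAttribute2 = 'SCH-02' }
    [pscustomobject]@{ DisplayName = 'Student D'; CustomAttribute1 = 'School'; CustomAttribute2 = 'SCH-02' }
    [pscustomobject]@{ DisplayName = 'Student E'; CustomAttribute1 = 'School'; CustomAttribute2 = 'sch-02 ' }
)
$sample | Test-EthicalWallAttribute | Format-Table User, Issue -AutoSize
```

Any row returned identifies a user to review before the rules are enforced. This topic does not state how the rules treat an empty attribute or one that differs only by case or spacing.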
