How to Configure a Mail Flow Rule in Exchange Online

TL;DR: In the Exchange admin center at https://admin.exchange.microsoft.com, go to Mail flow > Rules > + Add a rule > Create a new rule. Set conditions (“Apply this rule if…”), actions (“Do the following…”), optional exceptions, name it descriptively, and save. New or modified rules can take up to 30 minutes to take effect.

Mail flow rules — formerly called transport rules — are how you intercept and act on email as it moves through Exchange Online. They run on every message (other than NDRs and a handful of system messages) and can rewrite, redirect, block, encrypt, or stamp messages based on dozens of conditions.

What this does

A mail flow rule has three parts:

  • Conditions: when should the rule fire? (sender, recipient, subject text, attachment type, classification, etc.)
  • Actions: what should it do? (apply a disclaimer, redirect to another mailbox, block, encrypt, set spam confidence level, prepend the subject…)
  • Exceptions: unless what? (skip the rule for specific senders, recipients, message types)

When a message matches all conditions and none of the exceptions, every action listed runs. You can chain rules with the Stop processing more rules action, or let the priority order decide.

When you’d want this

  • Add a disclaimer to outbound messages from your organization
  • Mark inbound external messages with a [EXTERNAL] subject prefix
  • Block messages with certain attachment types
  • Reroute messages to a specific domain through a connector (smart host, third-party security gateway)
  • Bypass spam filtering for a trusted sender (sparingly)
  • Encrypt messages that match a pattern (e.g., contain a credit card number) using Microsoft Purview Message Encryption
  • Reroute messages to journaling for compliance

Prerequisites

  • Exchange Administrator or Exchange Recipient Administrator role
  • Exchange Online — these rules don’t apply to mailboxes hosted on-premises in a hybrid tenant
  • A clear understanding of what you want to match. Vague conditions are how mail flow rules turn into outages.

Steps

We’ll build the most common rule: prefix [EXTERNAL] to the subject of inbound messages from outside the organization. This is one of the highest-leverage anti-phishing controls a tenant can deploy.

1. Open the Rules page

  1. Sign in to the Exchange admin center at https://admin.exchange.microsoft.com as an Exchange Administrator.
  2. Go to Mail flow > Rules. Or jump directly to https://admin.exchange.microsoft.com/#/transportrules.

2. Create a new rule

Select + Add a rule > Create a new rule.

You can also pick a template from the Add a rule dropdown for common scenarios — disclaimers, encryption, classification — and tweak from there.

3. Name and conditions

On the Set rule conditions page:

  • Name: External email subject prefix (be specific so it’s obvious in the rule list later).
  • Apply this rule if…: Select The sender > is external/internal > Outside the organization.

This matches every message originating from outside your verified domains.

4. Action

  • Do the following…: Select Modify the message properties > Prepend the subject of the message with.
  • In the flyout, type: [EXTERNAL] (include the trailing space).

5. Exceptions

For this rule, exclude messages where the prefix is already present, so replies don’t end up with [EXTERNAL] [EXTERNAL] [EXTERNAL] Re: … after a few rounds:

  • Select Add exception.
  • Except if… > The subject or body > Subject includes any of these words > [EXTERNAL].

Optional second exception: skip messages from trusted partner domains where the prefix would be noise:

  • Except if… > The sender’s domain is > add the trusted domains.

6. Set audit and priority

  • Audit this rule with severity level: keep at Low for rules with low blast radius, Medium for actions that might trigger user reports, High for blocks and redirects.
  • Mode: Choose Test with Policy Tips or Test without Policy Tips if you want to try the rule before making it live. Enforce is the live setting.
  • Activation/expiration dates: optional time bounds on when the rule applies.

7. Review and save

Review the summary; select Finish to save.

The new rule appears in the Rules list. Rules run in priority order (lowest number first); to reorder, drag rules in the list or set Priority explicitly. It can take up to 30 minutes for a new or modified rule to start applying to messages.

8. Test

From an external account (a personal Gmail, your phone), send a test message to a mailbox in your tenant. The subject should arrive as [EXTERNAL] <original subject>. Reply from the internal mailbox; the reply should land back at Gmail without the prefix being doubled.

Common rule patterns

| Goal | Condition | Action |
|------|-----------|--------|
| Prefix external mail | Sender is outside the organization | Prepend subject with [EXTERNAL] |
| Block executable attachments | Attachment file extension matches exe, scr, bat, ps1, vbs, js | Reject the message with explanation |
| Bypass spam filtering for a trusted vendor (rare) | Sender’s domain is trusted-partner.com AND IP is in 198.51.100.0/24 | Set the SCL to -1 |
| Force encryption on PII | Message contains pattern matching SSN regex | Apply Microsoft Purview Message Encryption |
| Route to journal for retention | Recipient is in the legal-hold group | Bcc to journal mailbox |
| Disclaimer on outbound | Sender is internal | Append disclaimer (HTML) |

When matching SCL or sender IP, scope tightly — wide rules with Set the SCL to -1 are how phishing actors bypass anti-spam.
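One way to check an existing tenant for the loosely scoped bypass rules described above. This is an added example, not code from the original page; the function name Get-LooseSclBypassRule and the sample rule objects are constructed for illustration, and the property names are those returned by Get-TransportRule.

```powershell
# Added example, not from the original page: flag mail flow rules that set
# SCL -1 without pinning the sender to specific IP ranges.
function Get-LooseSclBypassRule {   # hypothetical helper name
    param(
        # Rule objects to inspect, e.g. the output of Get-TransportRule.
        [Parameter(Mandatory)] [object[]] $Rule
    )
    foreach ($r in $Rule) {
        # Only rules whose action bypasses spam filtering are of interest.
        if ([string]$r.SetSCL -ne '-1') { continue }

        # A sender domain or address comes from the message itself; only the
        # connecting IP range ties the bypass to the vendor's mail servers.
        $hasIp     = [bool]($r.SenderIpRanges | Where-Object { $_ })
        $hasSender = [bool](@($r.SenderDomainIs) + @($r.From) | Where-Object { $_ })

        $finding = if (-not $hasSender -and -not $hasIp) {
            'No sender or IP condition on a spam-filter bypass'
        } elseif (-not $hasIp) {
            'Sender matched by domain/address only; add an IP range condition'
        } else { $null }
        if (-not $finding) { continue }

        [pscustomobject]@{
            Name     = $r.Name
            Priority = $r.Priority
            State    = $r.State
            Finding  = $finding
        }
    }
}

# Constructed sample objects shaped like Get-TransportRule output (offline run).
$sample = @(
    [pscustomobject]@{ Name = 'Vendor bypass (scoped)'; Priority = 2; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = @('trusted-partner.com'); SenderIpRanges = @('198.51.100.0/24'); From = $null }
    [pscustomobject]@{ Name = 'Vendor bypass (domain only)'; Priority = 3; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = @('trusted-partner.com'); SenderIpRanges = $null; From = $null }
    [pscustomobject]@{ Name = 'External email subject prefix'; Priority = 0; State = 'Enabled'; SetSCL = $null
                       SenderDomainIs = $null; SenderIpRanges = $null; From = $null }
)
Get-LooseSclBypassRule -Rule $sample | Format-Table -AutoSize -Wrap

# Against the tenant, after Connect-ExchangeOnline:
# Get-LooseSclBypassRule -Rule (Get-TransportRule) | Format-Table -AutoSize -Wrap
```

With the sample data, only the domain-only rule is reported.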

PowerShell

For scripted or repeatable rule creation:

Connect-ExchangeOnline

# The same [EXTERNAL] subject prefix rule
New-TransportRule `
  -Name             "External email subject prefix" `
  -FromScope        "NotInOrganization" `
  -ExceptIfSubjectContainsWords "[EXTERNAL]" `
  -PrependSubject   "[EXTERNAL] " `
  -Mode             Enforce

To list all rules:

Get-TransportRule | Format-Table Name, State, Priority, Mode -AutoSize

To export every rule for backup or migration:

Get-TransportRule |
  Export-Clixml -Path .\transport-rules-backup.xml
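A staged rollout of the "Block executable attachments" pattern from the table, combining the export above with the test mode and audit severity from step 6. This is an added example, not code from the original page; the rule name, rejection text, backup file name and the Enable-StagedTransportRule helper are assumptions, and it expects an existing Connect-ExchangeOnline session.

```powershell
# Added example, not from the original page.
$ruleName = 'Block executable attachments'                         # assumed name
$backup   = ".\transport-rules-$(Get-Date -Format yyyyMMdd-HHmmss).xml"

# 1. Snapshot the current rules first: edits overwrite state and cannot be undone.
Get-TransportRule | Export-Clixml -Path $backup

# 2. Create the rule in test mode. 'Audit' is "Test without Policy Tips":
#    matches are recorded, but no message is rejected yet.
New-TransportRule `
  -Name                            $ruleName `
  -AttachmentExtensionMatchesWords 'exe','scr','bat','ps1','vbs','js' `
  -RejectMessageReasonText         'Executable attachments are not accepted.' `
  -SetAuditSeverity                High `
  -Mode                            Audit

# 3. Confirm what was saved (changes can take up to 30 minutes to apply).
Get-TransportRule -Identity $ruleName |
  Format-List Name, State, Mode, Priority, SetAuditSeverity

# 4. Promote to Enforce only from a test mode, so a rule is never switched
#    live by accident or promoted twice. Hypothetical helper name.
function Enable-StagedTransportRule {
    param([Parameter(Mandatory)] [string] $Name)

    $rule = Get-TransportRule -Identity $Name -ErrorAction Stop
    if ([string]$rule.Mode -notin 'Audit', 'AuditAndNotify') {
        throw "Rule '$Name' is in mode '$($rule.Mode)', not a test mode; nothing changed."
    }
    Set-TransportRule -Identity $Name -Mode Enforce
    Get-TransportRule -Identity $Name | Select-Object Name, State, Mode, Priority
}

# Run after the test period, once the recorded matches look correct:
# Enable-StagedTransportRule -Name $ruleName
```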

Notes and gotchas

  • Up to 30 minutes lag — rule changes are eventually-consistent across the Exchange Online infrastructure. Don’t troubleshoot a rule you just saved 30 seconds ago.
  • Rules don’t process system-generated messages — NDRs created by Exchange, journal reports, and approval-request notifications. Don’t expect a rule on the subject line to catch a bounce.
  • Encrypted messages. Rules can always inspect envelope headers, but to inspect the body of a Microsoft Purview-encrypted message you need transport decryption enabled. S/MIME messages can only be evaluated on header conditions; their bodies are opaque to rules.
  • Bypass spam filtering ≠ allow phishing. Setting SCL to -1 bypasses the spam filter but not high-confidence phishing or malware detection. Use the Tenant Allow Block List for explicit overrides; don’t whitelist whole domains via transport rules.
  • History isn’t versioned. Modifications to a rule overwrite the previous state — there’s no undo. Export to XML before significant changes.
  • Multiple actions all run. Some actions (delete the message, forward the message) prevent later actions or rules from running on that message. Read the documentation on each action’s downstream effects.
  • Priority and Stop processing more rules. Priority controls evaluation order. The Stop processing more rules action prevents lower-priority rules from running on a matched message — useful for one-shot exceptions ahead of broader rules.
  • Test, test, test. The Exchange admin center has a Test mode that runs a rule and reports what it would have done without taking action. Use it for any rule that blocks, redirects, or modifies content.
