Changes to Email Forwarding in Microsoft 365

Important Update: Changes to Email Forwarding in Microsoft 365

As part of the CSU System Cyber Security Alignment initiative, our university will be disabling all automatic or bulk forwarding of emails out of the Microsoft 365 environment effective October 1, 2025.

>>> You will still be able to forward individual messages manually as usual. <<<

Why Is This Change Necessary?

Automatic email forwarding to external addresses poses several security and compliance risks. Disabling this feature helps protect university data and aligns with CSU-wide cybersecurity standards. Key concerns include:

Data Leakage: Forwarded emails may contain sensitive or confidential information that could be exposed outside the university.
Phishing & Spoofing: Attackers can exploit forwarding rules to redirect messages and impersonate university accounts.
Loss of Visibility: IT security teams lose visibility into where data is going, making it harder to detect breaches or misuse.
Compliance Risks: Forwarding may violate CSU data protection policies and regulatory requirements.

What's more, blocking rule-based or automatic email forwarding outside the System's M365 environment ensures the institution can maintain control over message data, enabling timely legal holds and efficient eDiscovery in compliance with retention and litigation requirements.

What You Need to Do

If you currently have automatic forwarding rules set up, you can remove them yourself before October 1: Remove Automatic Forwarding from your Email
If no action is taken, all automatic forwarding rules will be removed on October 1, 2025.

What Happens After October 1st?

Starting October 1st, any rule-based forwarding of email to addresses outside our Microsoft 365 environment will be removed. You will not lose any messages. All incoming email will continue to arrive in your Microsoft 365 mailbox as usual, where it will remain accessible through Outlook on the web, desktop, or mobile apps. This change simply ensures that your messages stay within the institution’s secure environment, helping us protect data and meet legal and compliance obligations.

How to read your CSU M365 email on the web

How We’re Supporting You

By August 1, 2025, the Division of IT will provide IT departments and workers, through the IT Community, a list of users who have active forwarding rules to allow them to do personalized outreach.

The Division of IT will also notify affected users directly via email on these (approximate) dates:

August 1 (two months before the change)
September 17 (two weeks before)
September 29 (two days before)

Learn More

Read about the CSU System Cybersecurity Alignment (CSA) initiative.
Read the Source Article about the forwarding change
If you have a business case requiring an exception, you may create a ticket explaining the specific needs by emailing msops_help@colostate.edu

Reminder: You can still forward individual messages manually.

If you have any questions or need help, please contact your department’s IT support or the Division of IT Help Desk.