How To Determine Which Active Rules Impact Email Attachments

One of the requirements for the MS-220 Troubleshooting Exchange Online exam is that you should be able to determine which active mail-flow rules impact email attachments. This is useful if you are an Exchange administrator and you have users reporting to you that they are not receiving expecting mail attachments from senders. 

In the tutorial, I am going to show you how you can use both the Exchange Admin center and PowerShell to find active mail flow rules which are impacting attachments.  

Pre-requisites

To complete this task you must be a member of the Exchange Administrators group or Global Administrators group in Microsoft 365. 

Also, in order to run the necessary scripts in this tutorial, you should also have the Exchange Online PowerShell module installed. See my tutorial on how to install the Exchange Online PowerShell module.

Determine which active rules impact email attachments with the Exchange Admin Center

To find which active rules affect mail attachments using the Exchange Admin Center web UI, follow the below steps.

1. Start by logging into the Exchange Admin Center: https://admin.exchange.microsoft.com/

2. From the left-hand menu, expand Mail flow and select Rules.

Expand mailflow and select rules
Expand mailflow and select rules

3. Use the search box at the upper left and search for the word ‘attachment‘. This will also search the rule description which includes the rule conditions.

Search for attachment

4. You will now only see search results that include the term ‘attachment’ in the name or description. You can then click each rule manually to determine the conditions and actions.

Rule search results
Rule search results

Determine which active rules impact email attachments with PowerShell

To generate a report using PowerShell of rule conditions that affect email attachments, you can use the following script. The script may be a little over-engineered, but it will convert the ‘array list’ type conditions to a string, then the whole variable to a string, before extracting the data into headed columns which can be searched or exported. 

The only parameter you need to manually define is the $rulename variable, where I have used the example below as ‘Block certain messages’.

#Connect to Exchange Online
Connect-ExchangeOnline

#Store exact rule name
$rulename = "Block certain messages"

#Store rule parameters which affect attachments
$attachmentrules = get-transportrule "$rulename" | Select *attachment*

#Convert array objects to string
$string1 = $attachmentrules.AttachmentExtensionMatchesWords | out-string
$attachmentrules.AttachmentExtensionMatchesWords = $string1
$string2 = $attachmentrules.AttachmentNameMatchesPatterns | out-string
$attachmentrules.AttachmentNameMatchesPatterns = $string2
$string3 = $attachmentrules.AttachmentPropertyContainsWords | out-string
$attachmentrules.AttachmentPropertyContainsWords = $string3
$string4 = $attachmentrules.AttachmentContainsWords | out-string
$attachmentrules.AttachmentContainsWords = $string4
$string5 = $attachmentrules.AttachmentMatchesPatterns | out-string
$attachmentrules.AttachmentMatchesPatterns = $string5
$string6 = $attachmentrules.ExceptIfAttachmentNameMatchesPatterns | out-string
$attachmentrules.ExceptIfAttachmentNameMatchesPatterns = $string6
$string7 = $attachmentrules.ExceptIfAttachmentExtensionMatchesWords | out-string
$attachmentrules.ExceptIfAttachmentExtensionMatchesWords = $string7
$string8 = $attachmentrules.ExceptIfAttachmentPropertyContainsWords | out-string
$attachmentrules.ExceptIfAttachmentPropertyContainsWords = $string8
$string9 = $attachmentrules.ExceptIfAttachmentSizeOver | out-string
$attachmentrules.ExceptIfAttachmentSizeOver = $string9
$string10 = $attachmentrules.ExceptIfAttachmentContainsWords | out-string
$attachmentrules.ExceptIfAttachmentContainsWords = $string10
$string11 = $attachmentrules.ExceptIfAttachmentMatchesPatterns | out-string
$attachmentrules.ExceptIfAttachmentMatchesPatterns = $string11
$string = "$attachmentrules"

#Create Report object
$Report = [System.Collections.Generic.List[Object]]::new()

#Define regex parameters
$reg = [RegEx]"(\w+)=(\w*)"

#Create report to review
$table=@()
$table = $reg.Matches($string) | ForEach-Object {
    $rhs = if($_.Groups[2].Value){
        $_.Groups[2].Value
    }else{
        "N/A"
    }
    $obj = [PSCustomObject][ordered]@{
        "TYPE" = $_.Groups[1].Value
        "VALUE" = $rhs
    }
    $Report.Add($obj)
} | Format-Table

#Display report in session
$report

#Export report to CSV
$report | export-csv C:\temp\MailRuleAttachmentInfo.csv -NoTypeInformation

I have also expanded on the above and the below script will generate a report with PowerShell on all transport rules in Exchange Online. In this case, you do not need to specify any variable as it will loop through each rule and produce an output.

#Connect to Exchange Online
Connect-ExchangeOnline

#Create Report object
$Report = [System.Collections.Generic.List[Object]]::new()

#Store all transport rules
$alltransportrules = get-transportrule

#Loop through all transport rules
ForEach ($Rule in $alltransportrules){

#Store rule parameters which affect attachments
$attachmentrules = get-transportrule $rule.name | Select *attachment*

#Convert array objects to string
$string1 = $attachmentrules.AttachmentExtensionMatchesWords | out-string
$attachmentrules.AttachmentExtensionMatchesWords = $string1
$string2 = $attachmentrules.AttachmentNameMatchesPatterns | out-string
$attachmentrules.AttachmentNameMatchesPatterns = $string2
$string3 = $attachmentrules.AttachmentPropertyContainsWords | out-string
$attachmentrules.AttachmentPropertyContainsWords = $string3
$string4 = $attachmentrules.AttachmentContainsWords | out-string
$attachmentrules.AttachmentContainsWords = $string4
$string5 = $attachmentrules.AttachmentMatchesPatterns | out-string
$attachmentrules.AttachmentMatchesPatterns = $string5
$string6 = $attachmentrules.ExceptIfAttachmentNameMatchesPatterns | out-string
$attachmentrules.ExceptIfAttachmentNameMatchesPatterns = $string6
$string7 = $attachmentrules.ExceptIfAttachmentExtensionMatchesWords | out-string
$attachmentrules.ExceptIfAttachmentExtensionMatchesWords = $string7
$string8 = $attachmentrules.ExceptIfAttachmentPropertyContainsWords | out-string
$attachmentrules.ExceptIfAttachmentPropertyContainsWords = $string8
$string9 = $attachmentrules.ExceptIfAttachmentSizeOver | out-string
$attachmentrules.ExceptIfAttachmentSizeOver = $string9
$string10 = $attachmentrules.ExceptIfAttachmentContainsWords | out-string
$attachmentrules.ExceptIfAttachmentContainsWords = $string10
$string11 = $attachmentrules.ExceptIfAttachmentMatchesPatterns | out-string
$attachmentrules.ExceptIfAttachmentMatchesPatterns = $string11
$string = "$attachmentrules"

#Define regex parameters
$reg = [RegEx]"(\w+)=(\w*)"

#Create report to review
$table=@()
$table = $reg.Matches($string) | ForEach-Object {
    $rhs = if($_.Groups[2].Value){
        $_.Groups[2].Value
    }else{
        "N/A"
    }
    $obj = [PSCustomObject][ordered]@{
        "RULE NAME" = $Rule.name
        "TYPE" = $_.Groups[1].Value
        "VALUE" = $rhs
    }
    $Report.Add($obj)
} | Format-Table
}

#Display report in session
$report

#Export report to csv 
$report | export-csv C:\temp\AllMailRuleAttachmentInfo.csv -NoTypeInformation

If you have a lot of rules, the output will be quite large. You should use the ‘filter’ feature in Excel to reduce your results appropriately.

  1. Navigate to C:\temp and open the CSV file.

2. Adjust the width of the columns, then select the Value column, click the data tab at the top and click filter.

Select the Value column and click Filter
Select the Value column and click Filter

3. Click the drop-down arrow next to Value and uncheck N/A and False.

Uncheck N\A and False
Uncheck N\A and False

4. You will now only be left with meaningful information.

Excel filter results
Excel filter results

Disable impacting rules

Once you have determined which rules are affecting email attachments, you can disable the rule while you further resolve the root cause of the issue. 

To disable rules through the Exchange Admin Center

1. While logged into the Exchange Admin Center, expand mail flow and select rules.

2. Identify the rule you wish to disable in the list and click on the rule name.

Click on the rule name
Click on the rule name

3. Click the Enable or disable rule slider to disable the rule.

Click the enable or disable slider
Click the enable or disable slider

To disable rules with PowerShell

Firstly, to view all rules which are enabled, you can run the following:

Get-TransportRule | Where-Object {$_.State -eq "Enabled"}

You can then use the below script to target a specific rule, ensure you change the rule identity to the name of the rule that matches your target rule.

$Rule = Get-TransportRule -Identity "Block .exe attachments"

If ($rule.state -eq "Enabled") {
   Disable-TransportRule -Identity $Rule.Name -confirm:$false
    Write-host $rule.name ": has been disabled" -ForegroundColor black -BackgroundColor green
} Else {
    Write-host $rule.name ": is already disabled" -ForegroundColor black -BackgroundColor yellow
}

You can also view all of the above scripts on my GitHub here.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

Leave a Reply