For a discussion about whether you should restrict external forwarding, read . If you've decided to go ahead, read on.
To restrict external auto-forwarding in Exchange Online, it's best to use outbound spam filters. Although there are other approaches available, using outbound spam filters means users can still create external auto-forwarding rules, but they receive a mail delivery failure when the rule is used. This allows you to continue to monitor for malicious rules being created, which is a high-fidelity alert for account compromise, whilst preventing the impact of the attack.
Before you start
Before starting, make sure the change won't negatively impact your users by checking if there are any external auto-forwarding rules already in place.
Configure your spam filter policy
Use spam filters to make external forwarding rules ineffective. Keep the detection of account compromise but remove the impact.
Select "Anti-spam outbound policy" and "Edit protection settings"
Select "Automatic forwarding rules" and then "Off - Forwarding is disabled"
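The check from "Before you start" and the policy change above can also be done from Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module, an Exchange admin session, and that the outbound policy in use is the one named Default. `Test-ExternalTarget` is a helper name made up for the example.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and
# the account has Exchange admin rights.
Connect-ExchangeOnline

# Domains the tenant owns; a forwarding target in any other domain is external.
$internal = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    param([string]$Target)
    # Matches 'smtp:user@domain' (mailbox forwarding) and
    # '"Name" [SMTP:user@domain]' (inbox rule recipients).
    if ($Target -match 'SMTP:[^@\]]+@([^\]\s]+)') {
        return $internal -notcontains $Matches[1]
    }
    return $false   # no SMTP address, e.g. an internal directory recipient
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding set by an admin or through Outlook on the web.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox forwarding'
                           Rule = ''; Target = $mbx.ForwardingSmtpAddress }
    }
    # Inbox rules that forward or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets | Where-Object { $_ -and (Test-ExternalTarget $_) }) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Inbox rule'
                               Rule = $rule.Name; Target = $t }
        }
    }
}
$findings | Format-Table -AutoSize

# Current setting on each outbound spam policy (Automatic, On or Off).
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode

# Equivalent of "Off - Forwarding is disabled". 'Default' is assumed to be the
# policy in use; uncomment once the findings above have been reviewed.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Mailbox `ForwardingAddress` entries that point at mail contacts are not resolved by this script and need a separate look.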