
How to restrict specific email addresses, that are in our domain but not in an allowed group from journaling

Andrew Bonser 0 Reputation points
2026-03-10T20:58:14.76+00:00

How to restrict specific email addresses, that are in our domain, but not in an allowed Journal rules group from journaling?

Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.


2 answers

  1. TiNo-T 12,015 Reputation points Microsoft External Staff Moderator
    2026-03-10T23:20:54.5733333+00:00

    Dear @Andrew Bonser,

    Welcome to Microsoft Q&A Forum!

    Thank you for your patience, and I completely understand how confusing and frustrating this situation can be, especially when you expect journaling to apply only to a specific set of users.

    After reviewing your scenario, I’d like to clarify what is happening and why this behavior is expected in Exchange Online, along with some suggestions that you may consider.

    1. What is happening:

    In Exchange Online, journaling rules are evaluated at the organization level, not on a strict “allowed users only” basis. When a journaling rule is scoped to a distribution group or mail‑enabled security group, Exchange journals any message where at least one participant (sender or recipient) is a member of that group. As a result, if a journaled user sends or receives an email with another internal user who is not in the allowed group, the message may still be journaled. Unfortunately, Exchange Online journaling may not support exclusion logic, such as:

    • Excluding specific internal users
    • Using deny lists
    • Applying exceptions or conditional rules

    This is an expected behavior, not a misconfiguration.

    2. Why this cannot be restricted further:

    Journaling in Exchange is designed for compliance capture, not granular filtering. For this reason, it may not support:

    • “Journal only if both sender and recipient are in the group”
    • Excluding specific mailboxes once a journaling rule applies

    Therefore, here are several ideas that you may consider:

    Depending on your business or compliance requirements, you may want to consider one of the following:

    1. Use a tightly controlled journaling group:

    Ensure only the exact mailboxes that must be journaled are members of the group (no shared mailboxes or service accounts).

    2. Use mail flow (transport) rules for conditional processing:

    Transport rules support conditions and exceptions based on sender/recipient and group membership.

    Please note that transport rules are not a full replacement for journaling in regulated compliance scenarios.

    3. Consider a third‑party archiving or compliance solution:

    These solutions typically support more advanced inclusion/exclusion logic when strict scoping is required.

    Note: This third suggestion is provided as a convenience to you. This idea is not controlled by Microsoft, and Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found in third-party documents. Please ensure that you fully understand the risks before using any suggestions from third-party links. I cannot provide further support for it; please kindly research it and take responsibility on your own.

    Also, you may find the following Microsoft documentation helpful for further confirmation:

    In these documents, you may see that journaling rules apply when either the sender or recipient matches the rule scope and that exclusions may not be supported.

    Besides that, you can take a look at the answer from Q&A Assist AI to see if it can give you some insights.

    I truly understand the inconvenience this may cause, and I hope this explanation helps clarify why the behavior occurs and what options are available.




  2. Q&A Assist
    2026-03-10T20:58:25.43+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use targeted journal rules so that only members of the “allowed” group are journaled and everyone else in the domain is excluded.

    In Exchange Online journaling, the behavior is:

    • The journal recipient is the SMTP address (mailbox, distribution group, dynamic distribution group, mail user, or contact) whose traffic is journaled.
    • All messages sent to or from the journaling recipients specified in a rule are journaled.
    • If no journal recipient is specified on a rule, then all recipients that match the rule’s scope (Internal / External / All) are journaled.

    To restrict journaling to only an allowed group and exclude other internal addresses:

    1. Create (or use) a distribution group that contains only the internal users that must be journaled.
    2. Create a journal rule that:
      • Sets Journal recipient to that distribution group.
      • Sets Journal rule scope as needed (for example, Internal messages only, External messages only, or All messages).
      • Sets Journaling mailbox to the appropriate external journaling mailbox/archiving system.
    3. Ensure there is no other journal rule without a Recipient (journal recipient) defined and no other rule that targets “all messages” for the entire organization, because:
      • A rule without a journal recipient journals all recipients that match the scope.
      • That would override the attempt to restrict journaling to only the allowed group.

    With this configuration, only messages sent to or from members of the allowed group are journaled; other internal addresses in the same domain are not journaled because they are not specified as journal recipients in any rule.
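
Added example, not part of either answer above and not Microsoft's code: a check for the condition in step 3, flagging enabled journal rules that have no journal recipient or that target something other than the allowed group. The function name `Find-BroadJournalRule`, the group address and the sample rules are constructed for illustration; the property names follow the output of `Get-JournalRule`.

```powershell
# Added example: flag journal rules that journal more than the allowed group.
# $AllowedGroup and the sample rule objects below are constructed placeholders.
function Find-BroadJournalRule {
    param(
        [Parameter(Mandatory)] [object[]] $Rule,         # objects shaped like Get-JournalRule output
        [Parameter(Mandatory)] [string]   $AllowedGroup  # SMTP address of the allowed journaling group
    )
    foreach ($r in $Rule) {
        if (-not $r.Enabled) { continue }                # disabled rules journal nothing
        $recipient = [string]$r.Recipient
        $finding = if ([string]::IsNullOrWhiteSpace($recipient)) {
            'No journal recipient: every recipient matching the scope is journaled'
        } elseif ($recipient -ne $AllowedGroup) {        # -ne is case-insensitive for strings
            'Journal recipient is not the allowed group'
        } else {
            $null                                        # scoped to the allowed group: no finding
        }
        if ($finding) {
            [pscustomobject]@{
                Name      = $r.Name
                Scope     = $r.Scope
                Recipient = $recipient
                Finding   = $finding
            }
        }
    }
}

# Constructed sample rules (not from a real tenant).
$allowed = 'journal-allowed@contoso.example'
$sample = @(
    [pscustomobject]@{ Name = 'Allowed group';  Recipient = $allowed; Scope = 'Global'; Enabled = $true }
    [pscustomobject]@{ Name = 'Legacy capture'; Recipient = $null;    Scope = 'Global'; Enabled = $true }
    [pscustomobject]@{ Name = 'Old pilot';      Recipient = 'pilot@contoso.example'; Scope = 'Internal'; Enabled = $false }
)
Find-BroadJournalRule -Rule $sample -AllowedGroup $allowed | Format-Table -AutoSize -Wrap

# Against a live tenant, after Connect-ExchangeOnline:
# Find-BroadJournalRule -Rule (Get-JournalRule) -AllowedGroup $allowed
```

On the sample data only `Legacy capture` is reported. As the first answer points out, a rule that passes this check still journals messages exchanged between a group member and a non-member.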

