How to fix 550 5.7.520 Access denied, Your organization does not allow external forwarding.
By default, Microsoft 365 Defender sets up an Anti-Spam outbound policy. And the policy default sets Automatic Forwarding to “Automatic: System Controlled.”
Error: “Remote Server returned ‘550 5.7.520 Access denied. Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)”
Since we do not want to modify this default policy, we can create a policy (with a higher priority) that defines certain users or groups to allow forwarding.
- Go to www.office.com and log into the tenant. (do not log into the destination email address tenant)
- Open the Admin Center
- Next, click Show All (admin centres) and then click Security.
5. Next, in the Security / Microsoft 365 Defender Admin Center, under Email & Collaboration, click on Policies & rules.
6. Here, click on Threat Policies
7. Under Threat policies, click Anti-Spam.
8. Under the Default Anti-Spam outbound policy (Default), we will probably find Automatic Forwarding is set to Automatic – System-Controlled
9. Close the Default Policy and then at the top of the screen, click the + Create Policy drop-down and choose Outbound
10. In the new Outbound policy, edit the description to something like “Custom Outbound Mail Forward“, and add the Users or Groups to the policy (whom you want to give the ability to forward.)
11. At the bottom of the new custom policy change Automatic Forwarding to: On – Forwarding is enabled
12. Save and close the new policy, and that should do it. Try sending some test messages to see if the forward works correctly. We may need to change the new policy’s Priority to 0 if something still isn’t working. Also, don’t forget to double-check the Automatic Forwarding on the mailbox itself.