How to fix the error: 550 5.7.520 Access denied, Your organization does not allow external forwarding


I have often seen this error in scenarios with either multiple tenants or where an organization needs to automatically forward e-mails to specific recipients outside the organization (tenant).

The error can be found when troubleshooting the message logs to see why a specific e-mail did not arrive at its destination, or when end users get the error because their e-mail bounces.

Remote Server returned ‘550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)’

How to Search for it in Message Trace

Go into the Exchange Admin Center (admin.exchange.microsoft.com) and click Mail flow > Message trace. From here, start a message trace for the e-mail that you expect to have been forwarded and might have arrived at its destination:

Dive into the e-mail by clicking it and locate the error under Message events:

Here you will see the same error, confirming that forwarding is not allowed within your tenant to external recipients.

To fix this, you will need to allow automatic forwarding to external recipients.

Microsoft has a great article on how to control this:

I will also try to highlight it in the steps below.

Here is what needs to be done to allow automatic forwarding. In my scenario below, we have an Invoice Mailbox in our tenant that also needs to automatically forward e-mails to an external recipient (an external cloud service for scanning invoices).

How to Enable and Allow Automatic Forwarding

To enable this, we need to update an existing policy or add a new one.

Go to the Security Portal (security.microsoft.com)

First, let’s have a look at why we cannot forward and what policies restrict this.

Expand E-mail & Collaboration and click Policies & rules:

Click Threat policies:

Click the Anti-spam Policy:

Click the Anti-spam outbound policy (Default):

Here you can see the default outbound settings, where Automatic forwarding is set to Automatic – System-controlled:

Automatic – System-controlled: This is the default setting. This setting is now the same as Off. When this setting was originally introduced, it was equivalent to On. Over time, thanks to the principles of secure by default, this setting was gradually changed to Off for all Microsoft 365 customers. For more information, see this Microsoft blog post.

Reference: Control automatic external email forwarding in Microsoft 365

The recommended way to allow automatic forwarding is to create a new custom outbound policy and not update the Default Policy. By creating a new custom policy, it is easier to control who can actually forward, rather than allowing it for the entire tenant.

To create a new Policy, click Create Policy and select Outbound:

Give the new Policy a name and description that make sense within your organization:

In my scenario, I will only allow the Invoice Mailbox to automatically forward e-mail to an external recipient:

In some multi-tenant and tenant-to-tenant migration scenarios, you may need to allow all of your migrated users to automatically forward to a new tenant. It depends on your scenario. In that case, you can allow it per user, per group, or even at the mail domain level.

Next, select Automatic forwarding rules and set it to On – Forwarding is enabled. This will now allow automatic forwarding for the selected group of users:

Lastly, click Create to save the new Policy:

Now we are done with our new Policy to allow mail to be sent to external recipients:

Now we just need to test our scenario. Send some test e-mails to the mailbox(es) that are configured to forward e-mails to external recipients and confirm that the e-mails are being sent out of your tenant. Use the Message trace to confirm this.
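
The same scoped policy can be created and checked from Exchange Online PowerShell. This is an added example, not part of the original walkthrough; the policy name and the invoice@contoso.com address are placeholder assumptions, and the last step goes slightly beyond the portal steps by listing mailboxes that already have mailbox-level forwarding configured.

```powershell
# Added example: PowerShell equivalent of the portal steps above.
# Assumed placeholder values; replace them with your own.
$PolicyName = 'Allow external forwarding - Invoice mailbox'
$Mailbox    = 'invoice@contoso.com'

# Requires the ExchangeOnlineManagement module and sufficient admin rights.
Connect-ExchangeOnline

# 1. Record the current state. The Default policy should stay on
#    Automatic (treated as Off), so forwarding remains blocked tenant-wide.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode

# 2. Create the custom outbound policy with forwarding enabled,
#    unless a policy with this name already exists.
$existingPolicy = Get-HostedOutboundSpamFilterPolicy |
    Where-Object Name -eq $PolicyName
if (-not $existingPolicy) {
    New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On
}

# 3. Scope the policy to the single mailbox with an outbound rule.
#    Without a rule the custom policy applies to nobody.
$existingRule = Get-HostedOutboundSpamFilterRule |
    Where-Object Name -eq $PolicyName
if (-not $existingRule) {
    New-HostedOutboundSpamFilterRule -Name $PolicyName `
        -HostedOutboundSpamFilterPolicy $PolicyName `
        -From $Mailbox
}

# 4. Verify the scope: only the intended sender should be listed,
#    with no group or domain-wide conditions.
Get-HostedOutboundSpamFilterRule |
    Where-Object Name -eq $PolicyName |
    Select-Object Name, State, Priority, From, FromMemberOf, SenderDomainIs

# 5. List mailboxes that have mailbox-level SMTP forwarding set, to
#    compare against the senders the policy is meant to cover.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Step 5 only shows forwarding set on the mailbox itself; forwarding done through inbox rules is not included in that output.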

Hope this was useful.