Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Microsoft 365 / Forwarding Emails to an External Address in Microsoft 365 (Exchange Online)

January 13, 2022 ExchangeMicrosoft 365PowerShell

Forwarding Emails to an External Address in Microsoft 365 (Exchange Online)

By default, cloud-based Exchange Online (Microsoft 365) prevents automatic external email forwarding using Outlook rules or enabled mailbox forwarding.

If you create an inbox rule in an Exchange Online mailbox (using Outlook or PowerShell) to automatically forward incoming emails from your mailbox to an external email address, you will see the NDR message when trying to forward an email using the rule:

Your message wasn't delivered because the recipient's email provider rejected it.
Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)'

Access denied error message when setting up email forwarding in exchnage online ('550 5.7.520 Access denied, Your organization does not allow external forwarding)

You may see the same message when you check the message trace in Microsoft 365.

Office 365 received the message that you specified, but couldn't deliver it to the recipient (external_adress@gmail.com‎) due to the following error:
Error: ‎550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)‎

Office 365 received the message that you specified, but couldn't deliver it to the recipient (external_adress@gmail.com‎) due to the following error Error: ‎550 5.7.520 Access denied, Your organization does not allow external forwarding.

You can allow automatic email forwarding for the whole organization or specific mailboxes in the Security and Compliance settings of your Microsoft 365 tenant. Go to https://protection.office.com -> Threat Management -> Policy -> Anti-Spam Policy.

If you want to allow external forwarding for all Microsoft 365 mailboxes, edit the Anti-spam outbound policy (Default). In our example, we’ll only allow external email forwarding for the specific tenant users or groups. This option is more preferable from the security point of view.

  1. Create a new anti-spam outbound policy;
  2. Set the policy name;
  3. Then select the users and/or groups that you want to allow external forwarding;
    enable automatic external forwarding for individual mailboxes in exchange online
  4. In the Forwarding rules section, select Automatic forwarding rules -> On Forwarding is enabled;Enable External Forwarding in Microsoft 365
  5. Save your anti-spam policy.

Then all users you have specified will be able to enable automatic external forwarding rules in their Microsoft 365 mailboxes.

There is another policy in Exchange Online that allows you to configure trusted domains to send OutOfOffice replies and enable automatic email forwarding. It is the Remote Domain. However, anti-spam policy settings take precedence, you can use the Remote Domain option to create a list of trusted and untrusted external domains.

The Default policy in the Remote domain denies nothing. But you can change its settings or add your own rules for the specific domains:

  1. Open Mail flow -> Remote domains -> Add a remote domain in the Exchange Admin Center;
  2. Enter the domain name;
  3. Select what types of automatic replies you want to allow for this domain. Check Allow automatic forwarding;

MIcrosft 365: Allow automatically forwarded messages to be sent to recepients in the remote domain

You can also add trusted domains and configure remote domain allowed rules using PowerShell.

Connect to your Microsoft 365 tenant using the Exchange Online PowerShell module v2 (EXO V2). The following commands allow all types of automatic replies and forwarding for the woshub.com domain and all its subdomains:

New-RemoteDomain -Name "WOSHub and subdomains" -DomainName *.woshub.com
Set-RemoteDomain -Identity "WOSHub and subdomains" -AutoReplyEnabled $true -AutoForwardEnabled $true -AllowedOOFType InternalLegacy

You can display the full list of configured Remote Domain rules as follows:

Get-RemoteDomain Default | fl AllowedOOFType, AutoReplyEnabled, AutoForwardEnabled

You can use remote domains along with Microsoft 365 anti-spam filters for granular control over allowed domains to automatically forward messages from your tenant. For example, you can allow forwarding for the specific mailboxes in your anti-spam filter and deny automatic forwarding to free email services (gmail.com, outlook.com, etc.) using Remote Domains.

In order to audit enabled automatic forwarding rules in Office 365, you may use the PowerShell script below that will find and display all Outlook forwarding rules in all tenant mailboxes:

$mailboxes=get-mailbox –resultSize unlimited
$rules = $mailboxes | foreach { get-inboxRule –mailbox $_.alias }
$rules | where { ( $_.forwardAsAttachmentTo –ne $NULL ) –or ( $_.forwardTo –ne $NULL ) –or ( $_.redirectTo –ne $NULL ) }  | ft name, MailboxOwnerId, ForwardTo, Description

Remember that an administrator can also enable external forwarding rules on the entire mailbox level:

Set-Mailbox maxbak -ForwardingsmtpAddress maxmaster@outlook.com -DeliverToMailboxAndForward $true

You can find users with the enabled mail forwarding as shown below:

Get-Mailbox -ResultSize Unlimited -Filter "ForwardingAddress -like '*' -or ForwardingSmtpAddress -like '*'" | Select-Object Name,ForwardingAddress,ForwardingSmtpAddress

In on-premises Exchange Servers, you could create an AD contact or a mail-enabled user with an external email address and set configure external forwarding for it. Such a contact will be trusted for the entire Exchange organization.

This method doesn’t work in Exchange Online. However, you will be able to create a contact using the EAC (https://admin.exchange.microsoft.com/ -> Recipients -> Contacts -> Add a contact) or PowerShell (New-MailContact -Name "ext-Andy.Thompson" -ExternalEmailAddress andy.th@gmail.com). When you send an email to it, the NDR “’550 5.7.520” will still appear.

0 comment
2
Facebook Twitter Google + Pinterest
previous post
Updating List of Trusted Root Certificates in Windows
next post
Fix: Microsoft Outlook Search Not Working on Windows 10/11

Related Reading

Create Organizational Units (OU) Structure in Active Directory...

May 17, 2022

Windows Security Won’t Open or Shows a Blank...

May 17, 2022

How to Manually Install Windows Updates from CAB...

May 16, 2022

Enable or Disable MFA for Users in Azure/Microsoft...

April 27, 2022

Fix: You’ll Need a New App to Open...

April 27, 2022

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • PowerShell
  • VMWare
  • Hyper-V
  • MS Office

Recent Posts

  • Create Organizational Units (OU) Structure in Active Directory with PowerShell

    May 17, 2022
  • Windows Security Won’t Open or Shows a Blank Screen on Windows 10/ 11

    May 17, 2022
  • How to Manually Install Windows Updates from CAB and MSU Files?

    May 16, 2022
  • RDS and RemoteApp Performance Issues on Windows Server 2019/2016

    May 16, 2022
  • Deploying Software (MSI Packages) Using Group Policy

    May 12, 2022
  • Updating VMware ESXi Host from the Command Line

    May 11, 2022
  • Enable or Disable MFA for Users in Azure/Microsoft 365

    April 27, 2022
  • Fix: You’ll Need a New App to Open This Windows Defender Link

    April 27, 2022
  • How to Reset an Active Directory User Password with PowerShell and ADUC?

    April 27, 2022
  • How to Completely Uninstall Previous Versions of Office with Removal Scripts?

    April 26, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Whitelist Domains and Email Addresses on Exchange Server and Microsoft 365
  • How to Cleanup, Truncate or Move Log Files in Exchange Server 2013/2016/2019?
  • Moving Exchange Mailboxes to Different Database
  • Fix: Microsoft Outlook Search Not Working on Windows 10/11
  • How to Delete or Rename Default Mailbox Database in Exchange Server?
  • Export Exchange or Office 365 Global Address List (GAL) to CSV
  • Search and Delete Emails from User Mailboxes on Exchange Server (Microsoft 365) with PowerShell
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top