Allowing external email forwarding in Office 365

November 16, 2021 

We use Zimbra as our main email server. We also have Office 365 subscription to make working with our clients a bit easier. The challenge is that when customers send us, say, Teams meeting invites, they typically use autofill and the email gets sent to our Office 365 mailboxes which nobody really looks at.

It is possible to fix this by configuring email forwarding. That is theoretically possible out of the box on a per-user basis in https://outlook.office.com/mail/options/mail/forwarding. However, when you actually try it out you will get an error message in your Office 365 inbox because forwarding is disabled on the organizational level by default:

Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)'

Most of the solution is described in this blog post, but we'll go through the steps in here as well.

The solution is to set up a new outbound antispam policy in Microsoft 365 Defender. You can select to allow forwarding for individual users, groups or the entire domain. Keeping the scope minimal is the best option security-vise. That said, when you try to add the anti-spam policy you may get blocked because your Office 365 organization does not allow customization, with the hint to run the Enable-OrganizationCustomization Cmdlet to fix the issue. Doing that is easier said than done, so the steps are outlined below. Windows Powershell is assumed, though the commands might work on Powershell Core as well.

First you need to connect to Exchange Online. Doing that is a multi-step process. First you install a custom Powershell module:

Install-Module -Name ExchangeOnlineManagement -RequiredVersion 2.0.5

Then you import it:

Import-Module ExchangeOnlineManagement

Finally you can actually connect to your Office 365 "Exchange Online" organization, e.g.

Connect-ExchangeOnline -UserPrincipalName [email protected]

Finally you can enable organization changes:

Enable-OrganizationCustomization

Now you should be able to create the outbound spam policy, which in turn allows users to enable email forwarding and expect it to work.

Samuli Seppänen
Samuli Seppänen
Author archive
menucross-circle