Exchange Online – Microsoft Defender – The Remote server returned ‘550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)

To enable sending passwords in a secure way via email, one of the requirements was to enable a user to send mail to other users in the organization using SMTP.

Exchange Online requires at least two (sometimes three) configuration changes to enable this.

1. Enable or disable authenticated client SMTP submission (SMTP AUTH) in Exchange Online

On a user level this is done from the “Microsoft 365 admin center”: open “Active users” and select the user. Click on “Mail” and then select “Manage email apps” (see the following image).

The “Authenticated SMTP” flag must be selected (see the following image).

Note: to enable SMTP AUTH at the organization level, read the Microsoft post “Enable or disable SMTP AUTH in Exchange Online” on Microsoft Learn.

2. Enable Automatic forwarding in Defender

The “Anti-spam outbound policy (Default)” in Defender has “Automatic forwarding” set to “Automatic – System-controlled”. You must create a new policy for the user that will send email using SMTP.

Open https://security.microsoft.com/ and under “Email & collaboration” select “Policies & rules” (as shown in the following image).

Select “Threat policies” and then “Anti-spam policies”. Click on “Create policy” and select “Outbound” (see the next image).

Name the policy as you prefer and add the required users. Under “Outbound Protection Settings”, in the “Forwarding rules” section, set “Automatic forwarding rules” to “On - Forwarding is enabled” (see the following image).

Complete the creation of the policy. A new policy with a higher priority than the default one will be created.

3. Bypass SPAM Filtering

This step may be required if step 2 does not work, or it can replace step 2 entirely.

Open the Exchange Online admin center and select “Mail flow”, then “Rules”. Click on “Add a rule” and select “Bypass spam filtering” (see the following image).

Name the rule and select “Apply this rule if the sender is this person”, then select the user you want to enable as sender.

Leave all the remaining parameters at their default values and create the new transport rule.
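The same three steps can be applied and, more importantly, verified from Exchange Online PowerShell, which makes it easy to confirm that only the intended mailbox was opened up. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module is installed, and the UPN, admin account and policy/rule names are placeholders to replace.

```powershell
# Placeholders: replace with the admin account and the mailbox that will send via SMTP
$AdminUpn = 'admin@contoso.example'
$User     = 'smtp-sender@contoso.example'

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 1 - SMTP AUTH for this mailbox only (org-wide setting stays untouched).
# $null = inherits the org setting, $true = disabled, $false = explicitly enabled.
Set-CASMailbox -Identity $User -SmtpClientAuthenticationDisabled $false
Get-CASMailbox -Identity $User | Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
# Org-wide value, for reference (the post keeps this at its default)
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Step 2 - outbound anti-spam policy with automatic forwarding enabled, scoped to the user.
# The rule binds the policy to the sender; a new rule gets a higher priority than the default.
$PolicyName = 'Allow forwarding - smtp-sender'   # constructed name
New-HostedOutboundSpamFilterPolicy -Name $PolicyName -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name $PolicyName -HostedOutboundSpamFilterPolicy $PolicyName -From $User

# Step 3 (optional, see the post) - transport rule equivalent to the "Bypass spam filtering"
# template: messages from this sender get SCL -1.
New-TransportRule -Name 'Bypass spam filtering - smtp-sender' -From $User -SetSCL -1

# Verification: every mailbox with SMTP AUTH explicitly enabled, and every outbound policy
# that allows forwarding. Both lists should contain only the entries created above.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress
Get-HostedOutboundSpamFilterPolicy |
    Where-Object { $_.AutoForwardingMode -eq 'On' } |
    Select-Object Name, AutoForwardingMode
Get-HostedOutboundSpamFilterRule | Select-Object Name, Priority, From, State

Disconnect-ExchangeOnline -Confirm:$false
```

Run the verification block on its own periodically: if a mailbox or policy shows up there that was not deliberately created, forwarding or SMTP AUTH has been enabled outside this procedure and should be reviewed.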