If you are using Microsoft Exchange Online and you try to forward messages from a mailbox or shared mailbox to an external email address, you may run into a frustrating delivery failure. The message usually looks something like this: Remote server returned access denied. Your organisation does not allow external forwarding. Please contact your administrator for further assistance.

This is a common Microsoft 365 security setting. By default, Microsoft often blocks or controls automatic forwarding to external recipients because it can be used by attackers to quietly send company emails outside the organisation. That is good from a security point of view, but it can be confusing when you are the administrator and you intentionally want to forward a mailbox to an outside address.

In this guide, I will walk through how to enable external forwarding for Microsoft Exchange using Microsoft Defender. This is especially useful if you are working with a shared mailbox, support mailbox, accounts mailbox, booking mailbox, or any general business email account that needs to forward emails to an external address.

HOW_TO_ENABLE_MICROSOFT_EXCHANGE_FORWARDING_TO_AN_-0-00-00.png

The setting we need to change is inside the Microsoft Defender portal, under the outbound anti spam policy. Once you enable automatic forwarding there, your Exchange mailboxes can forward emails to external email addresses, provided the mailbox forwarding rule itself is also configured correctly.

A clean modern workspace with a laptop showing a Microsoft 365 admin style dashboard, white background, blue accents using the colours #3379FC and #0684CE, professional personal brand blog style, natural light, minimal desk setup, approachable technology tutorial image.

The Error Message You Might See

The problem usually appears when you have already configured forwarding in Exchange, but Microsoft 365 blocks the message from leaving your organisation.

The error may say:

Remote server returned access denied. Your organisation does not allow external forwarding. Please contact your administrator for further assistance.

HOW_TO_ENABLE_MICROSOFT_EXCHANGE_FORWARDING_TO_AN_-0-00-19.png

In simple terms, Exchange is saying that the mailbox tried to forward an email to an outside address, but the organisation policy did not allow it. The mailbox itself might be configured correctly, but the security policy is overriding the forwarding action.

This can happen with a normal user mailbox, but it is very common with shared mailboxes. For example, you may have a mailbox like info at yourdomain dot com, support at yourdomain dot com, or enquiries at yourdomain dot com. You might want those emails to forward to a Gmail address, an external contractor, a ticketing system, a CRM platform, or another business address outside your Microsoft 365 tenant.

From the user side, it looks like forwarding is broken. From the admin side, the real issue is usually the outbound spam policy in Microsoft Defender.

Why Microsoft Blocks External Forwarding

Before turning this setting on, it is worth understanding why Microsoft blocks external forwarding in the first place.

External forwarding is convenient, but it can also create a security risk. If an attacker compromises a mailbox, one of the first things they may do is create a forwarding rule. That rule can silently copy all incoming emails to an outside email address. The user might not notice anything unusual because their email still arrives in the inbox, but the attacker is receiving a copy in the background.

This is dangerous because emails can contain invoices, password reset links, client details, personal information, internal documents, supplier messages, and other sensitive business information. For this reason, Microsoft Defender treats external forwarding as something that should be controlled carefully.

That does not mean you should never enable it. It simply means you should know why you are enabling it, who needs it, and whether there is a safer alternative. In many small business situations, forwarding is still a practical solution. For example, you might be moving mail to a help desk, sending enquiries to an external sales partner, or temporarily forwarding mail during a migration.

What You Need Before You Start

To make this change, you will need access to the Microsoft Defender portal. In most cases, you need to be a Microsoft 365 administrator with the right security permissions. If you are not an admin, you may need to ask your IT provider or Microsoft 365 administrator to make the change for you.

You should also confirm that you know which mailbox is being forwarded and which external email address will receive the messages. It is a good idea to keep a simple record of this, especially if you manage multiple mailboxes for a business.

Before changing the policy, check the following:

  • You can sign in to the Microsoft 365 admin account
  • You can access the Microsoft Defender portal
  • You know the mailbox that needs external forwarding
  • You know the external email address that should receive the forwarded mail
  • You understand that enabling forwarding can affect the organisation policy

If you are working in a larger organisation, you may not want to enable forwarding globally. In that case, you may prefer to create a custom outbound spam policy for specific users or mailboxes. For a smaller business or a simple setup, changing the default outbound policy may be enough, but it should still be done with care.

Step 1, Open The Microsoft Defender Portal

The first step is to open Microsoft Defender. Go to the following address in your browser:

security.microsoft.com

Sign in with your Microsoft 365 administrator account. If you manage more than one tenant, make sure you are signed in to the correct organisation before changing anything.

HOW_TO_ENABLE_MICROSOFT_EXCHANGE_FORWARDING_TO_AN_-0-00-34.png

Once you are inside the Defender portal, you will see a dashboard with navigation options on the left. Depending on your screen size or portal layout, some menu items may be hidden. If you do not see the full menu, click Show navigation on the left hand side.

This is one of those small details that can slow you down if you are following a tutorial. Microsoft changes their admin portals from time to time, and sometimes menu items are collapsed or renamed slightly. If you cannot see the exact option straight away, look for the broader section called Email and collaboration.

A professional tutorial illustration of a Microsoft Defender style security dashboard on a laptop screen, with a blue highlighted left navigation menu, clean white interface, subtle grey dividers, modern business workspace, personal blog style, no logos.

Step 2, Go To Email And Collaboration

In the left navigation menu, find and select Email and collaboration. This is where Microsoft Defender groups many of the security settings related to Exchange Online, email protection, spam filtering, phishing protection, and mail flow protection.

External forwarding is not managed directly from the mailbox forwarding screen in this case. The mailbox forwarding setting might be in Exchange admin centre, but the policy that allows or blocks outbound automatic forwarding is in Defender.

That is why this problem can be confusing. You may look at the mailbox settings and everything appears correct. The forwarding address is entered, the option is enabled, and the mailbox looks ready. But when the email tries to leave your organisation, Defender blocks it because the outbound anti spam policy does not allow automatic forwarding.

Step 3, Open Policies And Rules

Under Email and collaboration, click Policies and rules. This section contains many important controls for how Microsoft 365 handles email threats and filtering.

Inside this area, you will find settings for threat policies, spam filtering, anti phishing, safe links, safe attachments, quarantine, and related options. For this tutorial, the main area we need is Threat policies.

Click Threat policies to continue.

It is worth taking your time here. The Defender portal has many settings that can affect email behaviour across the organisation. If you are not familiar with the portal, do not randomly change other options. Stick with the outbound anti spam policy setting for automatic forwarding.

Step 4, Go To Anti Spam Policies

Once you are in Threat policies, look for Anti spam. Click into the anti spam settings.

Anti spam policies control how Microsoft 365 handles incoming and outgoing spam related behaviour. In this case, we are interested in outbound spam protection because forwarded messages are being sent out from your Microsoft 365 organisation to an external destination.

Inside the anti spam page, look for the policy called Anti spam outbound policy. In many tenants, you will see a default outbound policy. This is the policy that controls automatic forwarding behaviour unless you have created custom policies.

HOW_TO_ENABLE_MICROSOFT_EXCHANGE_FORWARDING_TO_AN_-0-01-23.png

Click on the outbound policy to open the settings.

Step 5, Change Automatic Forwarding To On

Inside the outbound anti spam policy, look for the setting called Automatic forwarding.

By default, this may be set to Automatic system controlled. This means Microsoft decides whether automatic forwarding is allowed based on the current security defaults and policy behaviour. In many cases, this results in external forwarding being blocked.

To allow forwarding, change the setting to:

On, forwarding is enabled

Then click Save.

Once saved, Microsoft Defender should allow automatic forwarding from mailboxes to external email addresses, depending on the rest of your configuration.

This is the key change. If you were receiving the access denied message, this is usually the setting that fixes it.

HOW_TO_ENABLE_MICROSOFT_EXCHANGE_FORWARDING_TO_AN_-0-01-31.png

After saving, you should see that forwarding is enabled in the policy. It may take a little while for the setting to fully apply across Microsoft 365, so if it does not work instantly, give it a few minutes and test again.

Step 6, Confirm The Mailbox Forwarding Setting

Enabling the Defender policy allows external forwarding, but you still need to make sure the mailbox itself is configured to forward messages.

For a shared mailbox or user mailbox, you can usually check this in the Exchange admin centre. Go to the mailbox, open the mail flow or forwarding settings, then confirm that the external forwarding address is correct.

Depending on your setup, you may have one of these configurations:

  • Forward all messages to another email address
  • Forward messages and keep a copy in the original mailbox
  • Use an inbox rule to forward or redirect messages
  • Use a mail flow rule to send copies to another address

If you want to keep a record inside Microsoft 365, make sure you choose the option to keep a copy in the mailbox. This can be useful for auditing, troubleshooting, and general business continuity.

If you do not keep a copy, emails may leave the mailbox and only exist in the external destination. That might be fine for some workflows, but it is not always ideal.

Step 7, Send A Test Email

Once the policy is enabled and the mailbox forwarding address is configured, send a test email to the mailbox.

For example, if you are forwarding a shared mailbox called support at yourdomain dot com, send a message to that address from another account. Then check whether the email arrives at the external forwarding address.

If you selected the option to keep a copy, also check the original mailbox and confirm that the message is still there.

If the test works, you are done. If the test does not work, wait a little longer and try again. Microsoft 365 settings sometimes need time to apply.

A clean instructional graphic showing an email message flowing from a Microsoft Exchange mailbox to an external inbox, with blue arrows, white background, subtle grey lines, professional technology blog aesthetic, simple and trustworthy.

What To Do If It Still Does Not Work

If you changed the outbound anti spam policy but forwarding still fails, there are a few things to check.

Check That The Policy Saved Correctly

Go back to the Microsoft Defender portal and open the outbound anti spam policy again. Confirm that automatic forwarding still shows as On, forwarding is enabled. If it reverted or was not saved, change it again and save.

Check For Custom Policies

If your organisation has custom outbound spam policies, one of those policies may apply before the default policy. Microsoft 365 policies can have priority order, and a custom policy may override the behaviour for certain users or groups.

If that is the case, you may need to update the specific policy that applies to the mailbox rather than the default policy.

Check The Forwarding Address

Make sure the external email address is correct. A simple spelling mistake can make it look like forwarding is broken when the real problem is an incorrect destination.

Also check whether the receiving mailbox has its own filtering rules. Sometimes the forwarded message is delivered, but it lands in junk mail or quarantine on the external side.

Check Exchange Mail Flow Rules

Your organisation may have mail flow rules that block forwarding or redirecting to external recipients. If you have rules in Exchange admin centre that restrict certain types of outbound mail, check whether one of those rules is affecting the forwarded message.

Check Message Trace

Message trace is very useful for troubleshooting. In the Exchange admin centre, you can run a message trace to see what happened to the email. It can show whether the message was delivered, blocked, failed, or redirected.

If you see a policy related failure, that can point you back to Defender or mail flow rules. If you see delivery to the external address, then the issue may be on the receiving side.

Should You Enable External Forwarding For Everyone?

This depends on your organisation.

For a small business, enabling forwarding globally may be acceptable if you understand the risk and monitor your mailboxes. For a larger business, it is usually better to limit forwarding to specific mailboxes that actually need it.

A more controlled approach is to create a custom outbound spam policy that only applies to selected users, shared mailboxes, or groups. That way, you can allow forwarding for a support mailbox while still blocking unexpected forwarding from normal staff mailboxes.

This is a better security practice because it reduces the chance of an attacker setting up forwarding on a compromised account. If only selected accounts are allowed to forward externally, there is less exposure across the organisation.

Good Security Habits When Using External Forwarding

If you enable external forwarding, it is worth adding a few basic security checks to your routine.

  • Review forwarding rules regularly
  • Keep multi factor authentication enabled for all admin accounts
  • Use strong passwords and conditional access where possible
  • Check sign in logs for unusual activity
  • Monitor mail flow for unexpected forwarding patterns
  • Keep a list of approved external forwarding addresses

These simple steps can help you use forwarding without leaving the door open to unnecessary risk.

One practical habit is to review mailbox rules whenever someone leaves the business or changes role. Old forwarding rules can easily be forgotten, especially in shared mailboxes that have been used for years.

Shared Mailbox Forwarding Tips

Shared mailboxes are commonly used for business addresses like admin, sales, support, bookings, and accounts. They are useful because multiple people can access the same mailbox without needing a separate licensed user in many scenarios.

When forwarding a shared mailbox externally, think about the purpose of the mailbox. If it receives customer enquiries, forwarding to an external CRM or help desk might make sense. If it receives invoices or sensitive documents, you may want to keep a copy in Microsoft 365 as well.

Also consider whether forwarding is the best long term option. Sometimes it is better to add users to the shared mailbox, connect the mailbox directly to another platform, or use a proper integration. Forwarding is simple and quick, but it is not always the most robust workflow.

Automatic Forwarding Versus Redirecting

There is a small but important difference between forwarding and redirecting.

Forwarding usually sends the message on from the mailbox, and the forwarded email may show that it came through the original mailbox. Redirecting tries to send the message to another recipient while preserving more of the original sender information.

In practice, both can be affected by external forwarding restrictions. If Microsoft 365 sees the action as automatic forwarding to an outside recipient, the outbound anti spam policy can block it.

If you are using inbox rules and still receiving the access denied error, the same Defender setting may still be the fix.

Why This Setting Is In Microsoft Defender

At first, it may feel strange that a forwarding issue is fixed in Microsoft Defender rather than only in Exchange admin centre. But when you think about it from Microsoft security perspective, it makes sense.

Exchange controls the mailbox and mail flow settings. Defender controls protection against threats, spam, phishing, and risky outbound behaviour. External forwarding sits across both areas because it is both a mail flow action and a security concern.

That is why the solution involves Microsoft Defender. You are not just telling the mailbox where to send mail. You are telling Microsoft 365 that your organisation policy allows automatic forwarding outside the tenant.

Quick Summary Of The Steps

Here is the short version of the process:

  1. Go to security.microsoft.com
  2. Sign in with your Microsoft 365 administrator account
  3. Click Show navigation if the menu is hidden
  4. Go to Email and collaboration
  5. Open Policies and rules
  6. Select Threat policies
  7. Open Anti spam
  8. Click Anti spam outbound policy
  9. Change Automatic forwarding to On, forwarding is enabled
  10. Save the policy
  11. Test forwarding from the mailbox to the external email address

If you are seeing the message that your organisation does not allow external forwarding, the fix is usually not inside the mailbox itself. The setting you need is in Microsoft Defender under the outbound anti spam policy.

Once you change automatic forwarding from system controlled to enabled, your Exchange mailbox or shared mailbox should be able to forward emails to an external email address.

Just remember that this is a security related setting. Use it carefully, test it properly, and review forwarding rules from time to time. For small business workflows, it can be a very practical solution. For larger environments, consider limiting it to specific mailboxes rather than enabling it broadly across the whole organisation.

Hopefully this guide helps you get your Microsoft Exchange forwarding working again without wasting time digging through the wrong admin screens.

Infographic

Subscribe to my newsletter where I will share my journey in affiliate marketing, business, technology, fitness and life in general. Hopefully, this motivates you to also change your journey in life.

This field is required.

Subscribe to my newsletter where I will share my journey in affiliate marketing, business, technology, fitness and life in general. Hopefully, this motivates you to also change your journey in life.

This field is required.

If this article helped you in any way and you want to show your appreciation, I am more than happy to receive donations through PayPal. This will help me maintain and improve this website so I can help more people out there. Thank you for your help.

HELP OTHERS AND SHARE THIS ARTICLE


0Shares

LEAVE A COMMENT


Other articles you may find interesting

TESTING MEDICAL LLMS IN OPENWEBUI IS LOCAL AI GOOD header
TESTING MEDICAL LLMS IN OPENWEBUI: IS LOCAL AI GOOD ENOUGH ON AZURE?

Running local AI models has become a lot more practical than
THESE REUSABLE CABLE TIES ARE A GAME CHANGER FOR O header
THESE REUSABLE CABLE TIES ARE A GAME-CHANGER FOR ORGANISING CABLES

This was one of those simple little products that immediate
UNBOXING AND TESTING THE TOOCKI USB C RIGHT ANGLE header
UNBOXING AND TESTING THE TOOCKI USB-C RIGHT ANGLE 1.2M CABLE

There is something quite satisfying about testing a simple

HOW TO CHANGE THE MAX SELL POWER TO LESS THAN 500W header
HOW TO CHANGE THE MAX SELL POWER TO LESS THAN 500W ON THE DEYE INVERTER

If you are using a DEYE hybrid inverter and you have opened

HOW TO FIX DEGRADING RUBBER THATS GONE STICKY header
HOW TO FIX DEGRADING RUBBER THAT’S GONE STICKY

If you have ever opened a drawer, found an old gadget, tool,
THIS IS THE ONLY TOOL YOU NEED FOR REMOTE SUPPORT header
THIS IS THE ONLY TOOL YOU NEED FOR REMOTE SUPPORT – GETSCREEN.ME

Remote support tools are one of those things that seem simp