Fix Your Organization does not allow External Forwarding

You try to send someone an email, but instead, you get an error that Your email couldn’t be forwarded. If you look at the error message you will see the error “Your organization does not allow external forwarding”.

This indicates that the recipient has enabled email forwarding for their account, but that their organization doesn’t allow it. As a sender you can’t do anything about it, but what if you are the person who enabled the email forwarding?

In this article, we are going to take a look at how to solve the error Your organization does not allow external forwarding in Microsoft 365.

How to Allow External Forwarding in Office 365

External email forwarding is disabled by default in Microsoft 365. Internal email forwarding is allowed, however. External forwarding is disabled for security reasons: when attackers gain access to a user’s mailbox, they might forward all emails to their own account so they can impersonate the victim.

To allow external forwarding, we will need to change an Anti-Spam policy in Microsoft 365 Defender. We can enable it for all users, or create a new policy to only allow it for specific users. I recommend only allowing it for specific users, but I will show both options below:

Allow External Email Forwarding for all Users

Time needed: 5 minutes

Make sure that you have admin permission in Microsoft 365 before you proceed.

  1. Open Microsoft 365 Defender

    The anti-spam policies are located in Microsoft 365 Defender.

  2. Open the Anti-Spam outbound Policy

    In Microsoft 365 Defender, open Policies & Rules (under Email & collaboration), select Threat Policies > Anti-spam policies, and open the Anti-spam outbound policy (Default)

  3. Edit the policy

    Click on Edit Protection Settings

  4. Enable Forwarding

    Under Automatic forwarding rules, select On – Forwarding is enabled

  5. Save and Close the Policy

    Click on Save and close the policy rule. Forwarding to external email addresses should now be enabled.

Enable External Forwarding for Specific Users

Instead of allowing external forwarding for all users, it’s better to only allow it for specific users. This way you stay in control of which emails are being forwarded to an external system, before everybody starts forwarding their company mail to their private mailbox.

To do this, we are going to create a new Anti-Spam policy in Microsoft 365 Defender.

  1. Open Microsoft 365 Defender
  2. Navigate to Policies & Rules > Threat policies > Anti-Spam (the link above will take you straight to the Anti-spam policies page)
  3. Click on Create Policy and select Outbound
  4. Enter a meaningful name for the policy and click Next
  5. In Users, groups, and domains, select the users that you want to allow external forwarding for
  6. On the Outbound Protection Setting page, scroll down a bit and change the Automatic forwarding rules to On – Forwarding is enabled
  7. Review the settings and click on Create to save the new policy

The new policy will be listed in the overview with the Anti-spam policies.
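
The same per-user policy can also be created with Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, and the policy name and mailbox addresses are placeholders.

```powershell
# Added example: scoped outbound anti-spam policy that allows external forwarding.
# The policy name and the addresses in $allowed are placeholders (assumptions).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = 'Allow external forwarding - approved users'
$allowed    = @('user1@contoso.com', 'user2@contoso.com')

# Record the current state first. The default outbound policy is left untouched,
# so everyone not named in $allowed keeps the tenant default.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-HostedOutboundSpamFilterPolicy | Where-Object Name -eq $policyName)) {
    New-HostedOutboundSpamFilterPolicy -Name $policyName -AutoForwardingMode On
}

# A custom policy has no effect until a rule scopes it to senders.
if (Get-HostedOutboundSpamFilterRule | Where-Object Name -eq $policyName) {
    # Rule exists: replace the sender list with the approved one.
    Set-HostedOutboundSpamFilterRule -Identity $policyName -From $allowed
}
else {
    New-HostedOutboundSpamFilterRule -Name $policyName `
        -HostedOutboundSpamFilterPolicy $policyName `
        -From $allowed
}

# Verify who the policy applies to and that the rule is enabled.
Get-HostedOutboundSpamFilterRule -Identity $policyName |
    Select-Object Name, State, Priority, From
```

Keeping the approved senders in one variable makes the list easy to review, and re-running the script after removing an address takes that user out of the policy again.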

Overview of Forwarded Emails

Keeping track of emails that are being forwarded to external addresses is important to protect your organization against potential data leaks. We could use PowerShell to export all the data out of Exchange Online, but the Exchange Admin Center already comes with a built-in report for that.

  1. Open the Exchange Admin Center (this is a direct link to the auto-forwarded report)
  2. Export Reports and click on Mail Flow
  3. Open the Auto forwarded messages report

The report will give you an overview of all mailboxes that are being forwarded and to which address. You can also add a card with an overview in the Exchange admin center dashboard (home) with all forwarded email activity.
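
For the PowerShell route mentioned above, the following added example (not from the original article) lists forwarding that is configured on mailboxes, both the mailbox-level forwarding address and inbox rules, and flags targets outside the tenant's accepted domains. It assumes an existing `Connect-ExchangeOnline` session; the CSV path is a placeholder, and admin-set forwarding to a recipient object (`ForwardingAddress`) is not resolved here.

```powershell
# Added example: inventory of configured forwarding with external targets flagged.
# Assumes an existing Connect-ExchangeOnline session; the output path is a placeholder.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }

function Test-IsExternal {
    param([string]$SmtpAddress)
    # External means the domain part is not one of the tenant's accepted domains.
    $domain = ($SmtpAddress -split '@')[-1].Trim().ToLower()
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding; the value is stored as smtp:user@domain.
    if ($mbx.ForwardingSmtpAddress) {
        $target = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Source   = 'ForwardingSmtpAddress'
            Target   = $target
            External = Test-IsExternal $target
        }
    }

    # Inbox rules that forward or redirect mail.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $actions = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($entry in $actions | Where-Object { $_ }) {
            # SMTP recipients are rendered as "Name" [SMTP:user@domain].
            if ($entry -match '\[SMTP:([^\]]+)\]') {
                [pscustomobject]@{
                    Mailbox  = $mbx.PrimarySmtpAddress
                    Source   = "InboxRule: $($rule.Name)"
                    Target   = $Matches[1]
                    External = Test-IsExternal $Matches[1]
                }
            }
        }
    }
}

# Keep only external targets and write them out for review.
$findings | Where-Object External | Sort-Object Mailbox |
    Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
```

Comparing this list with the senders named in the scoped outbound policy shows which mailboxes have forwarding configured without being approved for it.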

Another good place to keep track of these kinds of alerts is in the Microsoft 365 Defender portal. Here you can also view an overview of all incidents and alerts in your tenant. The advantage of the Defender portal is that it’s not only limited to Exchange, but it will show you all security and data-related alerts in your tenant.

You can find the overview in Microsoft 365 Defender > Incidents & Alerts > Alerts

Wrapping Up

External forwarding is disabled by default for a good reason. So when you want to solve the error “your organization does not allow external forwarding”, then only allow it for users who really need it. Don’t change the policy so that everyone can forward their email to an external email address.

I hope you found this article helpful, if you have any questions, just drop a comment below.

2 thoughts on “Fix Your Organization does not allow External Forwarding”

  1. Hi Ruud, Great Article!

    Is there any way this can be locked down any further so mail can only be forwarded to specific addresses, rather than giving one mailbox the ability to forward to anywhere?
