If you have previously, or recently, added a forward to an external address on one of your 365 hosted mailboxes you may receive an NDR in the forwarding mailbox along the lines of ‘550 5.7.520 Access Denied. Your organization does not allow external forwarding’. The primary reason for this is a change introduced – quite rightly I’d suggest – by Micrsosoft to their outbound mail policy primarily to try and prevent malicious 3rd parties from forwarding a compromised user’s mailbox to an external address, usually without the knowledge of the user.
You can re-enable the option of forwarding either for the entire tenant, or specific users/groups as required:
Login to 365 Admin Center
Go to the Security Admin Center
Expand the Email & collaboration heading
Select Policies & rules
Select Threat policies
Select Anti-spam
To enable forwarding for any mailbox in the tenant:
Select Anti-spam outbound policy (Default)
Scroll to bottom of pop-out window and click Edit protection settings
Change Automatic forwarding rules to On – Forwarding is enabled
Click Save
To enable forwarding for individual user(s):
Click Create Policy | Outbound
Enter a suitable name, click Next
Add user(s) to the list, click Next
Change Automatic forwarding rules to On – Forwarding is enabled
Click Next
Click Create
Click Done
You’re all set! [NOTE: If this is the first customisation for the tenant, you may receive a prompt suggesting the organisation settings need to be updated. Click OK to continue, and then you must wait some indeterminate time (usually up to 1 hour) for some additional processing to complete, before you can finally create your new policy.]