The initial hurdle in our connection stemmed from security measures enforced by Outlook, particularly a default policy that blocked legacy authentication lacking Multi-Factor Authentication (MFA) support. To resolve this, we had to disable this policy for the targeted account ('BIK'). It's important to note that not all organisations have access to "Conditional Access," a feature requiring a specific license. In the absence of this access, organisations default to "Security Defaults," a preset set of security policies. However, if an organisation lacks access to Conditional Access by default, they are protected by Security Defaults, which cannot be customized for individual accounts. While these defaults can be turned on or off for the entire organization, doing so is generally discouraged. Through "Conditional Access," we can selectively disable specific policies for individual email IDs, providing a more personalised and secure approach compared to the broader actions offered by Security Defaults.

Please share the below link with the client and check whether the organisation is protected by “Security Defaults” or “Conditional access”. (Have to login and check using admin account. Admin account doesn’t have to the the account that is going to be connected)

https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView and click Properties.

​

If the organisation is protected by security defaults, we can see a message something like this.

If the organisation is protected by conditional access, we can see a message something like this.

Incase the organisation is protected by Conditional access we can move forward with next issue. If incase its protected by security defaults we have to check if organisation has access to conditional access. To check that please ask the client to click the below link (As a admin). https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PoliciesList

If they don’t have access to this feature they will see a message something like this. In this case we have to ask the client to check with their microsoft POC and get the required license for admin user to access the “Conditional access” feature.

In case if they have access to this page and they don’t have any policies they have to first disable the security default and import the following policies from templates.

After importing both the above policy templates they have to edit the Block legacy authentication policy by excluding the mail id which is about to be connected with Bik. Incase if the policies are already available check for a policy similar to Block legacy authentication and exclude the mail id which is about to be connected with bik.

Sample error messages for this issue.

"535 5.7.139 Authentication unsuccessful, the request did not meet the criteria to be authenticated successfully. Contact your administrator. [PN2PR01CA0103.INDPRD01.PROD.OUTLOOK.COM 2023-12-06T12:28:43.971Z 08DBF5399D073450]"

"535 5.7.139 Authentication unsuccessful, user is locked by your organization's security defaults policy. Contact your administrator. [PN3PR01CA0044.INDPRD01.PROD.OUTLOOK.COM 2023-11-20T12:32:32.644Z 08DBE94FB31F4A43]"

Sample error message for this issue.

"535 5.7.139 Authentication unsuccessful, SmtpClientAuthentication is disabled for the Tenant. Visit <https://aka.ms/smtp_auth_disabled> for more information. [PN2PR01CA0197.INDPRD01.PROD.OUTLOOK.COM 2023-12-07T05:37:43.623Z 08DBF622A7C7BC1B]"

Steps to fix this.

While setting up forwarding if the client sees any error similar to the below error. Please follow the link provided along with this.

https://jasoncoltrin.com/2021/12/20/how-to-fix-550-5-7-520-access-denied-your-organization-does-not-allow-external-forwarding/