Error 550 5.7.705 access denied, tenant has exceeded threshold
Solved Email & Outlook
AJ
Andrew Jackson
May 18, 2021
2 replies
8,240 views
Reviewed by moderators

Our Office 365 tenant started bouncing outbound mail with 550 5.7.705 access denied, tenant has exceeded threshold for sending. What threshold and how do we recover?

This is affecting business mail going out.

Accepted Answer
Verified by Edwin J. Hoffer, Email Systems Specialist ยท Reviewed May 2021

This is Microsoft 365's outbound spam protection triggering, the tenant hitting a sending limit that Microsoft enforces and the recovery is both immediate relief and finding why the limit was hit, since it is usually a symptom of a compromised account or a runaway process:

What the threshold is: Microsoft 365 limits how much mail a tenant can send in a period, and exceeding it, whether by legitimate bulk sending or, far more commonly, a compromised account or misconfigured application blasting mail, trips this block to protect Microsoft's sending reputation and other tenants. The 5.7.705 specifically is the tenant level threshold, a stronger signal than a single mailbox limit, meaning the tenant as a whole sent too much.

The urgent investigation, because the cause matters more than the symptom: check whether an account is compromised, since a hijacked mailbox sending spam is the most common reason a tenant suddenly exceeds its threshold. Review the message trace and the mail flow reports in the admin center for a mailbox sending unusual volume, check for suspicious sign ins and if found, that account is the cause, secured immediately by resetting its password, revoking sessions and enabling MFA. A restricted user entry in the admin center often already flags the offending mailbox that Microsoft blocked from sending.

The recovery steps: for a flagged restricted user, once the underlying compromise or misconfiguration is fixed, the Microsoft 365 admin center's restricted users area lets you remove the sending restriction, or it lifts automatically after Microsoft's assessment period once the abnormal sending stops. For a genuine legitimate bulk need that hit the limit, the answer is proper bulk sending infrastructure rather than the tenant's transactional mail path, since 365 is not built for mass sending and will keep blocking it.

The order that fixes it properly: find and stop the cause, a compromised account secured or a runaway application halted, before or alongside lifting the restriction, since removing the restriction while the cause continues just trips it again and risks the tenant's broader sending reputation. The 5.7.705 is Microsoft protecting everyone including you from your tenant's abnormal sending, so treating the cause, almost always a compromised mailbox, is the real fix rather than just clearing the block.

Message trace showed one mailbox blasting thousands of spam messages, clearly compromised. Reset its password, revoked sessions, enabled MFA and it appeared in restricted users which I cleared once secured. Outbound mail recovered. The find the cause before lifting the block order was exactly right, clearing it first would have just let the spam resume.