Our organization cannot send email. 550 5.1.8 bad outbound sender. Admin unavailable.

Hi @Estimating, 

I’m really sorry for the trouble this issue has caused, and I appreciate you reaching out. I understand how important outbound email is for your business. 

Based on the symptoms, your mailbox is being blocked with the error “550 5.1.8 - Access denied, bad outbound sender,” which occurs when Microsoft 365 temporarily restricts outbound sending due to suspected spam or sending‑limit violations. When this happens, the account is placed in the Restricted entities list in the Microsoft 365 Defender portal, and only an admin can remove it.  

Normally, the fix is simple: an admin signs in, goes to Email & Collaboration > Review > Restricted entities, selects the blocked user, and unblocks them. Outbound sending usually resumes within about an hour. 

However, since your organization has only one admin and that account is currently unavailable due to MFA and the admin being out for surgery no one can log in to perform the unblock. Given the business impact and lack of admin access, the best next step is to contact Microsoft’s Data Protection team. They have the tools and authority to verify tenant ownership and help restore admin access when no admin can sign in.  

Once you reach support, a live agent will call you, run verification, and if successful, assist in either restoring admin access or directly resolving the Restricted entities block. 

To help Microsoft verify your tenant smoothly, please have your company’s legal name, primary Microsoft 365 domain, an alternate email and phone number for PIN verification, recent billing details, the affected user’s email with a sample bounce message, and proof of domain ownership ready. 

To move toward a resolution, I suggest the following steps: 

Option 1 - Contact Microsoft Data Protection Support by phone 

• You can try reaching out to our Global Customer Service phone to raise a request for resetting your tenant admin account method here: Customer service phone numbers - Microsoft Support.  

Please note that forum moderators do not have access to user account settings and cannot assist with logging in, resetting passwords, or changing access rights. While we do not have access to internal systems or administrative tools required to resolve account-specific or backend-related issues but we’ll continue doing our best to support you within the scope of our responsibilities.       

Here are some tips and an example of a prompt to help you navigate the IVR more effectively:        

IVR: What kind of problem are you concerned about?   You: Authenticator.    

A: What products do you use?   You: Office 365 for business. 

Verification: Education or company account?   You: For companies 

IVR: Are you an administrator?    You: Yes. 

IVR: Are there any other administrators in your organization?    You: No. 

IVR: Do you need a... Service request?    You: Yes. I need to create a ticket. Please send me directly to the Data Protection Team. 

+ If you cannot reach a live agent, there is still a workaround, you might consider registering for a new tenant by signing up for a trial subscription and submit your request from there.      

To set up a new tenant, please follow these steps below: 

Visit Microsoft 365 Business Plans and Pricing | Microsoft 365. This would allow you to create a new tenant following the prompts provided. Once set up, you can access the admin console of the new tenant and submit a support ticket requesting to speak with the Data Protection team on behalf of your previous tenant.       

Follow the guided setup process to create a new account for a new tenant.   

Once your tenant is created, you should be able to access the support portal and submit your ticket referencing your locked account without further issues 

In your ticket description, you'll need to clearly explain that you're trying to regain access to your previous Microsoft 365 tenant and need help from the Data Protection team. Here's a message you can use or adapt:   

"Hello, I am currently unable to access our Microsoft 365 admin account because the only global admin is unavailable and their multi‑factor authentication (MFA) device cannot be used at this time. Since no other admin exists in our tenant, we are unable to receive the required MFA verification code, which prevents us from signing in and managing our Microsoft 365 environment. 

Although the account credentials are still valid, the sign‑in process cannot be completed without MFA approval, so our organization is effectively locked out of the admin portal. As a result, we cannot unblock our users from the Restricted entities list, and outbound email is currently being blocked, which is impacting our business operations. 

We kindly request assistance with resetting or updating the admin account’s MFA method so that we can regain access to the tenant. This is an urgent matter, and we are ready to provide any information necessary to verify ownership of the tenant and complete the recovery process."   

Ticket Support: In the Microsoft 365 Admin Center > Support > Help & Support. You can raise support ticket at https://admin.microsoft.com/#/support/requests     

Please remember to cancel the trial subscription after your issue is resolved, as this will help you avoid any accidental billing. You may prefer the following resource for detailed instructions: Cancel your Microsoft business subscription in the Microsoft 365 admin center | Microsoft Learn 

Additionally, in case your tenant was purchased through a CSP/partner, they may be able to assist more quickly through Delegated Admin access, so please contact them for further assistance. 

I hope this helps you regain access to your account quickly. I'm glad to assist and truly hope the information provided has been useful. Please feel free to reach out anytime if you need further assistance.  

If you find my post helpful, kindly consider marking it as the accepted answer. Doing so can assist others in the community who may have similar questions in finding solutions more quickly.  

Thank you for your kindness and contributions to the forum.  

If you have any extra questions about this answer, please click "Comment".   

Note: Follow the steps in our documentation to enable email notifications if you want to receive email notifications related to this topic.  

The error 550 5.1.8 “Access denied, bad outbound sender” means the sending account has been blocked for outbound spam after exceeding Exchange Online sending limits. Only an email administrator can remove this block.

Because the only admin is unavailable and protected by MFA, the practical options are:

1. Confirm the account is not compromised

• Ask the affected user(s) to review recent Sent Items and mailbox rules/forwarding to ensure the account has not been sending spam or was not hacked.
• If anything looks suspicious, treat the account as compromised and do not attempt to reuse it until an admin can secure it.

2. When an admin is available again: unblock the account The admin will need to:

1. Secure the account if compromised:
   • Follow the guidance in “Secure a compromised email account in Exchange Online” to reset password, sign out sessions, and review rules/connectors.
2. Remove the outbound block:
   • Go to the Microsoft 365 Defender portal → Restricted entities page (https://security.microsoft.com/restrictedusers).
   • Unblock the affected user account.
   • Restrictions are usually removed within about one hour after unblocking so the user can send mail again.

3. If the issue is with a device/app using SMTP If a printer, scanner, or LOB app is sending mail and shows 550 5.1.8 Bad outbound sender, that mailbox is also on the spam blocklist. It must be unblocked the same way via the Restricted entities page.
4. If no admin can sign in at all If no one with admin rights can currently access the tenant (for example, because of MFA issues), the organization must work with Microsoft Support/Data Protection to restore admin access first. Once an admin can sign in, they can perform the unblock steps above.

Until an admin can act, outbound mail from the blocked account(s) cannot be restored.

References:

• NDR error code "550 5.1.8 Access denied, bad outbound sender"
• Fix issues with printers, scanners, and LOB apps that send email using Microsoft 365