When you send an email in Outlook and receive a Non-Delivery Report with code 5.2.121 Sender Restricted, your account has been blocked from sending messages by your Exchange Online tenant. This restriction usually occurs because the account was compromised, violated anti-spam policies, or exceeded sending limits. This article explains why the 5.2.121 error appears and provides step-by-step instructions to lift the restriction in the Microsoft 365 admin center or Exchange admin center.
Key Takeaways: Lifting the 5.2.121 Sender Restriction in Exchange Online
- Exchange admin center > Recipients > Mailboxes > Restricted Users: Lists all sender-restricted accounts and allows you to unblock them in one click.
- Microsoft 365 admin center > Users > Active Users > Manage Contact: Alternative path to unblock a restricted sender without using Exchange admin tools.
- Set-MailUser -RestrictSenderOverride:$false (Exchange Online PowerShell): Command to lift the restriction programmatically for bulk or automated unblocking.
Why Exchange Online Returns the 5.2.121 Sender Restricted Error
The 5.2.121 NDR is generated by Exchange Online Protection when a user account is placed in a restricted sender state. This restriction is automatic and triggered by specific security events:
Account Compromise Detected
If Microsoft detects unusual login patterns or large volumes of outbound email from your account, it flags the account as potentially compromised. The system then restricts the sender to prevent further abuse.
Anti-Spam Policy Violations
Sending messages that exceed the outbound spam policy thresholds triggers a restriction. Exchange Online evaluates each message for spam score, and repeated high-score messages cause the sender to be blocked.
Sending Limits Exceeded
Exchange Online has default sending limits: 10,000 recipients per day for most tenants. If your account exceeds this limit, the system restricts further outbound mail until the restriction is manually lifted.
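The following added example (not from the original article or from Microsoft) tallies each sender's daily recipient volume from message trace rows and flags senders approaching the 10,000-recipient daily limit described above. The rows are constructed sample data. Assumptions: the property names SenderAddress, RecipientAddress and Received, the function name Get-SenderRecipientTally, the 80% warning ratio, and counting one recipient per trace row.

```powershell
# Added example: flag senders whose daily recipient volume approaches the
# 10,000-per-day limit quoted in the article. Not the article's own code.
function Get-SenderRecipientTally {
    param(
        [Parameter(Mandatory)] [object[]] $TraceRows,  # one row per message/recipient pair
        [int]    $DailyLimit = 10000,                  # limit quoted in the article
        [double] $WarnRatio  = 0.8                     # assumption: warn at 80% of the limit
    )
    $TraceRows |
        # Group by normalized sender address and UTC calendar day.
        Group-Object -Property {
            '{0}|{1:yyyy-MM-dd}' -f $_.SenderAddress.ToLowerInvariant(),
                                    ([datetime]$_.Received).ToUniversalTime()
        } |
        ForEach-Object {
            $addr, $day = $_.Name -split '\|', 2
            # Assumption: every trace row counts as one recipient toward the limit.
            $total    = $_.Count
            $distinct = @($_.Group.RecipientAddress |
                          ForEach-Object { $_.ToLowerInvariant() } |
                          Sort-Object -Unique).Count
            $status = if ($total -ge $DailyLimit) { 'OverLimit' }
                      elseif ($total -ge $DailyLimit * $WarnRatio) { 'NearLimit' }
                      else { 'OK' }
            [pscustomobject]@{
                Sender             = $addr
                Day                = $day
                RecipientRows      = $total
                DistinctRecipients = $distinct
                Status             = $status
            }
        } |
        Sort-Object -Property RecipientRows -Descending
}

# Constructed sample rows: one high-volume sender and one ordinary sender.
$start = [datetime]'2024-05-01T09:00:00Z'
$rows = @(
    1..8500 | ForEach-Object {
        [pscustomobject]@{ SenderAddress = 'bulk.user@example.com'
                           RecipientAddress = ('rcpt{0}@example.net' -f $_)
                           Received = $start.AddSeconds($_) }
    }
    [pscustomobject]@{ SenderAddress = 'normal.user@example.com'
                       RecipientAddress = 'a@example.org'; Received = $start }
    [pscustomobject]@{ SenderAddress = 'Normal.User@example.com'
                       RecipientAddress = 'A@example.org'; Received = $start.AddMinutes(5) }
)
Get-SenderRecipientTally -TraceRows $rows | Format-Table -AutoSize
```

A sender that shows NearLimit without a known bulk-mail reason is worth checking for compromise before any restriction is lifted.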
Steps to Lift the Sender Restriction in the Exchange Admin Center
Use the Exchange admin center to unblock a restricted sender. This method works for most Microsoft 365 business subscriptions.
- Open the Exchange admin center
  Go to https://admin.exchange.microsoft.com and sign in with a Global Admin or Exchange Admin account.
- Navigate to Restricted Users
  In the left menu, select Recipients then Mailboxes. Click the Restricted Users tab at the top of the mailboxes list.
- Select the restricted account
  Find the sender who received the 5.2.121 NDR. The account appears in the list with the status Restricted.
- Unblock the sender
  Click the account name to open the details panel. Select Unblock and confirm the action.
- Verify the restriction is lifted
  Wait 5 minutes for the change to propagate. Ask the user to send a test email to confirm the NDR no longer appears.
Steps to Lift the Restriction Using Microsoft 365 Admin Center
If you prefer the Microsoft 365 admin center, use this alternative method.
- Open the Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in with a Global Admin account.
- Go to Active Users
  Select Users then Active Users from the left navigation.
- Open the user details
  Click the restricted user's display name to open the details pane.
- Manage contact and unblock
  In the details pane, click Manage contact. Look for the section labeled Sending restrictions. Click Unblock sender and confirm.
- Test the fix
  Wait 5 to 10 minutes. Have the user send a message to an external address to verify the restriction is removed.
Steps to Lift the Restriction Using Exchange Online PowerShell
For administrators managing multiple restricted users or automating the unblock process, PowerShell provides a direct method.
- Connect to Exchange Online PowerShell
  Open Windows PowerShell as Administrator and run: Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
  Enter your admin credentials when prompted.
- Identify the restricted user
  Run: Get-MailUser -Identity user@yourdomain.com | fl RestrictSenderOverride
  If the value is $true, the account is restricted.
- Remove the restriction
  Run: Set-MailUser -Identity user@yourdomain.com -RestrictSenderOverride:$false
- Verify the change
  Run the Get-MailUser command again to confirm RestrictSenderOverride is now $false.
- Disconnect the session
  Run Disconnect-ExchangeOnline to close the remote session.
If the Restriction Returns or Other Issues Appear
Account Gets Restricted Again Immediately After Unblocking
If the account is re-restricted within minutes, the underlying compromise or policy violation has not been resolved. Change the user's password immediately, revoke any suspicious app permissions, and review the sign-in logs. Open Microsoft 365 Defender > Reports > Email & collaboration > Users reported as compromised to check for active threats.
User Cannot Send to External Recipients After Unblock
The 5.2.121 restriction only blocks outbound mail. If the user still cannot send externally, check if an outbound spam policy is still applied. Go to Exchange admin center > Mail flow > Connectors and verify no custom connectors are blocking external delivery. Also check if the user has an Exchange Online license assigned.
5.2.121 Error Persists After Unblocking
If the NDR continues after unblocking, the restriction may be cached in Exchange Online. Wait 30 minutes for full propagation. If the issue persists, run the PowerShell command again to confirm the restriction was removed. Contact Microsoft Support if the error remains after one hour.
Sender Restriction Methods Compared
| Item | Exchange Admin Center | PowerShell |
|---|---|---|
| Interface | Graphical web UI | Command line |
| Permissions required | Exchange Admin or Global Admin | Exchange Admin or Global Admin |
| Best for | Single user unblock | Bulk unblock or automation |
| Time to complete | 5 minutes | 2 minutes |
| Propagation delay | 5 to 10 minutes | 5 to 10 minutes |
The 5.2.121 Sender Restricted NDR indicates a security block that you can lift using the Exchange admin center, Microsoft 365 admin center, or Exchange Online PowerShell. After unblocking, immediately secure the account by changing the password and reviewing sign-in activity. For ongoing protection, enable multi-factor authentication and monitor outbound mail flow in the Exchange admin center.