Office 365 On Premise




Office 365 hybrid delegation (mailbox permissions that span cloud and on-premises mailboxes) requires a specific configuration both in the cloud and in the on-premises Active Directory Domain Services (AD DS) environment. If you synchronise your Office 365 tenant with your on-premises Active Directory, the Exchange attributes of synchronised users are mastered on-premises: you cannot edit them in the Office 365 admin portal, and must change them on-premises and let directory synchronisation carry the change to the cloud.


This topic helps you set up the connectors you need for the following two scenarios:

  • You have your own email servers (also called on-premises servers), and you subscribe to Exchange Online Protection (EOP) for email protection services.

  • You have (or intend to have) mailboxes in two places; some mailboxes in Microsoft 365 or Office 365, and some of your mailboxes are on your organization email servers (also called on-premises servers).

Note

Before you get started, make sure you check on your specific scenario in I have my own email servers.

How do Microsoft 365 or Office 365 connectors work with my on-premises email servers?

If you have EOP and your own email servers, or if some of your mailboxes are in Microsoft 365 or Office 365 and some are on your email servers, set up connectors to enable mail flow in both directions. You can enable mail flow between Microsoft 365 or Office 365 and any SMTP-based email server, such as Exchange or a third-party email server.

The diagram below shows how connectors in Microsoft 365 or Office 365 (including Exchange Online or EOP) work with your own email servers.

In this example, John and Bob are both employees at your company. John has a mailbox on an email server that you manage, and Bob has a mailbox in Office 365. John and Bob both exchange mail with Sun, a customer with an Internet email account:

  • When email is sent between John and Bob, connectors are needed.

  • When email is sent between John and Sun, connectors are needed. (All Internet email is delivered via Office 365.)

  • When email is sent between Bob and Sun, no connector is needed.

If you have your own email servers and Microsoft 365 or Office 365, you must set up connectors in Microsoft 365 or Office 365. Without connectors, email will not flow between Microsoft 365 or Office 365 and your organization's email servers.

How do connectors route mail between Microsoft 365 or Office 365 and my own email server?

You need two connectors to route email between Microsoft 365 or Office 365 and your email servers, as follows:

  • A connector from Microsoft 365 or Office 365 to your own email server

When you set up Microsoft 365 or Office 365 to accept all email on behalf of your organization, you will point your domain's MX (mail exchange) record to Microsoft 365 or Office 365. To prepare for this mail delivery scenario, you must set up an alternative server (called a 'smart host') so that Microsoft 365 or Office 365 can send email to your organization's email server (also called 'on-premises server'). To complete the scenario, you might need to configure your email server to accept messages delivered by Microsoft 365 or Office 365.

  • A connector from your own email server to Microsoft 365 or Office 365

When this connector is set up, Microsoft 365 or Office 365 accepts messages from your organization's email server and sends them to recipients on your behalf. The recipient could be a mailbox for your organization in Microsoft 365 or Office 365, or a recipient on the Internet. To complete this scenario, you'll also need to configure your email server to send email messages directly to Microsoft 365 or Office 365.

This connector enables Microsoft 365 or Office 365 to scan your email for spam and malware, and to enforce compliance requirements such as running data loss prevention policies. When your email server sends all email messages directly to Microsoft 365 or Office 365, your own IP addresses are shielded from being added to a spam block list.

Note

This scenario requires two connectors: one from Microsoft 365 or Office 365 to your mail servers, and one to manage mail flow in the opposite direction. Before you start, make sure you have all the information you need, and continue with the instructions until you have set up and validated both connectors.

Overview of the steps

Here is an overview of the steps:

  • Complete the prerequisites for your email server environment.

  • Part 1: Configure mail to flow from Microsoft 365 or Office 365 to your email server.

  • Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365.

Prerequisites for your on-premises email environment

Prepare your on-premises email server so that it's ready to connect with Microsoft 365 or Office 365. Follow these steps:

  1. Make sure that your on-premises email server is set up and capable of sending and receiving Internet (external) email.

  2. Check that your on-premises email server has Transport Layer Security (TLS) enabled, with a valid certification authority-signed (CA-signed) certificate. We recommend that the certificate subject name includes the domain name that matches the primary email server in your organization. Buy a CA-signed digital certificate that matches this description, if necessary.

  3. If you want to use certificates for secure communication between Microsoft 365 or Office 365 and your email server, update the connector your email server uses to receive mail. This connector must use the right certificate when Microsoft 365 or Office 365 attempts a connection with your server. If you're using Exchange, see Receive Connectors for more information. On the Edge Transport Server or Client Access Server (CAS), configure the default certificate for the Receive connector: update the TlsCertificateName parameter on the Set-ReceiveConnector cmdlet in the Exchange Management Shell. The value takes the fixed form <I>IssuerName<S>SubjectName, built from the certificate's issuer and subject distinguished names. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

  4. Make a note of the name or IP address of your external-facing email server. If you're using Exchange, this is the Fully Qualified Domain Name (FQDN) of your Edge Transport server or CAS that will receive email from Microsoft 365 or Office 365.

  5. Open TCP port 25 inbound on your firewall so that Microsoft 365 or Office 365 can connect to your email servers.

  6. Make sure that your firewall accepts connections from all of the published Microsoft 365 or Office 365 IP address ranges. See Exchange Online IP addresses and URLs for the published ranges. Once your MX record points to Microsoft 365 or Office 365 (Part 1, step 3), those ranges are the only legitimate Internet source of inbound SMTP connections, so limit the port 25 rule to them rather than leaving it open to the whole Internet. The ranges change over time, so review the published list periodically.

  7. Make a note of an email address for each domain in your organization. You'll need this later to test that your connector is working properly.
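The certificate step above (step 3) is the one most often done by hand, and by hand the TlsCertificateName string is easy to mistype. The following is an added example, not code from the original article: it selects the CA-signed certificate on the on-premises Exchange server, builds the <I>Issuer<S>Subject value from the certificate object, applies it to the Internet-facing Receive connector and reads the result back. The server name EX01, the certificate subject mail.contoso.com and the connector name "Default Frontend EX01" are hypothetical values; run it in the on-premises Exchange Management Shell.

```powershell
# Added example (not from the original article): bind the CA-signed certificate
# to the Receive connector that Microsoft 365 will connect to, so the TLS
# session it opens is offered a certificate matching your external FQDN.
# Run in the on-premises Exchange Management Shell.
# Hypothetical values: server EX01, certificate subject mail.contoso.com,
# Internet-facing connector "Default Frontend EX01".

$ServerName    = 'EX01'
$ExternalFqdn  = 'mail.contoso.com'
$ConnectorName = "Default Frontend $ServerName"

# Select exactly one certificate: CA-signed, currently valid, covering the
# external name, and already enabled for the SMTP service. Refuse to guess
# if zero or several match.
$cert = @(Get-ExchangeCertificate -Server $ServerName | Where-Object {
    -not $_.IsSelfSigned -and
    $_.Status -eq 'Valid' -and
    $_.NotAfter -gt (Get-Date) -and
    $_.CertificateDomains -contains $ExternalFqdn -and
    $_.Services -match 'SMTP'
})
if ($cert.Count -ne 1) {
    throw "Expected one usable certificate for $ExternalFqdn, found $($cert.Count)"
}
$cert = $cert[0]

# TlsCertificateName has the fixed form "<I>Issuer<S>Subject". Building it from
# the certificate object avoids transcription errors in the distinguished names.
$tlsCertificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

Set-ReceiveConnector -Identity "$ServerName\$ConnectorName" -TlsCertificateName $tlsCertificateName

# Read it back. The connector's Fqdn is what the server announces in its SMTP
# banner; it should be covered by the certificate, otherwise Microsoft 365's
# check of your server's certificate name fails.
Get-ReceiveConnector -Identity "$ServerName\$ConnectorName" |
    Format-List Identity, Fqdn, TlsCertificateName, RequireTLS, AuthMechanism
```

The filter on Services deliberately requires SMTP to be enabled on the certificate already; if it is not, enable it with Enable-ExchangeCertificate -Services SMTP before binding it, otherwise Exchange falls back to its self-signed certificate for the session.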

Part 1: Configure mail to flow from Microsoft 365 or Office 365 to your on-premises email server

There are three steps for this:

  1. Configure your Microsoft 365 or Office 365 environment.

  2. Set up a connector from Microsoft 365 or Office 365 to your email server.

  3. Change your MX record to redirect your mail flow from the Internet to Microsoft 365 or Office 365.

1. Configure your Microsoft 365 or Office 365 environment

Make sure you have completed the following in Microsoft 365 or Office 365:

  1. To set up connectors, you need permissions assigned before you can begin. To check what permissions you need, see the Microsoft 365 and Office 365 connectors entry in the Feature permissions in EOP topic.

  2. If you want EOP or Exchange Online to relay email from your email servers to the Internet, either:

    • Use a certificate configured with a subject name that matches an accepted domain in Microsoft 365 or Office 365. We recommend that your certificate's common name or subject alternative name matches the primary SMTP domain for your organization. For details, see Prerequisites for your on-premises email environment.

    -OR-

    • Make sure that all your organization sender domains and subdomains are configured as accepted domains in Microsoft 365 or Office 365.

    For more information about defining accepted domains, see Manage accepted domains in Exchange Online and Enable mail flow for subdomains in Exchange Online.

  3. Decide whether you want to use mail flow rules (also known as transport rules) or domain names to deliver mail from Microsoft 365 or Office 365 to your email servers. Most businesses choose to deliver mail for all accepted domains. For more information, see Scenario: Conditional mail routing in Exchange Online.

Note

You can set up mail flow rules as described in Mail flow rule actions in Exchange Online. For example, you might want to use mail flow rules with connectors if your mail is currently directed via distribution lists to multiple sites.

2. Set up a connector from Microsoft 365 or Office 365 to your email server

To create a connector in Microsoft 365 or Office 365, click Admin, and then click Exchange to go to the Exchange admin center. Next, click mail flow, and click connectors.

If any connectors already exist for your organization, you can see them listed here.


Before you set up a new connector, check any connectors that are already listed here for your organization. For example, if you ran the Exchange Hybrid Configuration wizard, connectors that deliver mail between Microsoft 365 or Office 365 and Exchange Server are already set up and listed here. You don't need to set them up again, but you can edit them here if you need to. If you don't plan to use the Hybrid Configuration wizard, if you're running Exchange Server 2007 or earlier, or if you're running a non-Microsoft SMTP mail server, set up the connectors yourself using the connector wizard described below.

To start the wizard, click the plus symbol +. On the first screen, select Office 365 as the From location and Your organization's email server as the To location.

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more information. The wizard will guide you through setup. At the end, make sure your connector validates. If the connector does not validate, double-click the message displayed to get more information, and see Validate connectors for help resolving issues.

3. Change your MX record to redirect your mail flow from the Internet to Microsoft 365 or Office 365

To redirect email flow to Microsoft 365 or Office 365, change the MX (mail exchange) record for your domain. For instructions on how to do this, see Add MX record to route email.

Part 2: Configure mail to flow from your email server to Microsoft 365 or Office 365

There are two steps for this:

  1. Set up a connector from your email server to Microsoft 365 or Office 365.

  2. Set up your email server to relay mail to the Internet via Microsoft 365 or Office 365.

Once you have completed Part 2, see the instructions at the end to check that your configuration works.

1. Set up a connector from your email server to Microsoft 365 or Office 365

To create a connector in Microsoft 365 or Office 365, click Admin, and then click Exchange to go to the Exchange admin center. Next, click mail flow, and click connectors. If any connectors already exist for your organization, you can see them listed here.

To start the wizard, click the plus symbol +. On the first screen, select Your organization's email server as the From location and Office 365 as the To location.

Click Next, and follow the instructions in the wizard. Click the Help or Learn More links if you need more information. In particular, see Identifying email from your email server for help configuring certificate or IP address settings for this connector. Prefer identifying your server by the subject name of its certificate; if you must identify it by IP address, list only the exact public addresses your server sends from. Any host able to send from an address matched by this connector can inject mail that Microsoft 365 or Office 365 treats as coming from your organization's own server, so an over-broad range is a spoofing path. The wizard will guide you through setup. At the end, save your connector.

2. Set up your email server to relay mail to the Internet via Microsoft 365 or Office 365

Next, you must prepare your email server to send mail to Microsoft 365 or Office 365. This enables mail flow from your email servers to the Internet via Microsoft 365 or Office 365.

If your on-premises email environment is Microsoft Exchange, you create a Send connector that uses smart host routing to send messages to Microsoft 365 or Office 365. For more information, see Create a Send connector to route outbound email through a smart host.

To create the Send connector in Exchange Server, use the following syntax in the Exchange Management Shell. To learn how to open the Exchange Management Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

Note

In the following procedures, the CloudServicesMailEnabled parameter is available in Exchange 2013 or later.

This example creates a new Send Connector with the following properties:

  • Name: My company to Office 365

  • FQDN: mail.contoso.com

  • SmartHosts: contoso-com.mail.protection.outlook.com
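The New-SendConnector command itself did not survive on this page, so the following is an added example rather than the article's own command. It uses the three property values listed above and adds the routing and TLS parameters a practitioner should want: without RequireTLS and a TlsAuthLevel, Exchange delivers to whatever answers on the smart host name and silently falls back to plaintext if STARTTLS is not offered. The TlsDomain value mail.protection.outlook.com is the name Exchange Online Protection's certificate carries; treat the address space and TLS choices as the assumptions of this example. Run it in the on-premises Exchange Management Shell on Exchange 2013 or later.

```powershell
# Added example (not the article's own command): create the smart-host Send
# connector described above, using the three values the article lists and
# adding the TLS settings that make delivery to the smart host verifiable.
# Run in the on-premises Exchange Management Shell (Exchange 2013 or later,
# because of CloudServicesMailEnabled).

$params = @{
    Name                     = 'My company to Office 365'                 # from the article
    Fqdn                     = 'mail.contoso.com'                         # from the article
    SmartHosts               = 'contoso-com.mail.protection.outlook.com'  # from the article
    AddressSpaces            = '*'      # all Internet mail leaves via Microsoft 365
    DNSRoutingEnabled        = $false   # deliver to the smart host, not by MX lookup
    CloudServicesMailEnabled = $true    # preserve cross-premises headers (Exchange 2013+)
    RequireTLS               = $true    # refuse to send if TLS cannot be negotiated
    TlsAuthLevel             = 'DomainValidation'             # validate chain and name
    TlsDomain                = 'mail.protection.outlook.com'  # name the EOP certificate must carry
}
New-SendConnector @params

# Confirm the settings took effect.
Get-SendConnector -Identity $params.Name |
    Format-List Name, Enabled, AddressSpaces, SmartHosts, DNSRoutingEnabled, RequireTLS, TlsAuthLevel, TlsDomain, CloudServicesMailEnabled

# Check that TCP 25 to the smart host is reachable outbound from this server;
# a missing egress rule is the usual reason the connector queues instead of sending.
Test-NetConnection -ComputerName $params.SmartHosts -Port 25 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

Splatting the parameters keeps each setting next to its comment; a backtick-continued command cannot carry trailing comments, which is a common source of broken copy-and-paste here. DomainValidation was chosen over CertificateValidation because it also checks that the certificate name matches TlsDomain, not just that the chain is trusted.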

How do I know connectors will route my organization mail correctly?

If you have completed all of these steps correctly, all your mail will now be delivered via Microsoft 365 or Office 365.

To check that this is working:

  1. Send email from a mailbox on your email server to an external (Internet) recipient.

  2. Send email from an Internet mailbox to a mailbox on your email server.

Make sure both emails are received.
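Receiving both test messages shows that mail flows, not that it flows through Microsoft 365 or Office 365. The following added example (not part of the original article) checks the two facts that matter: that the domain's MX now points at Exchange Online Protection, and that both test messages appear in the Exchange Online message trace. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and the Windows DNS client cmdlets; contoso.com, john@contoso.com and sun@example.net are hypothetical, and the EOP host name pattern <domain-with-dashes>.mail.protection.outlook.com is the default form, which a tenant can differ from.

```powershell
# Added example (not part of the original article): after sending the two test
# messages above, confirm that both legs really transited Exchange Online
# Protection. Assumes an Exchange Online PowerShell session and Windows DNS
# client cmdlets. Domain and addresses are hypothetical.

$Domain          = 'contoso.com'
$OnPremMailbox   = 'john@contoso.com'   # mailbox on your own server
$InternetMailbox = 'sun@example.net'    # external test correspondent

# 1. MX must point at EOP. If it still points at the on-premises server,
#    Internet mail bypasses the connector and the filtering it provides.
#    Assumption: the tenant uses the default EOP MX host name pattern.
$eopHost = ($Domain -replace '\.', '-') + '.mail.protection.outlook.com'
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
      Where-Object { $_.Type -eq 'MX' } |
      Sort-Object Preference
foreach ($record in $mx) {
    $target = $record.NameExchange.TrimEnd('.')
    if ($target -ieq $eopHost) {
        Write-Host "MX ok: $target (preference $($record.Preference))"
    } else {
        Write-Warning "MX $target does not point at EOP; mail can bypass the connector"
    }
}

# 2. Both test messages must appear in the message trace: the on-premises
#    sender's outbound mail (Part 2) and the Internet sender's inbound mail (Part 1).
$end   = Get-Date
$start = $end.AddHours(-2)
$legs = @(
    @{ Name = 'on-premises -> Internet'; From = $OnPremMailbox;   To = $InternetMailbox }
    @{ Name = 'Internet -> on-premises'; From = $InternetMailbox; To = $OnPremMailbox }
)
foreach ($leg in $legs) {
    $trace = @(Get-MessageTrace -StartDate $start -EndDate $end `
                 -SenderAddress $leg.From -RecipientAddress $leg.To)
    if ($trace.Count -eq 0) {
        Write-Warning "$($leg.Name): nothing seen by EOP; check the connector and the MX or smart host"
        continue
    }
    # A Status other than Delivered (Pending, Failed, FilteredAsSpam, Quarantined)
    # points at a connector or filtering problem rather than a routing one.
    $trace | Sort-Object Received -Descending | Select-Object -First 1 |
        Format-Table @{ n = 'Leg'; e = { $leg.Name } }, Received, Status, FromIP, ToIP -AutoSize
}
```

For the inbound leg, FromIP should be an Internet address and ToIP your server; for the outbound leg, FromIP should be your server's public address. A FromIP you do not recognise on the outbound leg means something other than your server is relaying through the connector.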

Change a connector that Microsoft 365 or Office 365 is using for mail flow

To change settings for a connector, select the connector you want to edit, and then select the edit icon.

The connector wizard opens, and you can make changes to the existing connector settings. While you change the connector settings, Microsoft 365 or Office 365 continues to use the existing connector settings for mail flow. When you save changes to the connector, Microsoft 365 or Office 365 starts using the new settings.

What happens when I have multiple connectors for the same scenario?

Most customers don't need to set up connectors. For those that do, one connector per single mail flow direction is usually enough. But you can also create multiple connectors for a single mail flow direction, such as from Microsoft 365 or Office 365 to your email server (also called on-premises server).

When there are multiple connectors, the first step to resolving mail flow issues is to know which connector Microsoft 365 or Office 365 is using. Microsoft 365 or Office 365 uses the following order to choose a connector to apply to an email:

  1. Use a connector that exactly matches the recipient domain.

  2. Use a connector that applies to all accepted domains.

  3. Use wildcard pattern matching. For example, *.contoso.com would match mail.contoso.com as well as sales.contoso.com.

Note that the worked example below resolves sales.contoso.com to the wildcard connector rather than to the all-accepted-domains connector, following the "most specific connector wins" rule the example states. Rather than relying on either reading, design your connectors so that each recipient domain is matched by exactly one of them, and confirm which connector handled a message with a message trace before changing anything.

Example of how Microsoft 365 or Office 365 applies multiple connectors

In this example, your organization has four accepted domains, contoso.com, sales.contoso.com, fabrikam.com, and contoso.onmicrosoft.com. You have three connectors configured from Microsoft 365 or Office 365 to your organization's email server. For this example, these connectors are known as Connector 1, Connector 2, and Connector 3.

Connector 1 is configured for all accepted domains in your organization. On the connector wizard screen where you define which domains the connector applies to, the setting chosen is For email messages sent to all accepted domains in your organization.

Connector 2 is set up specifically for your company domain Contoso.com. On the same wizard screen, the setting chosen is Only when email messages are sent to these domains, and the domain Contoso.com is specified.

Connector 3 is also set up by using the option Only when email messages are sent to these domains. But, instead of the specific domain Contoso.com, the connector uses a wildcard: *.Contoso.com.

For each email sent from Microsoft 365 or Office 365 to mailboxes on your email server, Microsoft 365 or Office 365 selects the most specific connector possible. For email sent to:

  • john@fabrikam.com, Microsoft 365 or Office 365 selects Connector 1.

  • john@contoso.com, Microsoft 365 or Office 365 selects Connector 2.

  • john@sales.contoso.com, Microsoft 365 or Office 365 selects Connector 3.

Office 365 On Premise Licensing

So, let’s say you moved your organization to Office 365.

You’re tired of shelling out a ton of money every three years to buy the next version of Office. (Okay, more realistically every six years as you leap-frogged over a version.) So, you decide to switch to monthly subscriptions instead. Out with the old and in with the new!

However, you're not quite ready to give up your Exchange Server. And you're even less ready to give up that nice new Lync server you invested in last year, or that SharePoint server that has been serving you faithfully for the last five years. So you're really not interested in using the online versions of Exchange, Lync, and SharePoint that are included in many of the Office 365 bundles. You probably think to yourself, "Someday we might, but not now."

But does that mean you now need to keep paying for monthly Office 365 subscriptions and keep buying CALs for all your users whenever you do an upgrade or hire more employees?

With the advent of Office 365, things are shifting in the Microsoft world. In many ways, Microsoft is moving away from on-premise solutions (where you install their software on hardware you own) and is moving toward cloud solutions (where Microsoft installs their software on their own hardware and lets you access it remotely).

Fortunately, they seem to be bending over backwards to help bring their clients along the same path. For example, did you know that Microsoft is allowing certain Office 365 users to access on-premise instances of Exchange, Lync, and SharePoint without a User CAL?

This was first brought to my attention by one of our Mirazon engineers who was confused about what CALs and server licenses came with the E3 bundle of Office 365. I decided to set him straight so I firmly told him, “There are no on-prem server or CAL licenses that come with Office 365 E3” … and to some degree I was correct.

But what I didn’t know (and what this engineer brought to my attention) was that Microsoft includes certain on-premise use rights with some of the Office 365 bundles. I first read about it in this blog post on the Microsoft Volume Licensing Blog. The key statement in that post is this:

While the applicable application server CALs are not included in the Office 365 User subscription License, a CAL equivalency use right is included to access the on premises application server.

In other words, Office 365 doesn’t give you a CAL, but some of the Office 365 plans give you the same rights that you get from a CAL.

But I didn't stop there. The volume licensing blog team at Microsoft was a pretty high authority, but I also wanted more than just a blog post as my point of reference when recommending a solution to our clients. So, I went straight for the highest authority: the Microsoft Product Use Rights (PUR) document. The "PUR" may sound cute and cuddly, but it is dry reading. However, it is the final authority when you have a question about Microsoft licensing. And sure enough, there it was in black and white….

The PUR section that discusses the proper way to license Exchange Server (reproduced as a screenshot in the original post) shows that for a base CAL, you can either use an "Exchange Server 2013 Standard CAL" or you can use an "Office 365 Enterprise E1, E3 or E4 User SL [Subscription License]." And for the Additive CAL, you can either use an "Exchange Server 2013 Enterprise CAL" or you can use an "Office 365 Enterprise E3-E4 User SL."

So although it is correct to say that an Office 365 subscription does not provide you with an actual CAL, it is also correct to say that certain Office 365 subscriptions do provide you with the same rights as a CAL.

This is an important point for a company that is moving their users to Office 365. For example, if you hire new employees and you sign those employees up for an Office 365 bundle, then you don’t necessarily need to purchase Exchange CALs for them (or Lync CALs or SharePoint CALs). Just make sure you purchase one of the Office 365 bundles that includes the on-premise access rights. Depending on your size and situation, this could save you a significant amount of money.

However, please note that Office 365 by itself does not give you the right to install the server software and run it on premise. It only provides the user with the right to access the server software, so you will need to bring your own Exchange/Lync/SharePoint Server license to the table. Also, it does not give you the right to access the Windows Server or the SQL Server that may be sitting in the background providing functionality to that Exchange, Lync, or SharePoint server (see my previous post here about needing a SQL CAL for every SharePoint CAL you use). You will still need the appropriate Windows Server CALs and SQL Server CALs to be properly licensed. However, certain Office 365 subscriptions can get you part of the way there by providing access rights for Exchange, Lync, and SharePoint.

For full details on which Office 365 plans include these on-premise access rights, check out the latest PUR document.

Or you can check out the Microsoft blog post for a list of what the equivalents are (or at least what they were in October 2013).


And as always, Mirazon is here to help answer any of your Microsoft licensing questions. Just give us a call at 502-240-0404 or send us an email.