
How to set up Forced TLS for O365 Exchange Online

Create these connectors in the Exchange admin center in Microsoft 365:

  • Outbound connector
  • Inbound connector

Step 1. Create outbound connector

To encrypt every email message that an Exchange Online (Microsoft 365) organization sends to the external mail server of the partner domain, the following requirements must be met:

  • The mail communication must use an encrypted connection (TLS)
  • Both the internal and the external mail server must support TLS
  • The internal mail server must identify itself using a trusted public certificate

To create an outbound connector in Exchange admin center, follow these steps:

  1. Sign in to Exchange admin center
  2. Click Mail flow > Connectors
  3. Click Add a connector
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, add a new outbound connector]
  1. Select Office 365
  2. Select Partner organization
  3. Click Next
[Screenshot: Connection from Office 365 to partner organization]
  1. Type the outbound connector Name
  2. Select Turn it on
  3. Click Next
[Screenshot: Outbound connector name]
  1. Select Only when email messages are sent to these domains
  2. Type the domain (alitajran.com)
  3. Click on + to add it
[Screenshot: Only when email messages are sent to these domains]
  1. Select Use the MX record associated with the partner’s domain
  2. Click Next
[Screenshot: Use the MX record associated with the partner's domain]
  1. Select Always use Transport Layer Security (TLS) to secure the connection (recommended)
  2. Select Issued by a trusted certificate authority (CA)
  3. Select Add the subject name or subject alternative name (SAN) matches this domain name
  4. Fill in the partner domain
  5. Click Next

Important: You must select Add the subject name or subject alternative name (SAN) matches this domain name. Type the domain name (mail.alitajran.com) that's included in the certificate, or use a wildcard domain name (*.alitajran.com).

[Screenshot: Always use Transport Layer Security (TLS) to secure the connection (recommended)]
  1. Type the email address of your partner domain
  2. Click on + to add it
  3. Click Validate
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, validate email of partner domain]
  1. Check that the Validation successful message appears in green
  2. Click Next
[Screenshot: Validation successful]
  1. A test email for connector validation is sent to the email address you provided
[Screenshot: Test email for connector validation]
  1. Click Create connector
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, review outbound connector]
  1. Click Done
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, outbound connector created]
  1. Check that the connector shows the status On
[Screenshot: Verify outbound connector status]

The outbound connector is added. In the next step, you will create an inbound connector.

Step 2. Create inbound connector

To encrypt every email message that the external mail server of the partner domain sends to the Exchange Online (Microsoft 365) organization, the following requirements must be met:

  • The mail communication must use an encrypted connection (TLS)
  • Both the internal and the external mail server must support TLS
  • The external mail server must identify itself using a trusted public certificate

To create an inbound connector in Exchange admin center, follow these steps:

  1. Click Add a connector
[Screenshot: Add a new inbound connector]
  1. Select Partner organization
  2. Click Next
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, connection from partner organization to Office 365]
  1. Type the inbound connector Name
  2. Select Turn it on
  3. Click Next
[Screenshot: Inbound connector name]
  1. Select By verifying that the sender domain matches one of the following domains
  2. Type the sender domain
  3. Click on the + to add it
  4. Click Next
[Screenshot: By verifying that the sender domain matches one of the following domains]
  1. Select Reject email messages if they aren’t sent over TLS
  2. Select And require that the subject name on the certificate that the partner uses to authenticate with Office 365 matches this domain name
  3. Fill in the partner domain
  4. Click Next

Important: You must select And require that the subject name on the certificate that the partner uses to authenticate with Office 365 matches this domain name. Type the domain name (mail.alitajran.com) that's included in the certificate, or use a wildcard domain name (*.alitajran.com).

[Screenshot: Reject email messages if they aren't sent over TLS]
  1. Click Create connector
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, review inbound connector]
  1. Click Done
[Screenshot: Inbound connector created]
  1. Check that the inbound connector shows the status On
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, verify inbound connector status]
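The same two Partner connectors can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, and it reuses the article's placeholder domain (alitajran.com) and certificate name (mail.alitajran.com). The connector names and the partner test address are made up for the example.

```powershell
# Added example: Step 1 and Step 2 of the article as Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, Exchange admin role.
Connect-ExchangeOnline

$partnerDomain = 'alitajran.com'        # the partner's email domain (article placeholder)
$certName      = 'mail.alitajran.com'   # subject/SAN on the partner's certificate, or '*.alitajran.com'

# Step 1 equivalent: outbound connector to the partner. TlsSettings DomainValidation
# = "Always use TLS" + "Issued by a trusted CA" + "subject/SAN matches this domain name".
New-OutboundConnector -Name 'Outbound to alitajran.com' `
    -ConnectorType Partner `
    -Enabled $true `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings DomainValidation `
    -TlsDomain $certName

# Equivalent of "Click Validate": sends the test message to the partner address.
# (recipient address is a made-up example value)
Validate-OutboundConnector -Identity 'Outbound to alitajran.com' -Recipients 'postmaster@alitajran.com'

# Step 2 equivalent: inbound connector from the partner. RequireTls rejects messages
# not sent over TLS; RestrictDomainsToCertificate + TlsSenderCertificateName enforce
# the certificate subject name check from the article's Important note.
New-InboundConnector -Name 'Inbound from alitajran.com' `
    -ConnectorType Partner `
    -Enabled $true `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $certName

# Verify both connectors are enabled (the "On" status in the admin center)
# and that the TLS settings were stored as intended.
Get-OutboundConnector -Identity 'Outbound to alitajran.com' |
    Format-List Name, Enabled, RecipientDomains, TlsSettings, TlsDomain
Get-InboundConnector -Identity 'Inbound from alitajran.com' |
    Format-List Name, Enabled, SenderDomains, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
```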
  1. Create a new email and send it from your partner organization to a mailbox in your domain
[Screenshot: Send email from partner organization to mailbox in your domain]
  1. The partner organization needs to open the mail
  2. Click File
[Screenshot: Message file]
  1. Click Info
  2. Select Properties
[Screenshot: Message properties]
  1. Select the text and copy the message header
[Screenshot: Copy message headers]
  1. Go to Message Header Analyzer
  2. Paste the message header
  3. Click Analyze headers
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, analyze headers]
  1. Check the Type column and verify it shows TLS
[Screenshot: Set Up Forced TLS for Exchange Online in Microsoft 365, message header analyzer type]
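The Type column in Message Header Analyzer is read from the Received headers; the check can also be scripted on the copied header text. This is an added example, not from the original article: the header in $header is a constructed sample modelled on the Received line Exchange Online writes when a partner server hands a message to it, and the host and address values are made up.

```powershell
# Added example: find the hop from the partner's server into Exchange Online in a
# copied message header and report whether that hop used TLS (and which version).
# $header is a constructed sample, not a real captured message.
$header = @"
Received: from mail.alitajran.com (203.0.113.10) by
 AM0PR01MT0001.outlook.office365.com with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1234.5
 via Frontend Transport; Mon, 1 Jan 2024 10:00:00 +0000
From: partner@alitajran.com
To: user@contoso.com
Subject: TLS test
"@

function Test-InboundTlsHop {
    param([string]$RawHeader, [string]$PartnerHost)

    # Unfold header continuation lines (RFC 5322: a line starting with whitespace
    # continues the previous header) so each Received header is a single string.
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -like 'Received:*' })

    # Pick the Received header written when $PartnerHost connected to Exchange Online.
    $hops = @($received | Where-Object { $_ -match "from $([regex]::Escape($PartnerHost))\b" })
    if ($hops.Count -eq 0) {
        return [pscustomobject]@{ Found = $false; Tls = $false; Version = $null }
    }

    # Exchange Online records the negotiated protocol as version=TLS1_2 (or similar)
    # on a TLS hop; a hop received in clear text carries no version= token.
    $hop = $hops[0]
    $tls = $hop -match 'version=(TLS[0-9_]+)'
    [pscustomobject]@{
        Found   = $true
        Tls     = $tls
        Version = if ($tls) { $Matches[1] } else { $null }
    }
}

Test-InboundTlsHop -RawHeader $header -PartnerHost 'mail.alitajran.com'
```

Tls = True with a Version value is the scripted equivalent of seeing TLS in the Type column; Tls = False on the partner hop means that message did not arrive over TLS and the inbound connector's Reject setting is worth re-checking.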

That’s it!