Forum Discussion
Adding email accounts without license
parsarvin is possible in that cenario:
Suppose your company has 20 employees.
Only 5 employees will be licensed for Office 365 and will access email through Outlook 365.
The other 15 employees will use the mechanisms that already existed to send and receive emails, be it pop3, imap or whatever, pointing to their "legacy" server.
In summary: All 20 users have @yourcompany.com email, 5 will be fully managed by Exchange Online, and 15 will not.
For this you need:
1 - Carry out all the authorization of ownership of your domain normally, that is, add/modify the DNS entries on your server to use MS Exchange Online as the incoming server. Using the wizard or doing the setup exactly as suggested should suffice.
1.1 - At this time, only the 5 licensed users will receive and send email normally. It's not what we want. Let's go.
1.2 - Well, at this point, if I send external email to any of the 15 email accounts that aren't licensed, I'll get an "invalid recipient" error or something. Let's fix this.
2 - The first thing you need to do is go to the "Exchange Administration Center" and access "E-mail flow"/"Accepted Domains". It may be translated differently in your language, but it will be there.
2.1 - Select your private domain, that is, the domain you already had when you subscribed to Office 365.
2.2 - You must choose that this domain is used for "Internal Relay" and NOT "Authoritative" which is the default. In this way, we're telling Microsoft not to assume that it "owns" all of my company's email account management.
2-3 - Okay. But we still need to warn Exchange that, since it won't validate ALL email accounts in the same place, where it should validate them if they don't exist in its scope. We do this with a Connector in the next step.
3 - Still in the Exchange Administration Center", go to "E-mail flow"/"Connectors" and follow these instructions.
3.1 - Email flow scenario > From: Office 365 > To: Your organization's email server
3.2 - Name and Description > Anything that identifies your remote email server... It's just for easy identification.,
3.3 - Connector Usage > Use only for emails sent to all accepted domains in your organization.
3.4 - Routing > Put the IP or the FQN of your private email server.
3.5 - Security restrictions > I recommend using TLS issued by a trusted CA. Currently, even shared servers like Hostgator offer free SSL, so if your server has a certificate, you won't have major problems with this step. If your server doesn't have a security certificate, you need to test that without TLS the connection will work correctly. Never tested.
3.6 - Validation - I recommend testing with 1 email address that has an Office license and 1 email address of those 15 examples that only exist on your "legacy" server.
3.7 - If the connection to the server fails, it is probably the address that is wrong or the TLS security settings. Check. If validation of email accounts fails, you need to check the error that returns to take some further action. Under normal conditions, it shouldn't give an error.
If the above configuration went smoothly, at this point you have:
5 email accounts that:
A) Send/receive email via Outlook 365 or;
B) They receive via POP/IMAP from Office 365 and send via legacy SMTP (yes, this works if the email accounts are duplicated 1 on Exchange and another on the legacy server)
C) DO NOT receive via POP/IMAP from the legacy because the boxes are managed by Office 365/Exchange, ok?
15 email accounts that:
A) DON'T send/receive email via Outlook 365..in fact they don't even log into Office 365 because they don't have a license or;
B) Receive via legacy POP/IMAP and send via legacy SMTP;
C) All external/internal email sent to any of these 15 accounts will enter via Exchange but will be redirected to the mailboxes that are managed by your Legacy.
This way, all your 20 employees can use your @yourcompany.com emails, in full, but only 5 will be managed by Exchange and will need a license.
Hope this helps.
Excellent write up and many thanks as you are the first to address this properly. I can't tell you the amount of searching I've done trying to find a solution.
Now, if you could help with the final step. When validating, I get a successful connection but failed email on my non ms365 email, well it appears so to me as these test logs are much too technical. The ms365 email looks okay.
Any tips on next steps or how to find the error?
I wrote an article in Portuguese detailing this topic a little better:
https://tshooterit.com/office-365-exchange-em-modo-hibrido-para-contas-de-e-mail/Maybe the answer is there, but, in theory, the problem you report is related to the lack of authoritative CNAME in the DNS for your domain.
As I use Cloudflare as an edge CDN, instead of configuring the CNAME/TXT entries on my hosting server, I needed to configure it in Cloudflare's own DNS configuration.
Check to see if the error you receive is related to the lack of "DMARC", "enterpriseenrollment" or "_domainkey" entries in the DNS configuration or in your hosting server or CDN, if applicable.
Best regards,
NeilsonFaria , So sorry I did not see your reply until now. It appears you promptly replied. Thank you once again.
Great input but all of that stuff is above my paygrade. I think (and hope) that MS will be able to help with this. Ill give that a shot.
NeilsonFaria Hello, thank you for your detailed guide.
I have successfully done the connectors and can receive emails but when I use the non365 emails to send, I can't seem to receive it.
What could be the problem with this?
Hi, jamcosico .
I bet the email is being sent by your legacy SMTP server but is being rejected by the destination server due to reverse domain validation.
Since we configured Office 365 as the "domain manager", your "legacy" server does not have the equivalent DNS entries as Office 365 to ensure that it can also send emails through the same domain (reverse validation).
I recommend, first of all, checking whether, in fact, the emails are going out but being rejected by the destination (no configuration we have made prevents the legacy SMTP from sending emails).
Once you've verified that this is it (and you will), go to the DNS Zone Editor of your legacy server (or CDN, if you use Cloudflare or something) and include all the entries that Office 365 generated.
In the article published at https://tshooterit.com/office-365-exchange-em-modo-hibrido-para-contas-de-e-mail/, I mentioned:
"In the worst case scenario, you will need to copy the DNS entries from Office 365 and paste it into the private domain server's DNS configuration."
I believe that this step needs to be refined in your configuration.
Use the tools at https://mxtoolbox.com/ to validate:
- DMARC: https://mxtoolbox.com/dmarc.aspx (everything has to be green)
- MX: https://mxtoolbox.com/dmarc.aspx (you have to return the hostname/IP of Office 365 and your legacy server)
- PTR: https://mxtoolbox.com/dmarc.aspx (reverse DNS validation has to return your legacy server and Office 365 server).
The solution, invariably, involves correctly configuring DMARC, CNAME, TXT, PTR and other entries and domain validators on your legacy server or edge CDN (Cloudflare, for example).
Big hug.
