Receive Connector from Office 365 Best Practice?


We're looking to set up Exchange Hybrid with centralized transport. I seem to have incorrectly assumed the Hybrid Configuration Wizard would create the receive connector for my on-prem servers. I can obviously do this manually, but there's concern that with allowing all the required IP ranges in Exchange Online that someone else from a different tenant could send email directly to our on-prem Exchange servers.

What are the best practices for receive connector Inbound from Office 365 and how can I ensure it will only allow mail from our Exchange Online tenant?

1 Reply
Hi @geek2point0,

When you set up Exchange Hybrid in your scenario, you need to allow all IP ranges from EOP (Exchange Online Protection) to your Exchange On-Premises, because your tenant can send email from any IP in that range. More information here: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

It is not possible to block a different tenant from sending email directly, but they need to know your IP address. If you want more control, please use another IP and name dedicated to your connector.

Best regards,

Nuno Árias Silva
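
The IP-range step the reply describes, as an added example that is not part of the original thread: it filters endpoint sets in the JSON shape returned by the Office 365 IP web service down to the Exchange ranges used for SMTP on port 25, ready to pass to a receive connector's `RemoteIPRanges`. The sample JSON is constructed (documentation IP ranges), and `Get-SmtpSourceRanges` and the connector identity are hypothetical names. As the reply says, this scopes the connector by source IP only.

```powershell
# Constructed sample, shaped like the web service's endpoint sets.
# The IP ranges are documentation ranges, not real Exchange Online addresses.
$sampleJson = @'
[
  {"id": 1, "serviceArea": "Exchange", "tcpPorts": "80,443",
   "ips": ["192.0.2.0/25"]},
  {"id": 2, "serviceArea": "Exchange", "tcpPorts": "25",
   "urls": ["*.mail.protection.outlook.com"],
   "ips": ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]},
  {"id": 3, "serviceArea": "Skype", "tcpPorts": "443",
   "ips": ["192.0.2.128/25"]},
  {"id": 4, "serviceArea": "Exchange", "tcpPorts": "25",
   "urls": ["*.mail.protection.outlook.com"]}
]
'@

# Hypothetical helper: return the unique IP ranges of Exchange endpoint sets
# that list TCP port 25. Sets without an "ips" field (URL-only) are skipped.
function Get-SmtpSourceRanges {
    param([Parameter(Mandatory)] [object[]] $EndpointSets)

    $EndpointSets |
        Where-Object {
            $_.serviceArea -eq 'Exchange' -and $_.ips -and
            (($_.tcpPorts -split ',').Trim() -contains '25')
        } |
        ForEach-Object { $_.ips } |
        Sort-Object -Unique
}

$sets = $sampleJson | ConvertFrom-Json

# For live data, replace the line above with a call to the web service:
# $id   = [guid]::NewGuid()
# $sets = Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$id"

$ranges = Get-SmtpSourceRanges -EndpointSets $sets
$ranges   # only the three ranges from set 2 survive the filter

# Apply to the on-premises connector from the Exchange Management Shell.
# 'SERVER01\Inbound from Office 365' is a placeholder identity; -WhatIf previews the change.
# Set-ReceiveConnector 'SERVER01\Inbound from Office 365' -RemoteIPRanges $ranges -WhatIf
```

The published ranges change over time, so the list on the connector needs refreshing whenever the web service reports a new version.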