Receive Connector from Office 365 Best Practice?


We're looking to set up Exchange Hybrid with centralized transport. I seem to have incorrectly assumed the Hybrid Configuration Wizard would create the receive connector for my on-prem servers. I can obviously do this manually, but there's concern that, with allowing all the required IP ranges in Exchange Online, someone else from a different tenant could send email directly to our on-prem Exchange servers.


What are the best practices for receive connector Inbound from Office 365 and how can I ensure it will only allow mail from our Exchange Online tenant?

2 Replies

Hi @geek2point0,


When you set up Exchange Hybrid in your scenario, you need to allow all IP ranges from EOP (Exchange Online Protection) to your Exchange On-Premises, because your tenant can send email from any IP in that range. More information here: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

It is not possible to block a different tenant from sending email directly, but they need to know your IP address. If you want more control, please use another IP and name dedicated to your connector.


Best regards,

Nuno Árias Silva 

@Nuno Silva 


Other Office 365 tenants attempting to connect directly to your on-prem Exchange using this connector will be considered "Outside the Organization" and "Anonymous" and not have the proper domain in the X-Org header. 

 

This is a great article explaining how you can create Transport rules to block emails from other Office 365 tenants that don't go through your MX record:
https://techcommunity.microsoft.com/t5/exchange-team-blog/advanced-office-365-routing-locking-down-e...
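The two replies together describe one procedure: open a receive connector to the published EOP ranges (first reply), then use a transport rule to drop mail that those shared ranges deliver on behalf of some other tenant (second reply). The following Exchange Management Shell script is an added example written for this page; it is not code from the thread, from the linked article, or from Microsoft. The server name, the tenant ID GUID and the two IP ranges are placeholders. The rule keys on the `X-MS-Exchange-CrossTenant-Id` header, which Exchange Online stamps on cross-premises mail with the sending tenant's ID; the second reply only refers loosely to an "X-Org header", so confirm against the linked article and against the headers of a test message from your own tenant before switching the rule from Audit to Enforce.

```powershell
# Added example (not the thread's own code). Run in the on-premises Exchange Management Shell
# with Organization Management rights. Placeholders: EX01, the tenant ID GUID, and the two
# IP ranges; take the real ranges from the Office 365 IP web service the first reply links
# (serviceArea 'Exchange', TCP port 25) and refresh them on a schedule, since they change.

$ServerName = 'EX01'                                   # placeholder on-prem Exchange server
$TenantId   = '00000000-0000-0000-0000-000000000000'   # placeholder: your tenant ID
$EopRanges  = @('192.0.2.0/24', '198.51.100.0/24')     # placeholders (RFC 5737 test nets), NOT EOP ranges

# Step 1: a dedicated frontend receive connector that only the published EOP ranges can reach,
# with TLS mandatory and the EOP certificate name tied to the cloud-services capability so the
# cross-premises headers stamped by your tenant are honoured. Exchange selects the connector
# whose RemoteIPRanges matches the source most specifically, so EOP traffic lands here rather
# than on the Default Frontend connector, even though both bind port 25.
New-ReceiveConnector -Name 'Inbound from Office 365' `
    -Server $ServerName `
    -TransportRole FrontendTransport `
    -Usage Custom `
    -Bindings '0.0.0.0:25' `
    -RemoteIPRanges $EopRanges `
    -RequireTLS $true `
    -TlsDomainCapabilities 'mail.protection.outlook.com:AcceptCloudServicesMail' `
    -PermissionGroups AnonymousUsers

# Step 2: the IP filter alone does not separate tenants (every tenant sends from the same EOP
# ranges), so a transport rule rejects anything arriving from those ranges unless Exchange
# Online stamped it with OUR tenant ID. -SenderIpRanges keeps the rule away from mail that
# arrives on other connectors (internal relays, printers). Start in Audit mode and read the
# message tracking log before enforcing.
New-TransportRule -Name 'Reject direct mail from other Office 365 tenants' `
    -SenderIpRanges $EopRanges `
    -ExceptIfHeaderMatchesMessageHeader 'X-MS-Exchange-CrossTenant-Id' `
    -ExceptIfHeaderMatchesPatterns $TenantId `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Inbound mail must be routed through this organization''s Exchange Online tenant' `
    -Mode Audit

# Step 3: the same decision the rule makes, applied to raw headers pasted from a test message,
# so you can confirm which header your tenant actually stamps before enforcing.
function Test-FromOurTenant {
    param([string]$RawHeaders, [string]$ExpectedTenantId)
    $m = [regex]::Match($RawHeaders, '(?im)^X-MS-Exchange-CrossTenant-Id:\s*(\S+)')
    if (-not $m.Success) { return $false }   # header absent: message did not leave an Exchange Online tenant
    return ($m.Groups[1].Value -ieq $ExpectedTenantId)
}

# Constructed sample headers (not real captures): one from our tenant, one from a foreign tenant.
$ours    = "Received: from example.outbound.protection.outlook.com`r`nX-MS-Exchange-CrossTenant-Id: $TenantId`r`nSubject: test"
$foreign = "Received: from example.outbound.protection.outlook.com`r`nX-MS-Exchange-CrossTenant-Id: 11111111-2222-3333-4444-555555555555`r`nSubject: test"
Test-FromOurTenant -RawHeaders $ours    -ExpectedTenantId $TenantId   # our tenant: rule exception applies
Test-FromOurTenant -RawHeaders $foreign -ExpectedTenantId $TenantId   # foreign tenant: rule fires
```

Keep the two halves in step: if the EOP ranges on the connector and on the rule drift apart, foreign-tenant mail that reaches the connector is no longer examined by the rule. After the Audit period, `Set-TransportRule -Identity 'Reject direct mail from other Office 365 tenants' -Mode Enforce` turns the rule on.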