Exchange Server 2016 and Microsoft Cloud (Part 7)

by [Published on 21 July 2016 / Last Updated on 21 July 2016]

Introducing Exchange Online Protection (EOP) in the environment.

If you would like to read the other parts in this article series please go to:


In the previous section we configured all mail flow from the Internet to go straight to the site where Exchange resides and that solution would work just fine, however the spammers are getting smarter and faster and leaving an Exchange on the Internet to receive Emails is a guarantee that your users will receive spam and virus from all over the world.

The recommendation is to use a Cloud Provider to clean up your messages and just forward the messages that are valid for your company, and Microsoft offers that with Exchange Online Protection (EOP) which is part of the Office 365 solution.

The first step is to sign up on Office 365, and the service offers several plans. In this article we will be signing up for E5 (Office 365 Enterprise E5). Find the plan that meets your requirement and look for a free trial, as shown in the image below.


The first step to set it up Office365/EOP is to configure the domain in the Office365, and these steps can be used:

  1. Logged on Exchange Admin Center.
  2. Click on settings and on the new page, click on Add Domain button. A new wizard will pop up.
  3. In the Add a domain page. Type in the domain name ( in our case) and click Next.
  4. In the Verify domain page. Here is where we start interaction between both platforms. In order to verify the domain in Office365 we need to create either a TXT or an MX record on the Public DNS. Using the information provided we will go to Microsoft Azure and enter the information, as shown below. Wait a little bit (at least 10 minutes to be safe) and click on Verify.


  1. In the Set up your online services page. Select I’ll manage my own DNS records and we will continue using Microsoft Azure for that. Click Next.
  2. In the Update DNS settings page. A list of all entries required by Office 365 will be displayed and the wizard compares with the current values and points out where a change is required. We will be working as we move forward on the series.
  3. In order to complete the wizard, select the option Skip this step – I have custom DNS records, so I’ll add the records I need later and then click on Skip.
  4. In the final page of the wizard, click on Finish.

After validating the domain in Office 365 Admin Center, this process creates the valid domain automatically as an accepted domain on the Exchange side of Office 365. Our next step is going to move the mail flow from on-premise to Office 365, as depicted below.

In order to do that, we need to create connectors on Office 365 to allow incoming traffic from the Internet to be received and forwarded to the on-premise server, and also all traffic from on-premise to be routed to the Internet through Office365. All configuration is done on the Exchange side of Office 365 and it can be done under the Mail Flow item on the Exchange Admin Center.


The first connector is going to be responsible to accept all traffic from our on-premise Exchange Server(s) and then route them to the Internet. These are the steps that can be used to create such connector:

  1. Logged on the Admin Center, click on Admin Centers item located on the left side.
  2. Click on Exchange.
  3. In the new page, click on mail flow and then connectors.
  4. Click on + to create the first connector.
  5. In the Select your mail flow scenario page. Select From: Your Organization’s mail server and To: Office365 as shown below.


  1. In the New Connector page. Label the new connector and click Next.
  2. In the next page, select By verifying that the IP address… and add the Public IP address which your Exchange Server(s) are going to use, and click Next.


  1. In the summary page that is displayed, just click Save.

The second connector will be responsible to receive all traffic from the Internet and then forward the valid messages to the on-premise Exchange Server(s), as follows:

  1. Logged on the Admin Center, click on Admin Centers item located on the left side.
  2. Click on Exchange.
  3. In the new page, click on mail flow and then connectors.
  4. Click on + to create the first connector.
  5. In the Select your mail flow scenario page. Select From: Office365 and To: Your Organization’s mail server..


  1. In the New Connector page. Label the new connector, leave default settings and click Next.
  2. In the next page, select For email messages sent to all accepted domains in your organization, and click Next.


  1. In the next page, add the server on-premise that is able to receive emails from the Internet which was properly published on the firewall. In our series, we will be using the


  1. In the How should Office 365 connect to your email server? page. Select Any digital certificate, including self-signed if you want to be more relaxed, or the administrator can tighten the security by requiring a certificate from a trusted certificate author, and on top of that specify the subject name or subject alternative names (SAN) on the certificate.
  2. In the Confirm your settings page. Just review the settings and click on Next.
  3. In the Validate this connector page. Click on add (+) and type in an email address that already exists on Exchange Server and click on Validate. A small test validating the relay and if the message is delivered is going to be performed. If everything looks okay, click on save.

At this point, the on-premise users are not being synchronized with Office365 and the administrator has to check the Accepted Domains in Exchange Admin Center in Office365. If the domain is configured as Internal Relay, then all messages from that domain will be forward to on-premise and the synchronization of the objects are not required. If the option Authoritative is the one selected, then the user must be synchronized with Office365, if it is not there then the incoming message from the Internet will not be accepted.

The ideal is to change to Authoritative after having the synchronization properly configured, and that will avoid messages sent to non-existent users to go to the on-premise environment. These are the steps required to configure the accepted domain as Internal Relay:

  1. Logged on Office 365 Admin Center.
  2. Click on Admin Centers and then Exchange.
  3. In the new page, click on mail flow (1), accepted domains (2).
  4. Double click on the desired domain (3) and then select Internal Relay (4), as shown in the image below.


Configuring Exchange Server outbound traffic using EOP…

In order to change the flow from your organization to the Internet through Exchange Online Protection, the administrator needs to get the DNS host that was provisioned for the tenant. These following steps can be used to gather such information:

  1. Open Office 365 Admin Center.
  2. Click on Settings, and then click Domains.
  3. Double click on the domain (in our case
  4. In the new page, all DNS required is being displayed. Let’s copy the information on the MX record.


On the Exchange Server side, we need to configure all outbound traffic to use that same host that we copied in the previous step. These following steps can be used:

  1. Logged on the Exchange Admin Center (EAC).
  2. Click on Mail Flow, and then on send connectors.
  3. Double click on the connector (if you don’t have one, create a new one using Internet profile. If you are not sure, just check the creation from the previous article).
  4. Click on Delivery, select Route mail through smart hosts and click on + and add the host that we gathered from the previous step.


The simplest test that the administrator can perform is to send a message from Exchange to an external email address. If everything works well, the message will be received, if not then you can open Exchange Toolbox, and then Queue Viewer.

After testing the mail flow using EOP, a good security practice is to lockdown the communication on 25 port between on-premise and EOP at the firewall level. Microsoft provides a list of all Public IPs in use by EOP and the firewall administrator can use that information to create the proper security.

Changing the inbound mail flow…

The last configuration is to allow all Internet traffic to go to Office365 instead of the on-premise server. The process is simple, just update the MX record and point to the name that we gathered in the previous step.


A simple test to validate the changes that we have just performed is to send a message from the Internet to a user located in the domain. The administrator can check the headers of the message to validate it.

The best way to test it is to wait for the DNS to change, and then try to send a message from the Internet and the result should be a message being received by the end-user on the on-premise server. The message’s header is able to provide the path performed by the message, and we can check if it has been through Office365 servers.

Putting it all together

In this article, we subscribed to Office365, and started configuring EOP in the simplest way possible where all message inbound is received in Office365 and then forwarded to the servers located on-premise, at the same time we configured the outbound traffic from on-premises through Office365. 

If you would like to read the other parts in this article series please go to:

See Also

The Author — Anderson Patricio

Anderson Patricio avatar

Anderson Patricio is a Canadian MVP in Cloud and Datacenter Management, and Office Server and Services, besides of the Microsoft Award he also holds a Solutions Master (MCSM) in Exchange and several other certifications. Anderson contributes to the Microsoft Community with articles, tutorials, blog posts, twitter, forums and book reviews. He is a regular contributor here at,, and Anderson (Portuguese).


Featured Links