Protect on-premises mailboxes in China with standalone EOP

Note

This article applies only to Office 365 operated by 21Vianet in China.

Even if you plan to host some or all of your mailboxes on-premises, you can still protect the mailboxes with Exchange Online Protection (EOP). To configure connectors, your account must be a global admin, or an Exchange Company Administrator (the Organization Management role group). For information about how Office 365 permissions relate to Exchange permissions, see Assigning admin roles in Office 365 operated by 21Vianet. If all of your mailboxes are in on-premises Exchange, follow the steps in this article to set up your standalone EOP service.

Important

Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. In the Microsoft 365 admin center, go to Setup to add your domain to the service.

  2. Follow the steps in the portal to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.

Tip

The articles Add your domain and users to Office 365 operated by 21Vianet and Create DNS records for Office 365 when you manage your DNS records are helpful references as you add your domain to the service and configure DNS.

Step 2: Add recipients and configure the domain type

Before configuring your mail to flow to and from the EOP service, we recommend adding your recipients to the service. There are different ways to add recipients, as documented in Manage mail users in Exchange Online (and EOP).

Also, if you want to enable Directory Based Edge Blocking (DBEB) to enforce recipient verification, you need to set your domain type to Authoritative. For more information about DBEB, see Use Directory Based Edge Blocking to Reject Messages Sent to Invalid Recipients.

Step 3: Use the EAC to set up mail flow

Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see Configure mail flow using connectors in Office 365.

To verify mail flow between EOP and your on-premises environment, see Test mail flow by validating your Microsoft 365 connectors.

Step 4: Allow inbound port 25 SMTP access

After you configure connectors, wait 72 hours to allow propagation of your DNS-record updates. Then, restrict inbound port-25 SMTP traffic on your firewall or mail servers to accept mail only from the EOP datacenters, specifically from the IP addresses listed at Managing Microsoft 365 endpoints. This action protects your on-premises environment by limiting the scope of inbound messages you can receive. Additionally, if you have settings on your mail server that control the IP addresses allowed to connect for mail relay, update those settings as well.

Tip

Configure settings on the SMTP server with a connection timeout of 60 seconds. This setting is acceptable for most situations and allows for some delay, for example when a message with a large attachment is sent.
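The following Exchange Management Shell example, added here and not part of the original article, applies Step 4 and the tip above to the Internet-facing Receive connector on an on-premises Exchange server: it replaces the connector's remote IP allowlist with the EOP ranges only and sets the 60-second connection timeout. The connector identity is hypothetical, and the IP ranges are placeholders that must be replaced with the current EOP ranges from Managing Microsoft 365 endpoints.

```powershell
# Added example (not from the article). Restrict the Internet-facing Receive
# connector so that only EOP datacenters can deliver mail to it.
# ASSUMPTIONS: the connector identity below is hypothetical, and the IP ranges
# are PLACEHOLDERS (RFC 5737 documentation ranges). Replace them with the
# current EOP ranges published at "Managing Microsoft 365 endpoints".

$ConnectorId = 'EXCH01\Internet Inbound from EOP'   # hypothetical connector identity

# PLACEHOLDER ranges, not real EOP addresses.
$EopRanges = @(
    '192.0.2.0/24',      # PLACEHOLDER (TEST-NET-1)
    '198.51.100.0/24'    # PLACEHOLDER (TEST-NET-2)
)

# Review the current state before changing anything. A typical unrestricted
# connector shows RemoteIPRanges of 0.0.0.0-255.255.255.255, which is what
# allows any Internet host to bypass EOP and connect to port 25 directly.
Get-ReceiveConnector -Identity $ConnectorId |
    Select-Object Identity, Bindings, RemoteIPRanges, ConnectionTimeout

# RemoteIPRanges is the complete allowlist, not an addition: anything not
# listed here is no longer accepted on this connector. ConnectionTimeout
# applies the 60-second value from the tip above.
Set-ReceiveConnector -Identity $ConnectorId `
    -RemoteIPRanges $EopRanges `
    -ConnectionTimeout ([TimeSpan]::FromSeconds(60))

# Verify: the allowlist should now contain only the EOP ranges.
(Get-ReceiveConnector -Identity $ConnectorId).RemoteIPRanges
```

The perimeter firewall still needs its own matching port-25 rule; this only restricts the Exchange connector itself.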

Step 5: Ensure that spam is routed to each user's Junk Email folder

To ensure that spam (junk) email is routed correctly to each user's Junk Email folder in on-premises Exchange, you need to complete a few configuration steps that translate EOP spam verdicts into values that on-premises Exchange can act on. The steps are provided in Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments.

If you don't want to move messages to each user's Junk Email folder, you can choose a different action by editing your anti-spam policies. For more information, see Configure anti-spam policies in Office 365.
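As an added illustration of the verdict translation described in Step 5 (this is example code, not the referenced article's own script), the following Exchange Management Shell commands create on-premises mail flow rules that read the EOP spam verdict (the SFV code in the X-Forefront-Antispam-Report header that EOP stamps on every filtered message) and set an SCL that the mailbox junk rule will move to Junk Email. The rule names and the SCL value of 6 are assumptions for this example.

```powershell
# Added example (not from the article). Run in the on-premises Exchange
# Management Shell. Rule names and the SCL value are this example's choices.

# EOP writes its verdict into X-Forefront-Antispam-Report as SFV:<code>.
# The three codes below all mean "EOP decided this is spam":
#   SFV:SPM  classified as spam by the filter
#   SFV:SKS  marked as spam by a mail flow rule or policy before filtering
#   SFV:SKB  sender matched a blocked senders list
# On-premises Exchange does not read that header by itself, so a rule per
# verdict raises the SCL; an SCL of 6 is above the default junk threshold.
$SpamVerdicts = @{
    'SFV:SPM' = 'EOP verdict SPM - set SCL 6'
    'SFV:SKS' = 'EOP verdict SKS - set SCL 6'
    'SFV:SKB' = 'EOP verdict SKB - set SCL 6'
}

foreach ($entry in $SpamVerdicts.GetEnumerator()) {
    # Skip rules that already exist so the script is safe to re-run.
    if (Get-TransportRule -Identity $entry.Value -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$($entry.Value)' already exists, skipping."
        continue
    }
    New-TransportRule -Name $entry.Value `
        -HeaderContainsMessageHeader 'X-Forefront-Antispam-Report' `
        -HeaderContainsWords $entry.Key `
        -SetSCL 6
}

# Verify the rules were created and are enabled.
Get-TransportRule |
    Where-Object { $_.Name -like 'EOP verdict*' } |
    Format-Table Name, State, Priority -AutoSize

# The SCL only has an effect if the mailbox junk rule is on; check one user
# (hypothetical mailbox name) before concluding that delivery is wrong.
Get-MailboxJunkEmailConfiguration -Identity 'user@contoso.com' |
    Select-Object Identity, Enabled
```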

Step 6: Use the Microsoft 365 admin center to point your MX record to EOP

Follow the domain configuration steps to update the MX record for your domain, so that your inbound email flows through EOP. Be sure to point your MX record directly to EOP as opposed to having a third-party filtering service relay email to EOP. For more information, you can again reference Create DNS records for Office 365.

To test mail flow, see Test mail flow by validating your Office 365 connectors.

At this point, you have verified service delivery for a properly configured Outbound on-premises connector, and you have verified that your MX record points to EOP. You can now choose to run the following tests to further verify that email can be successfully delivered by the service to your on-premises environment:

  • In the Remote Connectivity Analyzer, select the Office 365 tab, and then run the Inbound SMTP Email test located under Internet Email Tests.
  • Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.
  • If you want to run an outbound email test, you can send an email message from a user in your organization to a web-based email account and confirm that the message is received.

Less common: A hybrid setup with on-premises mailboxes and cloud mailboxes

If you have on-premises Exchange mailboxes and one or more cloud mailboxes in Exchange Online, you have a hybrid setup. In a hybrid setup, features such as free/busy calendar sharing and mail routing work together in your on-premises and cloud environments. You might have a hybrid setup in place while you transition mailboxes to Exchange Online. A hybrid environment is set up differently than EOP standalone protection.

You might choose a hybrid scenario to take advantage of cloud-based email for most of your employees. You can do this hybrid scenario while also hosting some mailboxes on-premises; for example, for your legal department.

A hybrid setup can be complex, but it has many benefits. To learn more about setting up hybrid scenarios with Exchange, see Exchange Server hybrid deployments (/Exchange/exchange-hybrid).