Exchange Online: Keeping your 'Inbound From Office 365' Receive Connector Current with Microsoft Public IP's

Background:

It's not uncommon for Exchange Online support to receive the occasional call where customers want to know how to stay on top of our public IP's. They change occasionally and unless customers are current with our RSS feeds on THIS page, then they'll likely find out that they're out of date when they start observing mail delays. Obviously, there is a better way to go about this. 

Disclaimer:
If you leverage your Firewall to Restrict/Allow Microsoft Public IPs, running this will likely break hybrid mail flow and should not be attempted. It's also worth noting that the ranges listed at https://technet.microsoft.com/en-us/library/hh373144.aspx will be slightly different than the results you get from running Get-HybridMailFlowDatacenterIPs. This is because the cmdlet only lists IP ranges that are specifically leveraged for mail flow and the website lists all IP ranges that the Exchange Online service uses for all of it's public facing functions, such as Client Access, EAC/ECP, Free/Busy, Migrations and of course, Mail Flow.

Manual Method:

1. Connect Exchange Management Shell to your tenant in Exchange Online (Refer to this link for help, https://blogs.technet.com/b/mitchelatmicrosoft/archive/2014/12/23/connecting-powershell-to-your-tenant.aspx )

2. Create a variable to pipe over to your Set-ReceiveConnector cmdlet

$FormatEnumerationLimit =-1
$ip = Get-HybridMailflowDatacenterIPs

3. You can run Get-HybridMailFlowDatacenterIPs by itself to verify the results. If you don't run $FormatEnumerationLimit =-1 prior to running this, you'll see that the IP range list is not enumerated:
Example:

DatacenterIPs : {65.55.88.0/24, 94.245.120.64/26, 207.46.51.64/26, 207.46.163.0/24...}

After running $FormatEnumerationLimit =-1 and running Get-HybridMailFlowDatacenterIPs, you should see the entire list:
Example:

DatacenterIPs : {65.55.88.0/24, 94.245.120.64/26, 207.46.51.64/26, 207.46.163.0/24, 213.199.154.0/24,
213.199.180.128/26, 216.32.180.0/24, 216.32.181.0/24, 2a01:111:f400:7c00::/54, 23.103.128.0/20,
23.130.156.0/22, 23.103.128.0/19, 104.47.0.0/17, 23.103.198.0/23, 23.103.200.0/21, 23.103.191.0/24,
2a01:111:f400:fc00::/54, 64.4.22.64/26, 65.55.169.0/24, 65.55.83.128/27, 134.170.132.0/24,
134.170.140.0/24, 134.170.171.0/24, 157.55.133.160/27, 157.55.158.0/23, 157.55.234.0/24,
157.55.206.0/23, 157.56.73.0/24, 157.56.87.192/26, 157.56.108.0/24, 157.56.110.0/24, 157.56.111.0/24,
157.56.112.0/24, 157.56.206.0/24, 157.56.208.0/22, 207.46.100.0/24, 207.46.101.128/26}

4. Once you have verified that you're seeing all of the IP ranges, you can feed them into a Set-ReceiveConnector cmdlet

Get-ReceiveConnector "Inbound From Office 365" | Set-ReceiveConnector -RemoteIPRanges $ip.DatacenterIPs

5. Run Get-ReceiveConnector "Inbound From Office 365" | fl Identity,RemoteIPRanges to verify that the IP ranges are current

Entire Script to paste into EMS:

$FormatEnumerationLimit =-1
$ip = Get-HybridMailflowDatacenterIPs
Get-ReceiveConnector "Inbound From Office 365" | Set-ReceiveConnector -RemoteIPRanges $ip.DatacenterIPs

Scripted Method:
Would you like to just run a script to do this? No problem!

1. Compile this script into a .PS1 file and modify the identity of the receive connector accordingly as well as the username after Get-Credential

$FormatEnumerationLimit =-1
$O365Cred = Get-Credential YourTenantAdmin@tenant.onmicrosoft.com
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
$ip = Get-HybridMailflowDatacenterIPs
Get-ReceiveConnector "Receive Connector Name" | Set-ReceiveConnector -RemoteIPRanges $ip.datacenterips

2. Once you have this saved into .ps1 file, simply run it in Exchange Management Shell, type in your password and wait for it to complete, it should only take a matter of seconds.

Script/Scheduled Task Method:
Want it to just run for you? No problem! It involves caching a Tenant Admin password in your powershell script though.

1.  Compile this script into a .PS1 file, name it HybridIPs.PS1, throw it in the folder C:\Scripts (or change the file location in the script) and modify the identity of the receive connector accordingly as well as the username and password:

$FormatEnumerationLimit =-1
$Pass = ConvertTo-SecureString "ReplaceWithPlainTextPassword" -AsPlainText -Force
$O365Cred = New-Object System.Management.Automation.PSCredential ("YourTenantAdmin@tenant.onmicrosoft.com", $Pass)
$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session
$ip = Get-HybridMailflowDatacenterIPs
Get-ReceiveConnector "Receive Connector Name" | Set-ReceiveConnector -RemoteIPRanges $ip.datacenterips
Start-Sleep -S 10
Exit

2. Run powershell as an Administrator on your Hybrid Server and run the following command:
Set-ExecutionPolicy Unrestricted

3. Create a Basic Task, name it appropriately, set your desired time and interval and select it to Start a Program. In the Program/script field, paste in the following:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

A. If you're on Exchange 2013 Hybrid, add the following into 'Add arguments (optional)' field:

-command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\Scripts\.\hybridips.ps1"

B. If you're on Exchange 2010 Hybrid, add the following into 'Add arguments (optional)' field:

-version 2.0 -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\scripts\.\hybridips.ps1"

Then give it a try. You should see Powershell open and run through its' motions. If you run into any issues, feel free to ask me in the comments section.

I hope this helps! I may be updating this in the very near future with a script to account for any/all potential failures as well as logging changes.

-Mitchel