How to set up forced TLS for Exchange Online in Office 365

By default, Exchange Online always uses opportunistic TLS. Which means Exchange Online always tries to encrypt connections with the most secure version of TLS first, then by default the message will be sent unencrypted if the recipient organization doesn’t support TLS encryption. Unless you have configured Exchange Online to ensure that messages to that recipient are only sent through secure connections,  Opportunistic TLS is sufficient for most businesses.

If business that have compliance requirements such as medical, banking, or government organizations, you can configure forced TLS for Exchange Online.

If you decide to configure TLS between your organization and a trusted partner organization, Exchange Online can use forced TLS to create trusted channels of communication. Forced TLS requires your partner organization to authenticate to Exchange Online with a security certificate in order to send mail to you.Your partner will need to manage their own certificates in order to do this. In Exchange Online, we use connectors to protect messages that you send from unauthorized access before they arrive at the recipient’s email provider. 

1. Configuring Forced TLS from EOP to Partner

Login to https://outlook.office365.com/ecp –> Mail flow –> Connectors –> Click on Add 

1

 

Select From: Office 365 and Select To:Partner Organization and click Next 

2

Give Name for the Connector and Click Next 

3

You can use the Connector for the transport rule or add the domain in the connector as well, I have added the domains in my case.

4 5

Select Use the MX record associated with the partner’s domain and Click Next 

 

6

Select the Always use Transport Layer Security(TLS) to secure the connection and Select issued by a trusted Certificate authority (CA)

7

Click Next 

8

 

Add the partner Domain test Email address to validate the connector

 

9 10

Click on Validate 

 

11 12 13

In my case, Test Status  failed since there is no TLS connection available for the added domain. but you need to get success in the test case.

14

 

Click on save once the domain TLS Validation completed.15

 

16

 

2. Configuring Forced TLS from Partner to EOP

This Enforcement will enable the TLS mail flow from the Partner to EOP.

Login to https://outlook.office365.com/ecp –> Mail flow –> Connectors –> Click on Add

Select From: Partner Organization and To: Office 365

17

 

Give the name for the Connector and Click Next 

18

 

Select Use the sender’s domain

19

Add domain

20

Click Next 

21

Select the Subject name in the TLS Certificate of the Exchange Online Protection. it is required to be properly validated and updated. if this name not matches, mails will not reach Office 365.

23

EOP’s Certificate Name as mentioned below in the below, Please refer the Article  for more information.

24

Click on Save

25

26

Leave a Reply

Your email address will not be published.