Customers currently using the Connect Application are advised to complete their onboarding setup as soon as possible, as the Connect Application is scheduled to be discontinued on the 31st of January, 2024.
This article explains how to configure the Connect application with Microsoft 365. This applies to new clients connecting with Mimecast using the Connect Application with Microsoft 365 Exchange Online.
- If you are using an On-Premise Exchange Server or an Exchange Server in a Hybrid configuration, see the Securing Your Inbound Email (On-Premise / Hybrid Exchanges) page.
- If you are not using the Connect Application, click here.
This guide describes navigation through the Classic Exchange Admin Center (Classic EAC). Administrators can use either the Classic EAC or the new Exchange Admin Center (new EAC); however, features and routing in the new EAC differ from those described in this guide. For more information, see the relevant Microsoft documentation.
Setting Us as Your Trusted Email Source
Once you have completed all the Connect Application tasks, we recommend locking down your inbound email flow in Microsoft 365 to only allow mail from Mimecast IP addresses.
This ensures your emails are scanned by the Mimecast security systems to prevent viruses and spam from reaching your internal environment.
For further assistance, see the following pages in the Microsoft documentation:
To secure your inbound email:
- Log in to the Microsoft 365 Exchange Admin Console.
- Click on the Mail flow menu item on the left-hand side.
- Click on the Connectors link at the top. Your connectors are displayed.
- Click on the + icon.
- Complete the Select Your Mail Flow Scenario dialog as follows:
| Field / Option | Description |
|---|---|
| From | Partner organization |
| To | Microsoft 365 |

The text at the bottom of the wizard changes to: "Creating a connector is optional for this mail flow scenario. Create a connector only if you want to enhance security for the email messages sent between your partner organization or service provider and Microsoft 365. You can create multiple connectors for this scenario, each applying to different partner organizations or service providers."
- Click the Next button.
- Change the connector's name to "Mimecast to Microsoft 365".
- Click the Next button.
- Select “By verifying that the IP address of the sending server matches one of the following IP addresses that belongs to your partner organization”. Add the IP ranges for the Mimecast grid your organization is hosted on, as listed on the Mimecast Data Centers and URLs page.
- Click the Next button.
- Click on the + icon to add the * as the domain.
- Click on the OK button.
- Click the Next button.
- Leave the Reject Email Messages if They Aren't Sent Over TLS option with the default value on the "What security restrictions do you want to apply?" dialog. Mimecast will send the message on to Microsoft 365 with Opportunistic TLS.
- Select Reject Email Messages if they aren't sent from within this IP address range.
- Click on the + icon to add the Mimecast IP address ranges depending on your region.
- Click the Next button. A summary page is displayed. Check this to ensure it has all the correct information.
- Click the Save button.
Testing Your Microsoft 365 Inbound Security
Once you have locked down your firewall, you can run the firewall test from the Connect Application to determine if the lockdown was successful.
To test your firewall and complete the task:
- Click on the Gateway | Secure Your Inbound Email menu item.
- Click on the Start button. Our Inbound IP Ranges are displayed.
- Ensure you have set up Mimecast as your only trusted email source. See the "Securing Your Inbound Email" section above.
- Click on the Next button.
- Click the Test Host link to test your Microsoft 365 connection. A popup dialog is displayed.
The test attempts to establish a connection to your Microsoft 365 host name from a Mimecast IP address that isn't part of the data centers you've set up. This uses the SMTP protocol up to the "RCPT" command.
- Enter a valid internal email address and click Test. Your firewall's status is displayed as one of the following:
  - Secured: The host has rejected the recipient. This is the desired outcome.
  - Not Secured: The host has accepted the recipient.
- Click the More or Less link to toggle the view of your domain's route information.
- When you're ready, click the Confirm button. A summary of your secure inbound email connection is displayed.
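The check behind the Test Host step can be reproduced independently. The following is an added example, not Mimecast's code: it runs the SMTP dialogue up to RCPT from the machine it is executed on, so run it from an address outside the Mimecast ranges you allowed. The function names, the sender `probe@example.com` and the `Inconclusive` status are assumptions of this example.

```python
import smtplib
import ssl
import sys

def classify(rcpt_code):
    """Map the RCPT reply code to a status (Inconclusive is an added label)."""
    if 200 <= rcpt_code < 300:
        return "Not Secured"   # recipient accepted from an untrusted source
    if 500 <= rcpt_code < 600:
        return "Secured"       # recipient permanently rejected
    return "Inconclusive"      # e.g. 4xx deferral: neither outcome is proven

def probe(host, recipient, sender="probe@example.com", port=25,
          timeout=15, smtp_cls=smtplib.SMTP):
    """Run the SMTP dialogue up to RCPT and stop; DATA is never sent."""
    try:
        with smtp_cls(host, port, timeout=timeout) as conn:
            conn.ehlo()
            if conn.has_extn("starttls"):
                conn.starttls(context=ssl.create_default_context())
                conn.ehlo()
            code, reply = conn.mail(sender)
            if code >= 400:
                # Refused before RCPT: the recipient check was never reached.
                return "Inconclusive", code, reply.decode(errors="replace")
            code, reply = conn.rcpt(recipient)
            return classify(code), code, reply.decode(errors="replace")
    except (OSError, smtplib.SMTPException) as exc:
        # Connection refused, timeout or a rejected banner: nothing was tested.
        return "Inconclusive", None, str(exc)

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <m365-mx-host> <internal-recipient>")
    status, code, detail = probe(sys.argv[1], sys.argv[2])
    print(f"{status}: {code} {detail}")
```

A result of `Inconclusive` usually means outbound port 25 is blocked on the network the script runs from, or the host deferred the request; repeat the test from another untrusted address before drawing a conclusion.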