# Microsoft 365

## Introduction

O365 is able to direct traffic to certain recipients (recipient based routing), it does not however contain functionality for routing based on the sender (sender based routing). By using a redirect mail flow rule it is possible to do a form of sender based routing that is sufficient for directing traffic to SecuMailer without violating the Microsoft 365 way-of-working. The high level approach is that any mailbox that needs to be integrated with SecuMailer is placed in a specific Distribution Group. Next to that a new mail contact is created that uses a non-existent email address / domain (to prevent any undesirable external routing). A new mail rule is created that redirects email from members of the Distribution Group to the Contact with the non-existent email address. This Contact is associated with a Send Connector which in turn forwards all email to the SecuMailer Mail Relay (and thereby into the SecuMailer system).

## Microsoft 365 Admin center 

Please log in to your Microsoft 365 Admin Center(via <https://portal.office.com).&#x20>;

![Office 365 Admin Center](/files/-LrxgjKWYBprpuxTLlpr)

Select Admin Centers → Exchange.

![](/files/xOKrOcHtKNuC9xMj7yE9)

You will see the Exchange Admin Center as shown above.&#x20;

## Configure Connector

Please click on `mail flow`, followed by `connectors`. In the connector view click on the `+New Connector` link to open the `New Connector` popup (see below). In the corporate Microsoft 365 versions you need to select the send connector.

In the `Connection from` list select `Microsoft 365`, after selection select in the `Connection to` list select for `Partner organization`. Click `Next`.

![](/files/ROq29Sz0IQtcFQwoNXFx)

Next step is to give the connector a name. You may choose anything you like, if you can’t think of anything then put in `SecuMailer`. You can add a description if you wish in the `Description` field, it is not mandatory. You can keep the checkbox at `What do you want to do after connector is saved?` selected. Click on `Next` to go the step.

![](/files/VGMP2ZKUy1jawHLoM0KB)

The next steps determines when you want to use the connector. Please select the first radio button `Only when I have a transport rule set up that redirects messages to this connector` and click on `Next`.

![](/files/F7AAF8JStGEVa3GqmQhR)

The next step determines where you want to deliver email that is associated with this transport rule. Please select the second radio button `Route email through these smart hosts` and click on the `+` symbol. In the new popup fill in `mail-relay.secumail.cloud` and click on `Save`.

![](/files/PJcNfZURNr6zFBmP9e5v)

The `Add a connector` popup should show `mail-relay.secumail.cloud` as new smart host. Click `Next` to go to the next step.

In this step you need to configure the secure connection with the SecuMailer mail relay. Please make sure that the first checkbox is on, it's named `Always use Transport Layer Security (TLS) to secure the connection (recommended)`.  Select the radio button `Issued by a trusted certificate authority (CA)`. Please activate the checkbox `And the subject name or subject alternative name (SAN) matches this domain name:` and fill in `mail-relay.secumail.cloud` (see below). Click on `Next`.

![](/files/54JID7dMJ68eu7s2DbjU)

You are now at the final step of the Transport Rule flow. The connector needs to be validated through a remote e-mail domain. This cannot be the domains used within the Microsoft 365 tenant, Fill in an e-mail address (likely Gmail or another address) and click on `Validate` .

![](/files/UaUD3Xmw1Rq9fgTK3Nsk)

You should see a summary of the Transport Rule settings you applied in the previous steps.

![](/files/lQIXYvwg3XQAiTr2enEg)

Verify your settings and click on `Create connector`. Herby the connector is created.

## Configure Distribution Group

In Exchange Admin select `recipients` in the main menu and subsequently select `groups` from the context menu.&#x20;

<figure><img src="/files/o5qquFqwRfgnM4jFJjqm" alt=""><figcaption></figcaption></figure>

Click on `add a group.` You should get a choice for the type of the newly to created group, choose for mail-enabled security. Click `Next`.

<figure><img src="/files/sUtoZRUrTNFzLYOaqCLt" alt=""><figcaption></figcaption></figure>

Please fill in `Name`

> If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use `SecuMailer AVG`.&#x20;

The description is not mandatory, Click `Next`.

<figure><img src="/files/2Wq1da6bZmUx1XTYY96i" alt=""><figcaption></figcaption></figure>

You should add a owner to this new group, like an Administrator or Manager. Click `Next.`

<figure><img src="/files/W1eQ40kEVmpDfw2NMru4" alt=""><figcaption></figcaption></figure>

Add users to this new group or add them later to this new group, Click `Next.`

<figure><img src="/files/UW4rkN0tLtFM4o6vtIiD" alt=""><figcaption></figcaption></figure>

Please fill in `Email address`

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use `secumailer_avg`.

<figure><img src="/files/bdhfq4sVsxZ7znlY0BBs" alt=""><figcaption></figcaption></figure>

Click Next.

You should see a summary of the settings you applied in the previous steps.

<figure><img src="/files/XsYwpY4u9EpVPr8fIKfb" alt=""><figcaption></figcaption></figure>

Verify your settings and click on `Create group`. Hereby the Secumailer AVG group is created, Click on `close`.

### Add members to Distribution Group

To add members to the specific group that you wish to connect with the specific SecuMailer function, head back to `recipients` in the main menu and subsequently select `groups` from the context menu. Under the specific tab `mail-enabled security`. click on the specific group you want to add members

![](/files/t0hYINwZdwvuIo1snCNc)

Click on `Members` followed by `View all and manage members.`

![](/files/MnTItFFLEVEf75dV58me)

When click on `+ Add Members`. you can add other users to this specific group.

![](/files/BcnBeouZS8KV8opXlcPU)

## Create mail flow rules

In this section you will create two mail flow rules:

1\)  that will direct your mail traffic towards the SecuMailer platform.

2\) that will direct out of office e-mails though public internet.

### Mail Flow Rule Redirection to SecuMailer

In this section you will create the mail flow rule that will direct your mail traffic towards the SecuMailer platform.

<figure><img src="/files/TMnkbAesYqiG5eqkbufv" alt=""><figcaption></figcaption></figure>

In the Exchange Admin please go to `mail flow` and then `rules`. Please create the mail flow rule by clicking on the `+` symbol and select `create a new rule` from the drop down menu. You should now see the pop-up named `new rule.`

<figure><img src="/files/M9dvFx0kGvguskOd904e" alt=""><figcaption></figcaption></figure>

Please carry out the following steps.\
Please fill in `Name`\
If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Redirect to SecuMailer AVG”.

At drop down list `Apply this rule if…` please select T`he sender is a member of…` and select and add the distribution group you created in section `Configure Distribution Group` and click on the `OK` button.\
At drop down list `Do the following…` please select `Modify the message properties...`, then select `Set a message header` and set the message header to X-Secumail-Id and the value to the value that was supplied to you by SecuMailer.\
Click on the button `Add action` to add another action to the mail flow rule.\
At drop down list `Do the following…` please select `Redirect the message to…` and select option `the following connector`, this will start a popup where you can select the SecuMailer connector you configured in section Configure Connector.&#x20;

Select connector\
At `Except if …` click on the button `add exception`. If you don’t see this option please scroll down until you see the link `More options…` and click on the link, this should give you the possibility of adding an exception. In the drop down list select `The recipient…` and select `internal/external`. In the popup window select `internal` and click on `OK`.

<figure><img src="/files/qOXX5ZdGszHWDhrcDy8e" alt=""><figcaption></figcaption></figure>

Please click on `Next` to set the additional settings

<figure><img src="/files/L4sRTvDUzr5kh0UhXnlC" alt=""><figcaption></figcaption></figure>

The default settings doesn’t need to be changed, so click on `Next.`

<figure><img src="/files/fR5vN28lrFqo6UZMOk0e" alt=""><figcaption></figcaption></figure>

Click on `Finish` to save this Rule.

### Mail Flow Rule Out Of Office Message

In this section you will create the mail flow rule that will route your out-of-office e-mail towards the public internet. This is needed since the sender is out of office and cannot respond to notifications in case a recipient cannot be reached securely. These message typically don't contain personal information and can be send without securing the message.&#x20;

***Please do check with you Security Officer before applying this rule.***

<figure><img src="/files/opQGLMwu600qAqYizsIj" alt=""><figcaption></figcaption></figure>

In the Exchange Admin please go to `mail flow` and then `rules`. Please create the mail flow rule by clicking on the `+` symbol and select `create a new rule` from the drop down menu. You should now see the pop-up named `new rule.`

<figure><img src="/files/CNAUR4beje6igngbMtNx" alt=""><figcaption><p>.</p></figcaption></figure>

Please carry out the following steps. Please fill in `Name` If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “Out Of Office Exception SecuMailer”.

At drop down list `Apply this rule if…` please select `The Message properties` and select `include the message type Automatic reply` and click on the `Save` button. At drop down list `Do the following…` please select `Modify the message properties...`, then select `Set a message header` and set the message header to `X-SecuMailer-OOO` and the value to`true`.

At `Except if` select `The recipient`  and `is external/internal.` In the pop-up select `Inside the organization.`

<figure><img src="/files/eeL5yylsuWglKhu9nB5Q" alt=""><figcaption></figcaption></figure>

Click on the `Next` button.

In the follewing screen check the option `Stop processing more rules`

<figure><img src="/files/Dy6FETv4Uk8MCi36aOCl" alt=""><figcaption></figcaption></figure>

Click next to complete the configuration.

<figure><img src="/files/vdAfC9WSC4fdFKuPougn" alt=""><figcaption></figcaption></figure>

Click on `Finish` to save this Rule.

## Disabling Rich Text Format&#x20;

Microsoft uses an outdated format for emails called “Rich Text Format” (or RTF in short). The RTF format is only supported by Outlook and can’t be read on the standard mail clients of Apple devices or Android devices. Microsoft advises to disable Rich Text Format to avoid inadvertently sending mails in this format.&#x20;

To disable RTF please go to `mail flow` section in Exchange Admin and select `remote domains`. Select the name `Default`. Click on `Edit text and character set`.

![](/files/h2iVL5b1wkeTm7IhOtga)

Change the setting from `Follow user settings` to `Never`

The integration is now completed. Please send a couple of test emails from the address you connected with SecuMailer and verify they arrive correctly at an email address you have access to.

## NTA 7516

The NTA 7516 functionality requires two additional changes to your Exchange configuration:

* Creation of a separate Distribution Group
* Creation of a mail flow rule

### [NTA 7516 Distribution Group](#nta-7516-distribution-group)

In Exchange Admin select `recipients` in the main menu and subsequently select `groups` from the context menu.&#x20;

<figure><img src="/files/bSoLfP16JRO7PL7flhmn" alt=""><figcaption></figcaption></figure>

Choose `Mail-enabled security`

<figure><img src="/files/riPXfM4zk6RxBIKvy3Fq" alt=""><figcaption></figcaption></figure>

If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use `SecuMailer NTA Group.`&#x20;

The description is not mandatory, Click `Next`.

<figure><img src="/files/up2UiqE3XMzL4BBLbiYL" alt=""><figcaption></figcaption></figure>

Assign members and click `Next`.

<figure><img src="/files/md5bK2ko8WtMclXdnR9q" alt=""><figcaption></figcaption></figure>

Please fill in `Alias`

> If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use `SecuMailer_NTA`.

Please fill in `Email address`

> If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use `secumailer_nta.`

Click `Next.`

You should see a summary of the settings you applied in the previous steps.

<figure><img src="/files/7hxU7Ix4Bvr71eQyTlCn" alt=""><figcaption></figcaption></figure>

Verify your settings and click on `Create group`. Hereby the Secumailer NTA group is created, Click on `close`.

### NTA 7516 Mail Flow Rule - 1

In EAC select `mail flow` in the main menu and subsequently select `rules` from the context menu. Click on the `+` symbol and select `create a new rule` from the dropdown menu. You should now see the pop-up named `new rule` (see below).

<figure><img src="/files/ThfETg3xsrlDq60ULmeU" alt=""><figcaption></figcaption></figure>

Please fill in `Name`.&#x20;

> If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516 Rule - 1”.&#x20;

Please carry out the following steps:

* At dropdown list `Apply this rule if…` please select `The sender is a member of…` and select and add the distribution group you created  in  [<mark style="color:blue;">NTA 7516 Distribution Group</mark>](#nta-7516-distribution-group) and click on the `OK` button.&#x20;
* In the next dropdown list named `Do the following` select the option `Modify the message properties` and select `Set a message header`.  In the text to the right of the option click on the first `Enter text...` link and in the message header popup fill in: X-SecuMailer-NTA7516 and click on `OK`.  Click on the second `Enter text...` link and in the message value popup fill in: `true` and click on `OK`.

This completes the Transport Rule 1 for NTA 7516. Please click on `Save` to finalize the setup.

### NTA 7516 Mail Flow Rule - 2

In EAC select `mail flow` in the main menu and subsequently select `rules` from the context menu. Click on the `+` symbol and select `create a new rule` from the dropdown menu. You should now see the pop-up named `new rule` (see below).

<figure><img src="/files/ThfETg3xsrlDq60ULmeU" alt=""><figcaption></figcaption></figure>

Please fill in `Name`.&#x20;

> If you have a naming convention in your organization, please use that convention. If there is no naming convention you can use “SecuMailer NTA7516 Rule - 2”.&#x20;

Please carry out the following steps:

* At dropdown list `Apply this rule if…` please select `The sender is a member of…` and select and add the distribution group you created  in  [<mark style="color:blue;">NTA 7516 Distribution Group</mark>](#nta-7516-distribution-group) and click on the `OK` button.&#x20;
* At drop down list `Do the following…` please select `Modify the message properties...`, then select `Set a message header` and set the message header to X-Secumail-Id and the value to the value that was supplied to you by SecuMailer.
* Click on the button `Add action` to add another action to the mail flow rule
* At drop down list `Do the following…` please select `Redirect the message to…` and select option `the following connector`, this will start a popup where you can select the SecuMailer connector you configured in section [Configure Connector](https://docs.secumailer.com/manuals/mailservers/office-365#configure-connector).
* At `Except if …` click on the button `add exception`. If you don’t see this option please scroll down until you see the link `More options…` and click on the link, this should give you the possibility of adding an exception. In the drop down list select `The recipient…` and select `internal/external`. In the popup window select `internal` and click on `OK`.

This completes the Transport Rule 2 for NTA 7516. Please click on `Save` to finalize the setup.

### Rule Order

For the rules to work correctly the following order must be maintained:

1. Out Of Office Exception SecuMailer
2. SecuMailer NTA 7516 Mailflow Rule - 1
3. SecuMailer NTA 7516 Mailflow Rule - 2
4. SecuMailer AVG mailflow Rule

WARNING: The SecuMailer NTA7516 rules have to have a higher priority then the regular Secumailer AVG mailflow rule, so that the highest security set is always used if the case a user is a member of both AVG and SecuMailer NTA7516 groups.

This completes the Transport Rules for NTA 7516. Please click on `Save` to finalize the setup.

## Appendix Exclaimer & CodeTwo

If the customer is using Exclaimer or CodeTwo, please see the separate section on [configuring SecuMailer together with Exclaimer](/manuals/appendices/exclaimer.md) or  [configuring SecuMailer together with CodeTwo](/manuals/appendices/exclaimer-1.md) .


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.secumailer.com/manuals/mailservers/office-365.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.