
Prevent/Fix: Guidance for On-Premises Connectors Configuration

Ensure On-Premises connectors use unique certificates with domains accepted by the tenant and avoid shared IPs across tenants. Misconfigurations can disrupt mail flow due to Exchange Online’s multi-tenant nature. Use unique Send Connectors per tenant and prefer certificate-based authentication for reliable email routing.

We are reiterating the guidance for connector settings to ensure customers are using healthy configurations. The key problematic configurations we are seeing are:

- When a tenant has an Inbound connector of type OnPremises and the connector does certificate-based authentication using a certificate with a subject/SAN for a domain that is NOT an Accepted Domain of the tenant.
- When a tenant has an Inbound connector of type OnPremises and the connector does IP-based authentication, but the IP is used by other tenants.

These anti-patterns typically occur when you are using a 3rd party service to relay email through Exchange Online but could also occur if your organization has a single on-premises Exchange Server connecting to multiple Exchange Online tenants.

These configurations can cause incorrect mail flow because Exchange Online is a multi-tenant service and relies on message attribution to determine which tenant an incoming message belongs to. When messages are received through an Inbound connector of type OnPremises, attribution is determined using the following priority order:

1. The domain on the TLS certificate presented by the sending server
2. The P1 MailFrom (envelope sender) domain
3. The P1 RcptTo (recipient) domain

How this will affect your organization:

We may perform internal changes, such as tenant moves, without notice, which can impact mail flow if a tenant has a bad connector configuration. This means a misconfigured connector that works today may unexpectedly stop working.

What you need to do to prepare:

If you have a single on-premises Exchange Server connecting to multiple Exchange Online tenants, your on-premises Exchange environment must use a unique client certificate to send to each unique Exchange Online tenant belonging to your organization. You must configure a unique Send Connector on-premises for each unique tenant in Exchange Online that you want to route on-premises traffic to: Send connectors in Exchange Server | Microsoft Learn. You should also […]
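
A read-only audit for the two problematic configurations listed above, as an added example that is not part of the original post. The function name `Test-OnPremConnectorAttribution` is hypothetical, the sample connectors are constructed, and the exact-match rule between certificate name and Accepted Domain is a conservative assumption; whether another tenant shares an IP cannot be seen from inside one tenant, so IP-only connectors are flagged for manual review.

```powershell
# Added example: audits objects shaped like Get-InboundConnector output.
function Test-OnPremConnectorAttribution {
    param(
        [Parameter(Mandatory)] [object[]] $Connector,      # e.g. Get-InboundConnector
        [Parameter(Mandatory)] [string[]] $AcceptedDomain  # e.g. (Get-AcceptedDomain).DomainName
    )
    $accepted = @($AcceptedDomain | ForEach-Object { $_.ToLowerInvariant() })
    $onPrem   = @($Connector | Where-Object { $_.ConnectorType -eq 'OnPremises' })
    foreach ($c in $onPrem) {
        $certName = [string]$c.TlsSenderCertificateName
        if ($certName) {
            # Assumption: exact match after dropping a leading "*." (conservative).
            $domain = ($certName -replace '^\*\.', '').ToLowerInvariant()
            if ($accepted -contains $domain) {
                $finding = 'OK: certificate domain is an Accepted Domain'
            } else {
                $finding = 'FIX: certificate domain is not an Accepted Domain'
            }
        } else {
            # No certificate name: the connector authenticates by sender IP only.
            $finding = 'REVIEW: IP-based; confirm no other tenant uses these IPs'
        }
        [pscustomobject]@{
            Name        = $c.Name
            Certificate = $certName
            SenderIPs   = @($c.SenderIPAddresses) -join ', '
            Finding     = $finding
        }
    }
}

# Constructed sample input (not real tenant data).
$sampleConnectors = @(
    [pscustomobject]@{ Name = 'OnPrem-Cert-OK'; ConnectorType = 'OnPremises'
        TlsSenderCertificateName = '*.contoso.example'; SenderIPAddresses = @() }
    [pscustomobject]@{ Name = 'Relay-Vendor-Cert'; ConnectorType = 'OnPremises'
        TlsSenderCertificateName = 'smtp.relay-vendor.example'; SenderIPAddresses = @() }
    [pscustomobject]@{ Name = 'OnPrem-IP-Only'; ConnectorType = 'OnPremises'
        TlsSenderCertificateName = $null; SenderIPAddresses = @('192.0.2.10') }
    [pscustomobject]@{ Name = 'Partner-Inbound'; ConnectorType = 'Partner'
        TlsSenderCertificateName = 'partner.example'; SenderIPAddresses = @() }
)

Test-OnPremConnectorAttribution -Connector $sampleConnectors -AcceptedDomain 'contoso.example' |
    Format-Table -AutoSize
```

Against a live tenant, pass `(Get-InboundConnector)` and `(Get-AcceptedDomain).DomainName` from an Exchange Online PowerShell session in place of the sample values.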

The post Prevent/Fix: Guidance for On-Premises Connectors Configuration appeared first on M365 Admin.


by João Ferreira
