
Module 10

Exchange Online
Mail Flow

Conditions and Terms of Use


Microsoft Confidential

This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or software included in
such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether express or
implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
Training package content, including URLs and other Internet Web site references, is subject to change without notice. Because Microsoft must respond
to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication. Unless otherwise noted, the companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product,
domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2014 Microsoft Corporation. All rights reserved.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
http://www.microsoft.com/about/legal/permissions/
Microsoft, Internet Explorer, Outlook, SkyDrive, Windows Vista, Zune, Xbox 360, DirectX, Windows Server and
Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Other Microsoft products mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries. All other trademarks are property of their respective owners.

Overview

This module covers the mail flow capabilities of Exchange Online, including:
- Transport rules
- Office 365 Message Encryption
- Message tracing
- Inbound and outbound connectors

Objectives

After completing this module, you will be able to:
- Create transport rules to perform actions on messages traversing through the transport pipeline
- Trace messages sent to external organizations
- Create connectors to enforce encryption for mail sent to specific domains

Rules

Types of Rules

Transport Rules
- Let you apply messaging policies to messages in the transport pipeline
- Actions can be taken, such as redirecting a message or adding recipients, rights-protecting messages, and rejecting or silently deleting a message

Transport Protection Rules
- Administrators can use transport protection rules to implement messaging policies to inspect message content, encrypt sensitive email content, and use rights management to control access to the content

Outlook Protection Rules
- In Exchange Online, Outlook and OWA users and administrators can apply Information Rights Management (IRM) protection to messages by applying an Active Directory Rights Management Services (AD RMS) rights policy template. This requires an AD RMS deployment in the organization

Transport Rules

Use transport rules to look for specific conditions on messages that pass through your organization and take action on them.

Transport rules allow you to:
- Prevent inappropriate content from entering or leaving
- Filter confidential organization information
- Track or copy messages that are sent to or received from specific individuals
- Redirect inbound and outbound messages for inspection before delivery
- Apply disclaimers to messages as they pass through the organization

You can create a maximum of 300 transport rules in Exchange Online.

Transport Rule Components

A transport rule consists of the following components:
- Conditions: identify the messages that you want the rule to apply to
- Actions: specify what you want to do to the messages that are identified by the conditions
- Exceptions: override conditions and prevent the rule from acting on specific messages

Choose a mode for this rule: Enforce, Test with Policy Tips, or Test without Policy Tips

How to Create a New Rule?

Transport Rules via PowerShell

How to create a new transport rule:

New-TransportRule -Name "Mark messages from the Internet to Sales DG" -FromScope NotInOrganization -SentTo "Sales Department" -PrependSubject "External message to Sales DG:"

How to verify the rule was created:

Get-TransportRule "Mark messages from the Internet to Sales DG"

How to view all rules in your Exchange Online tenant:

Get-TransportRule

Encryption

Office 365 Message Encryption

Office 365 Message Encryption is a new service that lets you send encrypted emails to people outside your company.

Admin:
- Simple to provision and configure
- Policy driven via transport rules
- Customizable branding of encrypted emails and mail reading portal
- Allows for enterprise content inspection and compliance

Sender:
- Ability to send encrypted messages to any SMTP address regardless of the recipient's client or service provider

Recipient:
- View encrypted messages on the Office 365 Message Encryption portal after sign-in
- The Office 365 Message Encryption portal has rich OWA controls for viewing and composing messages
- Replies from the portal are also encrypted

Admin Configuration

- Enable Azure Rights Management service. This is included with E3 & E4 licenses
- Create a transport rule via EAC or PowerShell to apply encryption to outgoing messages that match certain criteria
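
The second step above, written out as an added example that is not part of the training module: the encryption rule is created in audit mode (the cmdlet counterpart of "Test without Policy Tips"), reviewed, and only then enforced. The rule name, trigger word and excepted domain are assumptions, and an Exchange Online PowerShell session is assumed to be open.

```powershell
# Added example; rule name, keyword and excepted domain are hypothetical.
# Assumes a connected Exchange Online PowerShell session.
$ruleName = 'Encrypt external mail marked Confidential'

# Create the rule only if it does not exist yet, so the script can be re-run safely.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        Name                       = $ruleName
        SentToScope                = 'NotInOrganization'  # condition: recipient is external
        SubjectOrBodyContainsWords = 'Confidential'       # condition: trigger word
        ExceptIfRecipientDomainIs  = 'partner.example'    # exception: hypothetical domain
        ApplyOME                   = $true                # action: Office 365 Message Encryption
        Mode                       = 'Audit'              # log what would happen, change nothing
    }
    New-TransportRule @rule
}

# Review the rule: State shows whether it is enabled, Mode whether it acts on mail,
# and Priority where it sits relative to the tenant's other rules.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Priority

# Run this only after the audit results show the rule matches the intended
# messages and nothing else; from here on matching mail is encrypted.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Use `-Mode AuditAndNotify` instead of `Audit` for the "Test with Policy Tips" setting.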

Receiving and responding to encrypted messages

- When an external recipient receives an encrypted message from your company, they see an encrypted attachment with instructions on how to view the encrypted message
- To view the message, they open the attachment, and a new browser window opens asking them to log in to the Message Encryption website
- The Message Encryption interface is based on Outlook Web App
- A one-time passcode, an Office 365 ID, or a Microsoft account is required to log in and view the message
- When the receiver replies to the sender of the encrypted message or forwards the message, those emails are also encrypted

How it works

[Diagram: O365 User, Send, Exchange Online (policy detection and enforcement), Tenant configuration, Deliver, Internet User, Post, Mail Reading Portal, Microsoft account/Organization Account]

Message Tracking

Message Trace

- The message trace feature enables an administrator to follow email messages as they pass through your Exchange Online or Exchange Online Protection service
- It helps you determine whether a targeted email message was received, rejected, deferred, or delivered by the service within the past 90 days
- It also shows what actions have occurred to the message before reaching its final status
- Obtaining detailed information about a specific message lets you efficiently answer your users' questions, troubleshoot mail flow issues, and validate policy changes, and alleviates the need to contact technical support for assistance

How to Run a Message Trace

- Navigate to Mail Flow > Message Trace in EAC
- Select fields to narrow the search. Options include:
  - Sender
  - Recipient
  - Message was Sent or Received
  - Delivery Status or Message ID
- Click Search to run the message trace

View Message Trace Results

- After running a search, the results are listed in the Message Trace Results pane below the search section
- The following information is displayed about each message:
  - Date
  - Sender
  - Recipient
  - Subject
  - Status
- Each column can be sorted by clicking on the column name. Clicking it switches the current sort order
- If results exceed 500 entries, a page navigation section appears

Message Tracing via PowerShell

Using Get-MessageTrace to see information:

Get-MessageTrace -SenderAddress john@contoso.com -StartDate 06/13/2012 -EndDate 06/15/2012

Obtain more detailed information by piping the results to the Get-MessageTraceDetail cmdlet:

Get-MessageTrace -MessageTraceId 2bbad36aa4674c7ba82f4b307fff549f -SenderAddress john@contoso.com -StartDate 06/13/2012 -EndDate 06/15/2012 | Get-MessageTraceDetail
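
The two cmdlets above combined into a troubleshooting pass, added here as an example and not taken from the training module: it finds one sender's messages to external recipients that did not reach Delivered status and pulls the event history for each. The 48-hour window is an assumption, the sender address is the one used above, and an Exchange Online PowerShell session is assumed to be open.

```powershell
# Added example; the 48-hour window is an assumed value.
# Assumes a connected Exchange Online PowerShell session.
$sender = 'john@contoso.com'
$end    = Get-Date
$start  = $end.AddHours(-48)

# Domains the tenant accepts mail for; any other recipient domain is external.
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Get-MessageTrace returns results in pages, so read until a short page comes back.
$pageSize = 1000
$page     = 1
$traces   = @()
do {
    $batch = @(Get-MessageTrace -SenderAddress $sender -StartDate $start -EndDate $end `
                   -PageSize $pageSize -Page $page)
    $traces += $batch
    $page++
} while ($batch.Count -eq $pageSize)

# Keep messages to external recipients whose status is anything but Delivered.
$problem = @($traces | Where-Object {
    $domain = ($_.RecipientAddress -split '@')[-1].ToLower()
    ($internal -notcontains $domain) -and ($_.Status -ne 'Delivered')
})

# Summary by status (Failed, Pending, Quarantined, ...).
$problem | Group-Object Status | Select-Object Count, Name

# Event history per message: MessageTraceId and RecipientAddress bind from the
# pipeline, so each trace row can be passed straight to Get-MessageTraceDetail.
$problem | Get-MessageTraceDetail |
    Select-Object MessageTraceId, Date, Event, Action, Detail
```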

Accepted Domains

- An accepted domain is any SMTP namespace for which a cloud-based email organization sends or receives email
- Can be used to assign proxy addresses to users and to configure mail routing
- Domains are added using the Microsoft Office 365 admin center or through WAAD PowerShell
- Domains default to Authoritative domains

Domain Types

Authoritative
- All recipient mailboxes in that domain are hosted by Exchange Online and all email is delivered directly to Exchange Online
- More than one accepted domain can be configured as authoritative
- Required for Directory-Based Edge Blocking

Internal Relay
- Responsibility for mail delivery is shared between Exchange Online and another messaging system
- Typically, your on-premises messaging system receives mail first and then relays mail to the Internet for delivery to Exchange Online recipients

Connectors

Connector Types

- Connectors are used to control inbound and outbound mail flow
- With connectors, you can route mail to and receive mail from recipients outside of your organization, a partner through a secure channel, or a message-processing appliance
- The most commonly used connector types are Outbound connectors, which control outbound messages, and Inbound connectors, which control inbound messages
- Connectors can be configured to enforce IP address and domain restrictions, as well as TLS encryption, for both inbound and outbound mail

Using Connectors

- By default, mail flows into and out of Exchange Online through EOP without the need to create any inbound or outbound connectors
- Create connectors when you need to customize inbound and outbound mail flow between:
  - Exchange Online and On-Premises
  - Exchange Online and External Recipients
  - Exchange Online and Partner Organizations
- An example scenario is one where connectors using TLS are created to enforce encrypted mail flow between EOP and a partner
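
The partner scenario above as a pair of connectors, added here as an example and not taken from the training module: outbound mail to the partner requires TLS with a validated certificate, and inbound mail claiming the partner's domain is accepted only over TLS with the partner's certificate. The connector names, partner.example and mail.partner.example are assumptions, and an Exchange Online PowerShell session is assumed to be open.

```powershell
# Added example; connector names, domain and certificate name are hypothetical.
# Assumes a connected Exchange Online PowerShell session.
$partnerDomain   = 'partner.example'
$partnerCertName = 'mail.partner.example'

# Outbound: with no TlsSettings value the connector uses opportunistic TLS, which
# falls back to clear text. DomainValidation requires encryption, a certificate
# that validates, and a certificate name that matches TlsDomain.
$outbound = @{
    Name             = 'To partner.example (TLS enforced)'
    ConnectorType    = 'Partner'
    RecipientDomains = $partnerDomain
    UseMXRecord      = $true
    TlsSettings      = 'DomainValidation'
    TlsDomain        = $partnerCertName
    Enabled          = $true
}
New-OutboundConnector @outbound

# Inbound: require TLS for mail from the partner's domain and reject it unless the
# sending server presents a certificate matching TlsSenderCertificateName.
$inbound = @{
    Name                         = 'From partner.example (TLS enforced)'
    ConnectorType                = 'Partner'
    SenderDomains                = $partnerDomain
    RequireTls                   = $true
    RestrictDomainsToCertificate = $true
    TlsSenderCertificateName     = $partnerCertName
    Enabled                      = $true
}
New-InboundConnector @inbound

# Confirm what was stored on both sides.
Get-OutboundConnector -Identity $outbound.Name |
    Format-List Name, RecipientDomains, TlsSettings, TlsDomain, Enabled
Get-InboundConnector -Identity $inbound.Name |
    Format-List Name, SenderDomains, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName
```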
Lab: Mail Flow

Module Review

1. How far back can you trace a message?
2. Where do you add accepted domains?
3. Explain the use of connectors.

Module Summary

In this module, you learned about:
- Rules
- Delivery Reports
- Message Trace
- Accepted Domains
- Connectors

2013
2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks
in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of
this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and
Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR
STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION
