How to lock down Exchange Online so EOP refuses direct external mail

27/04/2026

Microsoft 365 · Email Security

A practical, step-by-step guide for tenants running a centralized mail flow with a third-party
Secure Email Gateway (SEG) — and discovering that mail and spoofing attempts still slip in
directly through Exchange Online Protection.

Security-relevant
Exchange Online
EOP / Defender
Production-ready

The problem in a nutshell

In a centralized mail flow setup, every inbound message is supposed to travel a single,
well-defined path: the public MX record points at a third-party Secure Email Gateway
(Mimecast, Proofpoint, Cisco IronPort, Barracuda, an on-premises Exchange edge — pick your
flavor), the gateway scans and filters the message, and only then is it handed off to
Exchange Online Protection through an authenticated connector.

In the real world, things are messier. Many organizations notice — sometimes only after
a successful phishing attempt — that mail is reaching mailboxes directly through
EOP, completely bypassing the gateway that was supposed to be the first line of
defense. Often these messages are spoofed, claiming to come from internal addresses such
as [email protected].

The desired state

Allowed mail flow

Internet

→

SEG / Gateway

→

EOP (via connector)

→

Mailbox ✓

Mail flow to be blocked

Attacker

⨯

tenant.mail.protection.outlook.com

⨯

EOP direct

Gateway bypass via direct SMTP connect to the EOP MX endpoint

What we want to achieve:

Block Direct Send — anonymous mail using your own domains, sent straight to EOP, must be rejected.
Restrict the inbound connector — only the SEG’s IPs or TLS certificate may deliver mail.
Stop spoofing — strict SPF, DKIM and DMARC, plus EOP anti-spoofing in enforcement mode.
Stay auditable — message trace and Defender reports must show every bypass attempt.

Why does EOP accept mail directly in the first place?

Every Microsoft 365 tenant has a publicly resolvable MX endpoint of the form
<tenant>.mail.protection.outlook.com. Regardless of where your MX record
actually points, that endpoint is reachable from the internet and — by default —
accepts anonymous SMTP connections for any of your accepted domains.
Microsoft calls this mechanism Direct Send.

Direct Send is officially intended for printers, scanners, and legacy line-of-business
apps that need to drop mail into internal mailboxes without authenticating. Convenient —
but it’s also exactly the mechanism attackers exploit to bypass your gateway and impersonate
internal senders.

Important to understand

A centralized mail flow or an MX record pointing somewhere else does not
protect you against Direct Send. The MX record is just a DNS hint. Attackers can connect
to the EOP endpoint directly at any time — unless you’ve explicitly hardened the tenant.

The fix is multi-layered: the tenant-wide RejectDirectSend flag, a tightly
restricted inbound connector, a transport rule as a safety net, and proper anti-spoofing
configuration. We’ll walk through each of them.

Prerequisites

Permissions

Organization Configuration (for Set-OrganizationConfig)
Exchange Administrator or Global Administrator (connectors and rules)
Security Administrator (Defender policies and anti-phishing)

Tooling

# Install the Exchange Online module if you haven't already
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser

# Connect
Connect-ExchangeOnline -UserPrincipalName [email protected]

Information to gather upfront

The full list of public IP addresses or ranges used by your SEG, including DR/secondary regions.
Optionally, the TLS certificate subject / SAN the SEG presents when delivering to EOP — preferred over IP binding.
All accepted domains of the tenant: Get-AcceptedDomain.
Document existing inbound connectors: Get-InboundConnector | Format-List.
Current SPF, DKIM, and DMARC records for each sending domain.

Recommendation

Before changing anything, take a JSON or XML snapshot of the current state via
Get-OrganizationConfig, Get-InboundConnector, and
Get-TransportRule. It makes rollback trivial if something breaks.

Step 1 — Enable Reject Direct Send

The simplest and most powerful single switch is the tenant-wide
RejectDirectSend flag. When it is enabled, EOP rejects any anonymous
message whose P1 Mail-From address matches one of your accepted domains, unless
it arrived authenticated through an inbound connector. The sender receives the NDR
550 5.7.68 TenantInboundAttribution; Direct Send not allowed for this organization from unauthorized sources.

Check the current state.
```
Get-OrganizationConfig | Select-Object Identity, RejectDirectSend
```
On existing tenants the default is False. Microsoft has announced that new tenants will get True by default starting in 2026.
Enable Reject Direct Send.
```
Set-OrganizationConfig -RejectDirectSend $true
```
Propagation across all EOP servers takes up to 30 minutes.

Verify.

Get-OrganizationConfig | Format-List RejectDirectSend
# Expected: True

Watch out — possible side effects

Before flipping the switch, identify any legitimate Direct Send sources in your environment:
multifunction printers, ERP systems, monitoring tools, marketing platforms — anything that
sends as one of your domains directly to EOP. Each of those needs a partner inbound connector
beforehand, otherwise their delivery breaks the moment the flag is enabled.

A useful starting point: review your domain’s SPF record. Every entry there is a candidate
for a dedicated connector.

Step 2 — Restrict the inbound connector to SEG IPs or certificate

RejectDirectSend only covers messages whose sender domain is one of your own
accepted domains. Spoofed mail from foreign domains delivered straight to
EOP would still be accepted. To close that gap, configure your Partner inbound
connector so that EOP only accepts inbound mail from the SEG’s IPs or matching TLS
certificate.

Option A — Configuration in the Exchange Admin Center

Open EAC at https://admin.exchange.microsoft.com →
Mail flow → Connectors → Add a connector.
Define the connection:
- Connection from: Partner organization
- Connection to: Office 365
Authenticate the partner: prefer
“By verifying that the subject name on the certificate that the sending server uses to
authenticate with Office 365 matches this domain name” and enter the certificate the
SEG actually presents. As a fallback — when no TLS certificate is available —
“By verifying that the IP address of the sending server matches one of the following
IP addresses” with all of the SEG’s outbound IPs.
Enforce delivery rules:
- ✅ Reject email messages if they aren’t sent over TLS
- ✅ Reject email messages if they aren’t sent from within this IP address range (with the SEG IPs)
Save and enable the connector.

Option B — PowerShell (idempotent and auditable)

# Example: SEG identifies itself via certificate (recommended)
New-InboundConnector -Name "From Secure Email Gateway" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName "*.mail-gateway.example.com" `
    -RequireTls $true `
    -Enabled $true

# Alternative: SEG identifies itself by IP range
New-InboundConnector -Name "From SEG (IP-bound)" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -RestrictDomainsToIPAddresses $true `
    -SenderIPAddresses "203.0.113.10","203.0.113.11","198.51.100.0/28" `
    -RequireTls $true `
    -Enabled $true

What RestrictDomainsTo* actually does

With these flags set to $true EOP effectively tells the world:
“Mail addressed to my domains is only accepted when it arrives via IP X or certificate Y.”
Any other source receives 550 5.7.51 TenantInboundAttribution; There is a partner connector configured that matched the message’s recipient domain and is rejected.

Method	Pros	Cons
TLS certificate	Robust against IP changes, cryptographically verifiable	Requires a valid third-party certificate at the SEG
IP range	Simple to set up	Maintenance burden when IPs change, slightly weaker

Step 3 — Add a transport rule as a safety net

Beyond the connector, it’s smart to add a transport rule as a second layer that rejects
any external mail not arriving from your allowed IP range. It protects you
against connector misconfiguration and produces a very clean audit trail in message trace.

Configuration in the EAC

EAC → Mail flow → Rules → Add a rule → Create a new rule.
Name: BLOCK – Direct internet ingress without SEG
Apply this rule if…
- The sender → is external/internal → Outside the organization
Do the following: Block the message →
Reject the message and include an explanation →
Reason: “Mail to this organization must be delivered via the official Secure Email Gateway.
Direct delivery to EOP is not permitted.”
Except if:
- The sender → IP address is in any of these ranges → your SEG IPs
- or The message headers → includes any of these words → header
  X-MS-Exchange-Organization-AuthAs with value Internal
  (prevents breaking internal hybrid mail flow)
Rule mode: start in Test with policy tips, then switch to Enforce after validation.

PowerShell variant

New-TransportRule -Name "BLOCK - Direct EOP Ingress (Bypass SEG)" `
    -FromScope NotInOrganization `
    -ExceptIfSenderIPRanges "203.0.113.10","203.0.113.11","198.51.100.0/28" `
    -ExceptIfHeaderMatchesMessageHeader "X-MS-Exchange-Organization-AuthAs" `
    -ExceptIfHeaderMatchesPatterns "Internal" `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Mail not delivered via SEG." `
    -Mode AuditAndNotify `
    -Enabled $true

Mind the rule order

Place this rule before any bypass or allow-list rules (lower priority value).
Otherwise an upstream rule may silently override your block. Starting in
AuditAndNotify mode gives you a safe pilot phase before flipping to
Enforce.

Step 4 — Anti-spoofing and DMARC

The previous steps lock down the transport path. Spoofing attempts that travel correctly
through the SEG (because an attacker hijacked some other domain or abused an open relay)
still need to be caught by authentication checks.

4.1 SPF, DKIM and DMARC for your domains

SPF: hard fail (-all), only your SEG egress IPs and legitimate cloud senders (e.g. spf.protection.outlook.com).
DKIM: enable signing for every sending domain in the Defender portal under
Email & collaboration → Policies → Email authentication settings → DKIM.
DMARC: at minimum p=quarantine, target p=reject with
rua=mailto:[email protected]. Use a DMARC reporting service
(dmarcian, Valimail, Postmark, etc.) to make the RUA/RUF data actionable.

# SPF record
yourcompany.com.   IN TXT "v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 include:spf.protection.outlook.com -all"

# DMARC record
_dmarc.yourcompany.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=s; aspf=s"

4.2 Anti-phishing policy (Defender for Office 365)

In the Defender portal under Email & collaboration → Policies & rules
→ Threat policies → Anti-phishing, harden the default policy or create a
dedicated one for high-value recipients:

Spoof intelligence: Enabled
Honor DMARC policy: Enabled (so messages with p=reject are actually rejected)
Action for unauthenticated senders: Quarantine
Impersonation protection: explicitly cover sensitive mailboxes (CEO, finance, HR)
Mailbox intelligence: Enabled

4.3 Anti-spam policy

Bulk Complaint Level (BCL) threshold: 6 or lower
Spam action: Quarantine
High-confidence phish action: Quarantine
Avoid allow lists — they’re a frequent root cause of spoofing slip-throughs.

Step 5 — Enhanced Filtering for Connectors

Because the SEG overwrites the original sender IP, EOP would normally evaluate SPF against
the SEG’s IP rather than the actual sender — meaning every phishing attempt passes SPF
effortlessly. Enhanced Filtering for Connectors (also known as skip listing)
fixes this by telling EOP to look further back in the Received header chain to find the real
sender IP.

Open the Defender portal at https://security.microsoft.com/skiplisting
(or Email & collaboration → Policies & rules → Enhanced filtering).
Select the inbound connector you created in Step 2.
Choose Skip these IP addresses that are associated with the connector
and add all public IPs of the SEG (including any intermediate hops).
Apply to entire organization after a small pilot phase with a few mailboxes.

Don’t do this

Do not add on-premises hybrid server IPs to the skip list when your MX points to EOP.
Microsoft does not support this in a centralized mail flow scenario; it can lead to
false positives in spam scoring.

Verification & testing

Test 1 — Direct Send from an external host

From an external system, attempt a direct SMTP delivery to the EOP endpoint:

Send-MailMessage `
    -From "[email protected]" `
    -To "[email protected]" `
    -Subject "Direct Send Test" `
    -Body "Testing the Reject Direct Send flag" `
    -SmtpServer "yourcompany-com.mail.protection.outlook.com" `
    -Port 25

Expected result:

550 5.7.68 TenantInboundAttribution;
Direct Send not allowed for this organization from unauthorized sources

Test 2 — Spoof from a foreign domain bypassing the SEG

External test using a foreign sender domain (e.g. [email protected]) directly to the EOP endpoint:

Expected result:

550 5.7.51 TenantInboundAttribution;
There is a partner connector configured that matched the message's recipient domain

Test 3 — Legitimate mail through the SEG

Send an external test message from Gmail or Outlook.com to an internal recipient. In message
trace, verify that the mail arrived from the SEG IP, was accepted by the inbound connector,
and delivered correctly.

Get-MessageTrace -RecipientAddress "[email protected]" -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, FromIP, Status, Subject

Test 4 — Header analysis

Inspect a delivered message via File → Properties in Outlook or paste the headers
into the Message Header Analyzer.
The following headers confirm a healthy configuration:

Authentication-Results-Original shows SPF pass against the real sender IP — not the SEG IP.
The Received chain shows the SEG as the last hop before EOP.
X-MS-Exchange-SkipListedInternetSender is set, indicating Enhanced Filtering is working.

Monitoring & reporting

Daily / weekly

Message trace: filter on status Failed with reason 5.7.68 or 5.7.51 — every hit is a blocked bypass attempt.
Defender → Reports → Mailflow: Threat protection status and Spoof detections.
Transport rule reports: Mail flow → Reports → Mail flow rule matches — your safety-net rule from Step 3.
DMARC aggregate reports: review RUA reports — every unknown source is a signal worth investigating.

Useful KQL queries (Defender for Office 365 hunting)

// Direct Send attempts in the last 7 days
EmailEvents
| where Timestamp > ago(7d)
| where DeliveryAction == "Blocked"
| where DeliveryLocation == "Failed"
| where AdditionalFields has "5.7.68"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, SenderIPv4, Subject

// Mail that did NOT arrive from your SEG IPs
EmailEvents
| where Timestamp > ago(1d)
| where SenderIPv4 !in ("203.0.113.10","203.0.113.11")
| where EmailDirection == "Inbound"
| summarize count() by SenderIPv4, SenderFromDomain

Alerting

Defender alert policy on Mail flow rule match for the safety-net rule.
SIEM forwarding (Sentinel, Splunk, etc.) of the EmailEvents table.
A weekly review report sent to the security team.

Rollback plan

If business-critical mail flows break after activation, the commands below let you revert
quickly. The rollback order is the reverse of the activation order.

# 1. Disable the transport rule
Disable-TransportRule -Identity "BLOCK - Direct EOP Ingress (Bypass SEG)"

# 2. Loosen the inbound connector (drop IP binding)
Set-InboundConnector -Identity "From Secure Email Gateway" `
    -RestrictDomainsToIPAddresses $false

# 3. Disable Reject Direct Send
Set-OrganizationConfig -RejectDirectSend $false

# Confirm
Get-OrganizationConfig | Format-List RejectDirectSend

Recommended rollout phases

1) Enable the transport rule in audit mode (one week of observation) →
2) Harden the inbound connector (one to two days of observation) →
3) Enable RejectDirectSend →
4) Switch the transport rule to Enforce. Each step is small and quickly reversible.

Final checklist

Direct Send sources inventoriedSPF analyzed, every printer / app / cloud service sending as your domain documented
Configuration backup takenGet-OrganizationConfig, Get-InboundConnector, Get-TransportRule exported
Inbound connector with IP/cert binding activeRestrictDomainsToIPAddresses or RestrictDomainsToCertificate set to $true
Reject Direct Send enabledSet-OrganizationConfig -RejectDirectSend $true applied and propagated
Transport rule (safety net) activeReject rule for non-SEG IPs in enforce mode, correctly prioritized
SPF / DKIM / DMARC enforcedSPF -all, DKIM signing for all sending domains, DMARC at least p=quarantine
Anti-phishing policy hardenedSpoof intelligence + Honor DMARC + quarantine for unauthenticated senders
Enhanced filtering configuredSkip listing of SEG IPs at the inbound connector enabled
Tests performedDirect Send blocked (550 5.7.68), legitimate mail via SEG delivered, headers correct
Monitoring in placeMessage trace reviews, KQL hunting, DMARC reporting, alerting

References & further reading

Microsoft Learn — Email routing in Exchange hybrid deployments
Microsoft Learn — Enhanced Filtering for Connectors
Microsoft Learn — Configure the default connection filter policy
Microsoft Tech Community — Introducing more control over Direct Send
Microsoft Learn — Mail flow rules in Exchange Online
Defender portal — https://security.microsoft.com/skiplisting
Exchange Admin Center — https://admin.exchange.microsoft.com

Post Views: 7,606

Microsoft Ignite Splitter | Coming soon

Soon, the Ignite 2018 in Orlando Florida will start. For me personally, after some Tech Summits this Ignite will be

Meeting Room Utilization Exchange online

Introduction I’ve delved into the world of PowerShell scripting to create a solution that records and reports the current utilization

Autodiscover and further DNS

In one of my LAST articles I have described the MX-Records and the SPF-Records, how they work and why we

Create an Exchange federation between Exchange and Office 365 Organization

Prolog Recently I had a small project by one of my customers. This customer company has bought another company and

Block inbound calls

As Microsoft Teams continues to replace conventional telephony systems, there are more and more tasks to be done in this

Exchange EWS and SMTP Relay Usage Scanner

Discover Hidden Applications Using Your Exchange Server A PowerShell Solution for Seamless Migration Planning ️ Exchange Server • PowerShell •

Build the Callback function in Microsoft Teams

This article is a sequel for my blog article ‘How to build a call center with Microsoft Teams’ and describes

Exchange Online Protection - EOP

More and more Customers are going to use Exchange online or other Microsoft Cloud services. One of them, which is

Enable daily Out of Office message - by PowerShell

Here some short article for today… In the morning an IT admin was asking me if it is possible to configure

Identity model for Office 365 - 3 ways...

By most of the companies I know or I was working with, there are two scenarios when I was speaking

Things to be aware of when migrating to Exchange Online

2018 is already knocking at the door and more and more of my customers find their way towards the cloud.

The Rising Cybercrime Threat and the Imperative of Robust Password Policies

In today’s digital landscape, businesses are increasingly grappling with the repercussions of cybercrime. Cyberattacks are escalating in frequency, and the

Add or change Azure administrator roles that manage the subscription or services

You can change the Azure administrator that manages your Azure subscription or manages the Azure services used in your subscription.

How to build a call center with Microsoft Teams

Microsoft is becoming more and more a telephony provider. With the possibility of building a call centre with native tools

Create dynamic Azure AD Group for Autopilot deployment

This script helps to create dynamic Azure AD groups based on the PowerShell module Graph SDK. The idea is that

Assign licenses to users in Office 365 for business

We have a new employee in our company, who starts his work as junior System Engineer. However, as a junior

Microsoft Exchange services and ports

Every Microsoft product is very complex in itself, depending on the role and functionality there are different communication channels and

Part 2 - Assign Teams Licenses

To use Teams Phone, you’ll first need to assign the following licenses to a user: Microsoft Teams Microsoft 365 Teams

Microsoft Ignite Splitter | Day 1

First day on Ignite is over, and here we go with Ignite Splitter for the first day… When I was

Microsoft Ignite Splitter - Day four

Day four at the Microsoft Ignite 2019. If you ever was wondering what equipment Attendees are carrying on during the

Exchange 2016 problems after setting up CU8: Outlook Web App X-OWA-Error

Last week I had to update a customers Exchange server envoriment with the new CU Pack. It’s an Exchange 2016

Reaward as Microsoft MVP

Today is the first of July. This is a very special day for every Microsoft MVP. On this day the

Recommendation - Microsoft 365 authorization concepts - Part 1

Microsoft 365 administrators have various roles and tasks that they need to manage to ensure that the organization runs smoothly.

Migrating on-premise Mailboxes to Office 365 by using Quest Tools

Bevor I start writing this Article, I want to mace clear, I don’t get paid for this Post from the

Microsoft Teams data Location

The current COVID-19 threat forces more and more companies to use collaburation tools. There are some on the market which

Register Application in EntraID - Using PowerShell

In today’s digital landscape, automating processes is an essential part of increasing efficiency and maximizing productivity. In this blog post,

Microsoft Teams add-on licenses - Overview

After we have dealt with the various roles and capabilities of Microsoft Teams in the article Designate Teams admin roles,

Microsoft Ignite Splitter | Day 2

Day one has already passed, and I am looking forward for day two… My second day on the Ignite stated

Microsoft 365 networking - Proxy Endpoints

For larger environments and/or infrastructures that have more complex network architectures, it can be important to split up the topic-related

PowerShell commands for Exchange and Office 365 – Part 3

It look’s like I will start a series with this kind of articles. Thank you guys for your resonance and

Export and merge Mailbox Informations and Archive Informations

I was asked to create an informal export from Mailboxes with the Total Mailbox Size. Till now nothing special, I

Microsoft Teams calling ID policies (plus Script documentation - How to)

An extremely important element in the field of telephony, apart from incoming calls and their management, is the element of

Part two - How to prevent attacks against our business

In the first part of my small trilogy we have learned about the risks, which are waiting over the Emails.

Exchange Mail Alias Migration

A comprehensive PowerShell solution for migrating email aliases from on-premise Exchange to Exchange Online safely and efficiently. Download Scripts

Bulk import pictures in Office 365 users

A few days ago I got a customer request about User photos. The company had just migrated from Exchange 2010

Office 365 Multi-Geo

In the last general availability Microsoft has finally launched the Multi-Geo option for Exchange online. So, what that means for

5 Essential steps to keep all your mails safe

Your email account is a gold mine for hackers. And yet many people still aren’t taking basic precautions to secure

How to handle domains during a Tenant migration

It’s now already some years I am supporting companies with their journey to the cloud. Having read the Microsoft announcment

Microsoft Ignite Splitter - Day two

Second day at Ignite started very early for me, this year I didn’t travel alone from switzerland to U.S. My

Office 365 Ports and Firewall Challenges

In this article I would like to talk about the deployment of Office 365. We can prepare, automate, customize, etc.

How to check current Exchange Server version

Sometimes the simplest things need the most time to find out. There are many different versions of Exchange servers installed

Microsoft Ignite Splitter | Day 4

Day four has just ended, it was a long one. I look back to the Universal Studios party back as

Conditional Access Reporting

This article is a documentation for another script which I have written and would like to make available to the

Customize the Office 365 encryption Message

Microsoft Office 365 allows us in a very easy way to encrypt messages to our recipients. To be able to

Exchange 2016 CU9 Released!

The Exchange Team released the March updates for Exchange Server 2013 and 2016, and these Cumulative Updates contain a ton

Microsoft Ignite - Review

Microsoft Ignite this year is already finished, and it was a huge event and It was an honour for me

Microsoft 365 assessment Script

Introduction In this article, I describe one of the most elaborate scripts I have ever written for the community. This

Part 5 - Enable users for Direct Routing with Teams Phone

Before you can enable Direct Routing for users, you’ll need to have configured it at the organization level. This will

Re award as a Microsoft MVP - 2022

It is the first of July 2022 and, just like a year ago, it is with great pleasure that I

Delete Outlook cache with Microsoft Intune

There are various reasons why the Outlook cache needs to be deleted. One of the most common reasons is after

Get Who-Is information over the PowerShell

Finding out who owns a Domain is easy, there are a lot of Web Tools to find out, all informations…

Bridging the Gap: Mastering M365 Cross-Tenant Calendar Sharing

In today’s interconnected business world, organizations rarely operate in isolation. Whether it’s a merger, a holding structure with multiple subsidiaries,

Exchange PowerShell Suite - by MSB365

In the company I am working for, we have some multiple Exchange projects. To set them up in a standardized

Microsoft Bookings available in Office 365

At the end of April, Microsoft announced in its Message Center update that Microsoft Bookings, a self-service scheduling tool, will

Phishing attack simulation in Exchange online - Part one

Prolog One of the biggest dangers in the industry for IT professionals is attacks on their own company network. There

Outlook Web App supports now third party storage

Microsoft has announced about new feature that soon it will be possible to add third party storage for Outlook Web

Accessing Copilot for Microsoft 365: A Comprehensive Guide

Microsoft Copilot is not a tool that only needs to be planned for use in the future, no, it is

Microsoft Teams: Private Line

Microsoft has done it again! What? More feature updates in the Microsoft Teams area. Okay, that’s not much of a

Best‑Practice Configuration of Microsoft Teams Walkie Talkie for Frontline Security at Airports

A security‑first, real‑world deployment guide tailored to airport security operations and their unique regulatory and operational needs. Executive summary

Sensitivity Labeling with Microsoft

For almost a year now, we have had to deal with the COVID-19 pandemic. Many of us can work from

Master Microsoft Teams Administration with PowerShell

Complete guide to creating comprehensive Microsoft Teams reports using PowerShell and Microsoft Graph. Automate guest user management, compliance

Automatisation Office 365 Language Settings

By using Office 365 you are syncing your local Active Directory with Azure AD which is comming together on Office

Announcement Cloud8 Summit - 5th Edition

It’s almost time for the 5th edition of the Cloud8 Summit. As things stand, it seems that the COVID pandemic

Azure Active Directory Pass-through Authentication

As far we know until today, the best solution form the Microsoft point of view is, to use ADFS to

Goodbye Xing

Since 22 October 2009 I am now a Xing Member. However, I did not have the Premium Subscription for a

Thank you <3

In this article I have decided not to write a technical contribution. Here you can see a video of me

A short note about personal passwords

Strong passwords are an important basis for protecting your data. Unfortunately, many users still use the same passwords for all

Add Email Address Policies by PowerShell

To create Mail Address Policies on Exchange I prefer to use PowerShell. If you go this Way, there are some

PowerShell Email Domain Migration Guide

Overview: This comprehensive guide provides PowerShell commands for migrating email domains in hybrid Microsoft 365 and Active Directory

Install Exchange Management Shell on your Computer

If you’re administrating an Exchange organisation there are different ways to do it. The simple way is to use the

Configure remote domain for automatic replies

Few weeks ago, I was working on a migration project between two independent domains. The project by itself was huge

Customize Password Expiration in Office 365

Having password policies in a company is good! Very good! And important! Using on-premises active directory and GPO’s makes it

Microsoft Teams phone meets Copilot

Since its launch in 2017, Microsoft Teams has stood by a unique perspective: integrating communication and collaboration seamlessly into a

Another 10 useful PowerShell cmdlets for Exchange

After all the positive feedback to my article “10 Useful PowerShell cmdlets for Exchange” (thanks again to Steve Goodman), I

Join the community - Subscribe to the Newsletter

Do you like my posts about Office 365, Exchange, ADFS and PowerShell? So why not subscribe to my newsletter? Get

Microsoft Ignite Splitter - A look back

Microsoft Ignite this year is already finished, and it was a huge event and It was an honour for me

Finding out the own Tenant ID

Recently I was asked for one of my customers how he can find out his Tenant ID. The Office 365

The future of Messaging - a personal view

I am working many years in IT, most ot the time with the messaging and emailing. My first steps I

Microsoft Ignite Splitter | Day 3

Day tree is just over and the halftime of the Ignite 2018 is already reached. Walking around the convention centre

Problem with Exchange management shell: IncorrectProtocolVersion

Today I want to write about some small issue one of my customers just had.This customer has installed an exchange

Information about "Microsoft 365"

In August 2017 Microsoft released a new Product in their Portfolio. They call it ‘Microsoft 365’. But what is ‘Microsoft

Use Telnet for sending e-mails

Prolog This article is about an old school topic. In the last few weeks after my vacation, I was supporting

Microsoft Ignite Splitter - Day five

Here we are, the last Day at Microsoft Ignite 2019 has come 🙁 This article is not about a lock

Advanced version of the Teams Voice Admin Tool

A few weeks ago, I wrote a PowerShell script concerning the Teams Voice Admin Tool. This script received a good

Intune MAM for Exchange On-Premise Mailboxes

A couple of months ago, I was working on a project to reveal the power of Microsoft Intune for my

Office 365 admin roles

By using Office 365 we have a new horizon of opportunities and features we can go with. In the other

#MVPbuzzChat with Christian Buckley

For the Episode 233 of the #MVPbuzzChat interview series, I was invited by my fellow M365 Apps & Services MVP

Microsoft submerges data center in the sea

Microsoft sunk a data center in the sea. The company wants to accelerate the development of self-sufficient underwater data centers

Change Language settings by Office365 Mailbox

After the migration to Exchange online there are Users, which have language Issues. This kind of problem occurs mostly by

Microsoft Ignite Splitter - Day one

Here we are, Microsoft Ignite 2019 has finally started. Yesterday on Sunday I was the whole day on a MVP

Multi ADFS Forrest

About the way how you can deploy an ADFS Infrastructure I have already described here and more about ADFS you

Migrate Fileserver to SharePoint online with Microsoft Teams - and make it accessible in the File Explorer

Microsoft Temas is becoming more and more the central working point where, regardless of the industry, companies are focusing more

Part 1 - Enable users for Teams Phone

After you have set up your organization’s configuration for Teams Phone with Calling Plans or configured a partnership with your

PowerShell Script for creating License Groups including assignments

Since I rely heavily on standardization for my clients, I have created a new script that I would like to

Fix: Teams Phone Device Rollout

Depending on the tenant configuration, there may be problems with the rollout of Team Certified phones. Here is a solution:

Building a hybrid Exchange environment

This week, I was on a technical board and had to explain to customers on the level of CTO (chief

Strategic Implementation Concept: Microsoft Teams Walkie-Talkie for Airport Operations

Aviation Digital Operation Blueprint Executive Summary Modernizing airport communication is a critical safety and efficiency factor. This document outlines the

Microsoft adds support for Google Gmail IDs to Azure Active Directory

Microsoft has fulfilled the promise about enabling Gmail users to collaborate with others, using Azure Active Directory (B2B) without the

Restoring a Hybrid Exchange Environment

Prolog Recently, I have been getting inquiries from customers, who have the following scenario: The environment was originally an on-premises

Address policy by recipient filters

There are several ways how we can create email address policies for an Organization. In the companies where I consult,

PowerShell does not reflect the correct server for Mailboxes

By preparing tasks for a customer’s Enterprise Vault I had to figure out on which Mailbox Database and on which

Configuring ADFS for Office 365

Almost everyone is using Cloud services, there are a lot of them like Azure, Office 365, G-Suite, Dropbox, AWS. Some

Part 3 - Assign phone numbers and emergency locations to users

After assigning licenses to users for Teams Phone, you’ll then need to assign phone numbers and emergency locations. In European

Cleaning up Mailbox Folder Permissions

I guess many of you who are reading my blog are also working in the Messaging and/or Cloud area. That

Unveiling an unexpected behavior in ConditionalAccess: Unable to enforce controls for some Apps

Recently, an unexpected problem popped up with some ConditionalAccess policies: it is not possible to enforce controls. Applications show up

Create SSL Certificate Request by PowerShell

Creating SSL Certificate Requests needs a lot of Time, how to create a Request without IIS I wrote here in

All about Exchange 2019

Many companies are still using the on-premise version of Exchange Server. And the IT departments have faced the decision of

Exchange Connectivity Tester

An Exchange Troubleshooting PowerShell Tool for IT Administrators Troubleshoot Exchange connectivity issues with this comprehensive PowerShell script that tests

Microsoft To-Do is released

Today I received a Email from Microsoft that they began with the Rollout of Microsoft To-Do. But what is Microsoft

Add BULK Users from CSV to Azure AD Group

This script is for the following use case: An administrator needs to add multiple users from an organisation to an

.NET Assemblies In PowerShell - Part 3: Create Active Directory objects

In the first parts of the series “.NET Assemblies In PowerShell”, I wrote about managing existing Active Directory groups and

Enabling Audit Logs in Office 365 Security and Compliance

After an organization has deployed Office 365, the companies’ administrator roles will be changed. Each company needs an administrator, who

Phishing attack simulation in Exchange online - Part two

Prolog In my last article about this topic I have described how you can perform simulated phishing attacks on your

Migrate from Gmail to Office 365

There are many articles in the field about migrating from on-premise Exchange to Office 365, but how about migrating from

Script: All information about Mobile devices

Today I had to prepare some things for migration between two Active Directory forests. Both sites have a 2-Way trust

Try now - The "new" Microsoft Teams Client

Microsoft is currently working on a major update for the Microsoft Teams Client for Windows. Microsoft Teams is increasingly becoming

Naming convention suggestion

Creating a standardized and consistent naming convention for IT infrastructures based on Microsoft 365 and Microsoft Azure is essential for

Mail encryption issues with PGP and S/MIME (high importance)

PGP and S / MIME encryption is not nearly as reliable as expected. Inadequate standards, outdated technology, and malicious programs

Meltdown/Spectre Powershell Module

Meltdown is currently thought to primarily affect Intel processors manufactured since 1995, excluding the company’s Itanium server chips and Atom

GRAPH UPDATE: Add BULK Users from CSV to Azure AD Group

For a given occasion, I have rewritten the script: Add BULK Users from CSV to Azure AD Group. The

Set automated disclaimer to all E-Mails sending out

Company e-mails have to follow some policies before they can be sent out from an organization. If these policies are

Exchange 2016 CU8 Issue Occurs in Hybrid Mode

On December 19th Microsoft has announced thr Cumulative Update 8 (CU8) for Exchange server 2016. With the CU8 Microsoft fixed

.NET Assemblies In PowerShell - Part 2: Manage Active Directory group members and user accounts

In the first part of this series, I described how you can add and remove members to and from Active

Manage Windows devices with Intune

With Intune you can manage devices and apps of your employees as well as their access to your company data.

Planning an Office 365 migration

Many articles were written in the past about migrating environment to Office 365. In this article I don’t want to

Allow Exchange users to see Calendar availability on G Suite

Thanks to the globalization, companies worldwide are working closer with each other. However, not all companies are using the same

Choosing the right .NET version for your exchange environment

Before you install Exchange 2016, you need to review the topic to ensure that your network, hardware, software, clients, and

Enable Sent Item Copy for shared Mailboxes in Exchange online

Time by time customers are asking me if it is possible, to move sent mails from shared mailboxes, to the

MFA with Microsoft Authenticator App for OWA

In one of my last articles, I wrote about installing, customizing and about the functionality of the ADFS servers. Today

Ransomware Strain Encripts Cloud Email

A new ransomware strain dubbed as “ransomcloud” has been developed and it can encrypt online email accounts like Office 365

Powershell function for Exchange online

Working as a consultant for multiple customers forces us to connect multiple times a day to different Exchange Online management

Announcement and teaser for the Cloudeight virtual Summit on November 13

We are currently in the planning phase for the second cloudeight virtual summit, which will take place on November 13th.

Celebrating My 7th Microsoft MVP Award!

A Journey of Excellence in Microsoft 365 Technologies I’m Thrilled to Announce… I am extremely happy and

Automated ADFS setup - with WAP roles for Exchange and Skype

It is already some time ago that I have posted a PowerShell script to the community. So I thought why

Enable UM for multiple Exchange Mailboxes

Background Some time ago I was on a very interesting project about on-premise infrastructure, Exchange online and 3rd party player

Microsoft Teams Presence Portal

Introducing the Microsoft Teams Presence Dashboard I’m excited to announce the release of the Microsoft Teams Presence Dashboard,

Cloud Solution Provider (CSP) program Important Informations!!!

Availability The Cloud Solution Provider program is available to companies with offices in the following countries/regions. These are grouped

Microsoft Teams Survival Guide

On the Microsoft Technet I found this very interesting Post about Microsoft Teams. I reposted this Article here by me

Create a Certificate Request (CSR) without IIS

Prolog There are several ways to create a Certificate request (CSR) for SSL Certificates. There are a large number of

Configure and manage voice users

Ongoing management is required as new employees start, or if their needs change. Learn how to manage voice user configuration,

Phishing attack simulation in Exchange online - Part three

Prolog At this point I am happy to present the third part of my series “Phishing attack simulation”. In this

10 Useful PowerShell cmdlets for Exchange

On the Ignite 2017 Steve Goodman held a very good session about 10 useful PowerShell commands, which are important to know

Enabling Sent Items Copy features with Exchange online for shared mailboxes

Shared mailboxes are great. They can be used for a variety of scenarios within your environment. What is that

Merge Exchange online Mailbox with on-premise AD account

One of my customer runs a hybrid exchange environment. By the onboarding process of new employees he needs to create

Transfer FSMO Roles by PowerShell

If FSMO role holder DC goes under upgradation process or down, we think about FSMO roles as its important and

PowerShell Tool - Teams Voice - BULK handling Voice policies

I was looking for an easy way to distribute Teams Voice policies for several users. I came up with the

Part one - How to secure the number one hacking Target - Email...

Working in IT shows us that one of the main things we must think about is to defend our organization

Import PST files using Exchange PowerShell

If we want to import PST files into an Exchange mailbox, we can use the PowerShell CMDlet New-MailboxImportRequest. The PST

Microsoft Intune Automatization Script

I am currently working on a new project involving the integration and configuration of Microsoft Intune in a hybrid environment.

Get all Mobile Devices on Office 365

In the past I have described how we can delete old EAS devices from our Exchange on-premises and/or Exchange online

Deploy Remote Desktop Gateway (RDS)

For creating a Remote Desktop Gateway infrastructure we need different configuration steps. For the Deployment I prefer to use PowerShell.

How Microsoft 365 Copilot Transforms Teams Meetings and PSTN Calls

Discover how AI-powered intelligence is revolutionizing workplace communication through automated summaries, real-time insights, and seamless call management In today’s fast-paced

Product Review | Stellar Phoenix Mailbox Exchange Recovery Tool

This week I had the opportunity to review the Stellar Phoenix Mailbox Exchange Recovery Tool. The background for this is,

VMware Power CLI meets PowerShell

Administrating and operating windows services can be done in different ways, one of the most useful ways is to do

Five more PowerShell commands you need to know

In this article I would like to return to an old series. It’s about PowerShell commands that we should all

The new Exchange Server

Microsoft revealed today their plans for Microsoft Exchange. This means that a new Exchange version is being released. This is

encrypted contacts manager

Today Proton Technologies Ltd. presented a new feature in their portfolio. Proton is a know swiss company who created a full

Archive or not to archive (that is the question)

Archiving emails is a progress many of us knows. Let us have a look back how the scenario was couple

Microsoft Hybrid Agent for Exchange

Microsoft sees midsize businesses as users of Office 365 and is setting things in motion to facilitate the migration of

Cloud8 virtual Summit

The first Cloud8 virtual event will take place on May 22. Here in this article I describe briefly what it

Deploy Windows 10 usin Intune - and USB Stick

There are different ways to roll out Windows 10. One option that is becoming increasingly popular is the deployment with

Error by installing Exchange CU (Event 1002)

Today I had to install new Exchange 2016 CU on a customer’s exchange environment. Normally that is an easy going

Microsoft Teams Presence Report

I’m excited to share a new PowerShell script I’ve developed that dives into Microsoft Teams presence data and generates a

Veeam Backup for Microsoft 365 v7

My daily work with Microsoft 365 includes not only Microsoft Teams Enterprise Voice (or Microsoft Teams Phone as it is

Intune Deploy Win32 applications - public preview

Seems like Microsoft really cares a lot about the ideas that users post on the Intune Feedback page. 🙂

Message Encryption with Office 365

At the Ignite 2017 Microsoft presented a bulk of new features which are waiting for us in 2018. One of

Windows Server 2012/2016: Installing and Configuring PowerShell Web Access (PSWA)

PowerShell on Samsung Galaxy and iPhone? PowerShell Web Access is a new Windows Server Feature. It provides a web-based PowerShell

Microsoft uncovers Windows 11 - these are the new features

New user interface The most obvious change is the new taskbar, which now displays pinned program icons centered at the

Designate Teams admin roles

In this article I would like to take a closer look at the different Microsoft Teams Admin roles. My

Web Application Proxy PowerShell Cheat Sheet

As Web Application Proxy is a standard Windows Server role service, you can use many Windows Server PowerShell tools to

Major Update Office 365 | Group members receive email in their mailbox

Microsoft has announced a new major update that group members are able to receive group emails in their personal mailboxes.

Setting Up Calendar Sharing Between Microsoft 365 Tenants

Introduction In today’s interconnected business world, collaboration across organizations is essential. Microsoft 365 offers robust tools for cross-tenant calendar sharing,

Part 4 - Assign calling policies and dial plans to a user

While you can assign a multitude of policies to Teams users, two important policies for Voice are dial plans and

Mastering Exchange Online Security: Automating Send-As & Impersonation Audits

PowerShell • Exchange Online • Security • Auditing As Exchange Online administrators, visibility is our most valuable asset. One of

Good to know - Email encryption

In this article, I describe the most important points about email encryption in a kind of FAQ. We have all

100 Days with Microsoft Copilot for Microsoft 365

As an honoured Microsoft MVP immersed in the ever-evolving landscape of technology, I witness first-hand the perpetual metamorphosis of tools

Sixth Time's the Charm: Honored to Be Named Microsoft MVP Again!

I’m thrilled to announce that I’ve been awarded the prestigious Microsoft Most Valuable Professional (MVP) Award for the sixth year

Cleaning Meetings in M365

This documentation describes how to properly cancel and remove meetings and recurring meetings organized by a departed employee from the

Brief how-to: Enable MFA for Office 365

Here is another article before my Ignite journey this year. 🙂 Today I want to write about activating multi factor

Microsoft Teams Shared Locations

Technical Deep Dive 2026 A comprehensive guide to mobile sharing, AI-driven Wi-Fi detection, and enterprise privacy. In the modern era

Checklist: How companies use Microsoft 365 securely

Microsoft 365 provides companies with numerous protective measures that ensure a high level of security for all applications and data.

Restarting Stopped Services with PowerShell

Last weekend I had to work on a change request in a company. Our guys from the network team had

Mails from external cannot be received after migration to Exchange Online

After migrating several users from Exchange 2010 to Exchange Online it can happen that some of the users are not

Creating a Exchange 2016 Building Block

Deploying a new Exchange Server infrastructure is never been so Standarted like today with Exchange 2016. In this Post it

Microsoft Ignite Splitter - Day three

Day three at the Microsoft Ignite 2019, it is unbelievable how fast the time flies. It is halftime again and

Fix Office 365 issues using the Microsoft Tool "SaRA"

Each of us has had issues with Outlook OneDrive or other Office 365 themes in the past. Microsoft has provided

Remove a former employee from Office 365

Have an employee leaving and need to block access to data and email? To do this: Go to Active Users.

Reaward as Microsoft MVP 2021

Today is the first of July and I am extremely pleased to have received an email from Microsoft on this

Orphaned Exchange Online External Contacts preventing users account to sync to Exchange Online

I recently had a problem with an Exchange Online tenant. There was an external mail contact which was previously synchronised from Active

Add, remove and manage email alias using Powershell

This short article is about a returning question about how to add or remove smtp alias addresses using the Exchange

Scalability update for Exchange 2016

In the end of September 2017 Microsoft has announced a significant update to the scalability guidance for Exchange 2016. If

Entra Application Proxy with on-prem OWA

From time to time I get requests from customers for the following scenario: The customer basically has a hybrid infrastructure,

Fixing Outlook Calendar Issue

Usually my posts are all about server related topics. But from time to time some Outlook issues appear on my

Deploying Intune Applications

This article is a follow-up article based on my article “Microsoft Intune Automatization Script“. In this article, I introduce you

Generate Email for default Mails over PSForm

I was asked from a small Business Company to create an easy way for the Administration, to create default Email

Email Address Internationalization (EAI) support in Office 365

This Days Microsoft announced that Office 365 will enable Email Address Internationalization (EAI) support in Q1 2018. This can have

PowerShell Script - Setting Calling Policies for multiple users

This article serves as documentation for the script, which is stored on GitHub. The corresponding script can be downloaded from

Mailbox Location Report Script

Generate Comprehensive Mailbox Reports with PowerShell Discover which mailboxes are in Exchange Online vs On-Premises with this powerful

How to import an Outlook 2010 PST to Office365

Last month one of our Junior Engineers got a task to move some outlook information’s to the O365 Mailbox. It

Show Calendar Permission as a Report

Our 2nd level support came up to me earlier this week with a with a request about calendar permissions. He

Easy Office 365 Management -AdminDroid

Cloud services from Microsoft, Amazon, Google and other service providers have been booming not only since the Corona crisis. Of

Finding E-Mail sender IP address

Internet emails are designed to carry the IP address of the computer from which the email was sent. This IP

Installation documentation with Powershell

By setting up or configuring software it is always necessary to make documentations. To document the installation or configuration steps

The Deep-Dive Guide: Microsoft Graph API for PowerShell

In the modern Microsoft 365 landscape, the “Portal-Clicker” is being replaced by the “Automation Architect.” Microsoft Graph is the engine

Issue deleting Mailbox - Active directory response: 00000005: SecErr: DSID-03152612, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Recently, one of my customers reported a problem that he was unable to delete a mailbox of a former employee.

How to lock down Exchange Online so EOP refuses direct external mail

The problem in a nutshell

The desired state

Allowed mail flow

Mail flow to be blocked

Why does EOP accept mail directly in the first place?

Prerequisites

Permissions

Tooling

Information to gather upfront

Step 1 — Enable Reject Direct Send

Step 2 — Restrict the inbound connector to SEG IPs or certificate

Option A — Configuration in the Exchange Admin Center

Option B — PowerShell (idempotent and auditable)

Step 3 — Add a transport rule as a safety net

Configuration in the EAC

PowerShell variant

Step 4 — Anti-spoofing and DMARC

4.1 SPF, DKIM and DMARC for your domains

4.2 Anti-phishing policy (Defender for Office 365)

4.3 Anti-spam policy

Step 5 — Enhanced Filtering for Connectors

Verification & testing

Test 1 — Direct Send from an external host

Test 2 — Spoof from a foreign domain bypassing the SEG

Test 3 — Legitimate mail through the SEG

Test 4 — Header analysis

Monitoring & reporting

Daily / weekly

Useful KQL queries (Defender for Office 365 hunting)

Alerting

Rollback plan

Final checklist

References & further reading

SHARE THIS

Related Posts

Microsoft Ignite Splitter | Coming soon

Meeting Room Utilization Exchange online

Autodiscover and further DNS

Create an Exchange federation between Exchange and Office 365 Organization

Block inbound calls

Exchange EWS and SMTP Relay Usage Scanner

Build the Callback function in Microsoft Teams

Exchange Online Protection - EOP

Enable daily Out of Office message - by PowerShell

Identity model for Office 365 - 3 ways...

Things to be aware of when migrating to Exchange Online

The Rising Cybercrime Threat and the Imperative of Robust Password Policies

Add or change Azure administrator roles that manage the subscription or services

How to build a call center with Microsoft Teams

Create dynamic Azure AD Group for Autopilot deployment

Assign licenses to users in Office 365 for business

Microsoft Exchange services and ports

Part 2 - Assign Teams Licenses

Microsoft Ignite Splitter | Day 1

Microsoft Ignite Splitter - Day four

Exchange 2016 problems after setting up CU8: Outlook Web App X-OWA-Error

Reaward as Microsoft MVP

Recommendation - Microsoft 365 authorization concepts - Part 1

Migrating on-premise Mailboxes to Office 365 by using Quest Tools

Microsoft Teams data Location

Register Application in EntraID - Using PowerShell

Microsoft Teams add-on licenses - Overview

Microsoft Ignite Splitter | Day 2

Microsoft 365 networking - Proxy Endpoints

PowerShell commands for Exchange and Office 365 – Part 3

Export and merge Mailbox Informations and Archive Informations

Microsoft Teams calling ID policies (plus Script documentation - How to)

Part two - How to prevent attacks against our business

Exchange Mail Alias Migration

Bulk import pictures in Office 365 users

Office 365 Multi-Geo

5 Essential steps to keep all your mails safe

How to handle domains during a Tenant migration

Microsoft Ignite Splitter - Day two

Office 365 Ports and Firewall Challenges

How to check current Exchange Server version

Microsoft Ignite Splitter | Day 4

Conditional Access Reporting

Customize the Office 365 encryption Message