How to force TLS on Office 365

    How to force TLS on Office 365

    Consider a mail flow scenario where your Office 365 tenant wants to force TLS for certain domains that you do business with. You can achieve this by creating inbound and outbound connectors in Exchange Admin Center.

    Suppose that which is on Office 365 wants to force TLS for for any emails coming in or going out of Office 365.

    Here are the steps:

    1. Login to Office 365 at with your Global Admin credentials
    2. Once logged in, click on Admin at the top right and then click on Exchange to go to Exchange Admin Center
    3. Click on mail flow and then click on the connectors tab
    4. Click on the plus symbol under Inbound Connectors
    5. Type in the name of the inbound connector. For example, “From”
    6. Under the connector type, select Partner
    7. Under Connection Security, select Force TLS and type * under Certificate. This means we are forcing TLS for all certificates which matches *.
    8. Under domain restrictions, select None
    9. Under Domains, click on the plus symbol and add your domain. In this case, it would be
    10. Do not enter anything under IP addresses and Accepted domains
    11. Hit Save. This connector will now force TLS for any incoming SMTP connections coming from
    12. Back to the Exchange Admin Center, under Outbound Connectors, click on the plus symbol for making a new outbound connector
    13. Under Name, enter the name of the connector. For example, “To”
    14. Under the connector type, select Partner
    15. Under the connection security, select Trusted certification authority. Note that this will be different according to the partner domains you are adding. You can also select Opportunistic TLS or self-signed certificate as per your security requirements.
    16. Under outbound delivery select MX record associated with the recipient domain
    17. Under domains, click on the plus symbol and add
    18. Hit save. This will ensure that all emails coming out from Office 365 to will always be forced a TLS connection.
    19. In order to use multiple partner domains to force the TLS, you can add multiple domains under steps 9 and 17 above
    20. You can also make changes to the above configuration using Powershell with the Set-InboundConnector and Set-OutboundConnector cmdlets: For example, you want to add a new domain in the inbound connector so that it will always use TLS for sending emails to Office 365. Here is an example,
    Set-inboundconnector "force tls for partner domains" -senderdomains (((Get-inboundconnector " force tls for partner domains ").senderdomains)+="")

    Inquire about managing and supporting your Microsoft Office 365 tennant for your business.

    Read More about Office 365

    Microsoft Office 365 top challenges

    TOp Ten Benefits Exchange Online

    Real-time, support for your Okta needs, delivered directly via our Slack channel.

    Talk to us

    Phone & Hours

    (888) 959-2825
    Monday-Friday: 9am to 5pm


    8117 W. Manchester Ave
    Suite 915
    Playa Del Rey, CA 90293