How to force TLS on Office 365

Consider a mail flow scenario where your Office 365 tenant wants to force TLS for certain domains that you do business with. You can achieve this by creating inbound and outbound connectors in Exchange Admin Center.

Suppose that domain1.com which is on Office 365 wants to force TLS for domain2.com for any emails coming in or going out of Office 365.

Here are the steps:

  1. Log in to Office 365 at https://portal.microsoftonline.com with your Global Admin credentials (an account holding only the Exchange Administrator role is sufficient for connector changes and is the lower-privilege choice)
  2. Once logged in, click on Admin at the top right and then click on Exchange to go to Exchange Admin Center
  3. Click on mail flow and then click on the connectors tab
  4. Click on the plus symbol under Inbound Connectors
  5. Type in the name of the inbound connector. For example, “From domain2.com”
  6. Under the connector type, select Partner
  7. Under Connection Security, select Force TLS and type * under Certificate. The wildcard means TLS is required for the connection but any certificate subject name is accepted, so the connector is not tied to a particular partner certificate. If you know the subject name of the partner's sending certificate (for example mail.domain2.com), enter that instead so that mail claiming to be from domain2.com over TLS with some other certificate is rejected as well.
  8. Under domain restrictions, select None
  9. Under Domains, click on the plus symbol and add your domain. In this case, it would be domain2.com
  10. Do not enter anything under IP addresses and Accepted domains
  11. Hit Save. Mail from senders in domain2.com now has to arrive over TLS; an inbound SMTP connection from that domain that does not negotiate TLS is rejected rather than accepted in plaintext.
  12. Back to the Exchange Admin Center, under Outbound Connectors, click on the plus symbol for making a new outbound connector
  13. Under Name, enter the name of the connector. For example, “To domain2.com”
  14. Under the connector type, select Partner
  15. Under Connection Security, select Trusted certificate authority. The right choice depends on the certificate the partner presents: select Self-signed certificate if that is what the partner uses. Opportunistic TLS is also offered, but it falls back to plaintext whenever the partner does not offer TLS, so it does not force TLS and defeats the purpose of this connector.
  16. Under outbound delivery select MX record associated with the recipient domain
  17. Under domains, click on the plus symbol and add domain2.com.
  18. Hit Save. Every message leaving Office 365 for domain2.com is now sent over a TLS connection that satisfies the setting chosen in step 15; if the partner cannot negotiate such a connection, the message is not delivered in plaintext.
  19. In order to use multiple partner domains to force the TLS, you can add multiple domains under steps 9 and 17 above
  20. You can also make changes to the above configuration using PowerShell with the Set-InboundConnector and Set-OutboundConnector cmdlets. For example, to add a new sender domain to an existing inbound connector so that mail from that domain must also arrive over TLS, use the Add syntax, which appends to the existing list instead of replacing it:

    # Append newdomain.com to the connector's SenderDomains; existing entries are kept
    Set-InboundConnector -Identity "force tls for partner domains" -SenderDomains @{Add="newdomain.com"}

    # The outbound connector takes the same syntax on its RecipientDomains list
    Set-OutboundConnector -Identity "To domain2.com" -RecipientDomains @{Add="newdomain.com"}
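The same pair of connectors from steps 1 to 19, created in Exchange Online PowerShell instead of the Exchange Admin Center. This is an added example and not code from the original post; domain2.com and the connector names are placeholders taken from the steps above, the ExchangeOnlineManagement module connection is an assumption, and the * certificate wildcard is carried over from step 7.

```powershell
# Added example (not from the original post): script the inbound and outbound partner
# connectors described above. Assumes the ExchangeOnlineManagement module is installed
# and the signed-in account has Exchange admin rights. domain2.com is a placeholder.
Connect-ExchangeOnline

$partnerDomain = "domain2.com"

# Inbound connector (steps 4-11): mail from domain2.com must arrive over TLS.
# TlsSenderCertificateName "*" mirrors the wildcard typed into the EAC in step 7; replacing it
# with the partner's certificate subject name (e.g. mail.domain2.com) pins the connector to
# that certificate. RestrictDomainsToCertificate $false matches "Domain restrictions: None".
New-InboundConnector -Name "From $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -TlsSenderCertificateName "*" `
    -RestrictDomainsToCertificate $false `
    -Enabled $true

# Outbound connector (steps 12-18): mail to domain2.com must leave over TLS.
# TlsSettings CertificateValidation is the EAC's "Trusted certificate authority";
# EncryptionOnly accepts any certificate including self-signed ones, and DomainValidation
# additionally requires the certificate subject to match -TlsDomain. UseMXRecord $true
# routes via the recipient domain's MX records rather than a fixed smart host.
New-OutboundConnector -Name "To $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -TlsSettings CertificateValidation `
    -UseMXRecord $true `
    -Enabled $true

# Check the result: both connectors should list the partner domain and show TLS required.
Get-InboundConnector -Identity "From $partnerDomain" |
    Format-List Name, ConnectorType, SenderDomains, RequireTls, TlsSenderCertificateName
Get-OutboundConnector -Identity "To $partnerDomain" |
    Format-List Name, ConnectorType, RecipientDomains, TlsSettings, UseMXRecord
```

Run the two Get- commands again after any EAC change as well; a connector whose TlsSettings comes back empty, or whose RequireTls is False, has silently dropped back to opportunistic TLS.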
