In this article, you will find information about the M365 Exchange Connector setup for customers using Office 365 as a mailing service. This alternative to the traditional MX record setup offers a fast, practical route to configure Email Security. The connector ensures full scanning of both inbound and outbound email flows, delivering comprehensive threat prevention while simplifying deployment for Microsoft 365 environments.
1. Requirements
2. Creating the Entra ID enterprise app
3. Setting up a domain to use the M365 Exchange connector setup
4. Switching from MX records setup to M365 Exchange connector setup
REQUIREMENTS
The M365 Exchange Connector setup requires the following conditions:
- Azure/Entra tenant ID for the Entra ID enterprise app.
- Your domain's MX records must point to the Office 365 MX records.
- Your SPF records must be configured on the domain's DNS settings.
CREATING THE ENTRA ID ENTERPRISE APP
To configure connectors and mail transport rules in Exchange Online Protection, HEIMDAL creates an enterprise app in Entra ID and manages everything through Microsoft Graph. To set it up, follow the steps below:
1. In the HEIMDAL Dashboard, go to Guide -> Customer settings -> Login Setup -> Azure Login and insert your Azure/Entra tenant ID.
2. After setting your Azure/Entra tenant ID, navigate to Network Settings -> Email Protection, enable Email Security (if not already enabled), and press the Grant consent link.
3. You will be prompted to insert your M365 credentials (make sure you use a Global Administrator user account).
4. Press the Accept button to grant permissions to the Entra ID enterprise app.
5. After accepting permissions, a new enterprise app (called Heimdal Security ESEC All) will be created in Entra ID.
SETTING A DOMAIN TO USE THE M365 EXCHANGE CONNECTOR SETUP
Adding a new domain is pretty simple with the following steps:
1. In the Email Protection tab, click the Add Domain button.
2. Type in your domain's name, select M365 Exchange Connector setup, insert your Inbound Mail Server (provided by Microsoft 365) and your Outbound IP/Provider (select the Office365 option from the dropdown), and press Save changes.
A validation operation takes place, and if all conditions are met, the Exchange Online connectors and rules are created. The following 3 connectors will be automatically created to handle the flow:
The following 4 rules will handle the routing of the email flows.
Note: If the connectors and rules are not created in Exchange Online, make sure the Heimdal Security ESEC All application has been added to the Exchange Administrator role (in the Entra Roles and Administrators).
SWITCHING FROM MX RECORDS SETUP TO M365 EXCHANGE CONNECTOR SETUP
If you are looking to switch an existing Email Security configuration from the MX records setup to the M365 Exchange Connector setup, you need to make sure you fulfill the following conditions:
- Consent is granted to the Heimdal Security ESEC All Entra ID enterprise app.
- Inbound flow
  - Your domain's MX records must point to the Office 365 MX records, not the Email Security MX records.
  - The SPF checkbox under Additional Domain Settings must be disabled.
- Outbound flow (if configured)
  - Your SPF records must be configured on the domain's DNS settings.
  - You have only one Outbound IP/Provider server set to use Office 365.
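The DNS-side conditions above (MX pointing to Office 365, SPF published) can be checked before saving the change. The following Python sketch is an added example, not HEIMDAL's code: the function names, the sample records, and the Office 365 MX host suffixes are assumptions, and the record lists are meant to be filled from your own DNS lookup output.

```python
# Added example: pre-flight check of the DNS conditions for the connector setup.
# Assumption: Exchange Online Protection MX hosts end in one of these suffixes.
O365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")
RESTRICTIVE_ALL = ("-all", "~all", "?all")


def check_mx(mx_hosts):
    """Inbound flow: every MX host must be an Office 365 MX host."""
    hosts = [h.rstrip(".").lower() for h in mx_hosts]
    if not hosts:
        return ["no MX records found"]
    return [f"MX {h} does not point to Office 365"
            for h in hosts if not h.endswith(O365_MX_SUFFIXES)]


def check_spf(txt_records):
    """Outbound flow: exactly one usable SPF record must be published."""
    spf = [t.split() for t in txt_records
           if t.split() and t.split()[0].lower() == "v=spf1"]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        # RFC 7208: more than one SPF record makes evaluation fail (permerror).
        return [f"{len(spf)} SPF records found, expected exactly one"]
    terms = [term.lower() for term in spf[0][1:]]
    if any(term in ("all", "+all") for term in terms):
        return ["SPF contains +all, which authorizes every sender"]
    if not any(term in RESTRICTIVE_ALL or term.startswith("redirect=")
               for term in terms):
        return ["SPF has no 'all' mechanism or redirect modifier"]
    return []


def preflight(mx_hosts, txt_records, outbound_configured=True):
    """Return the unmet conditions per mail flow; empty lists mean ready."""
    return {
        "inbound": check_mx(mx_hosts),
        "outbound": check_spf(txt_records) if outbound_configured else [],
    }


# Constructed sample DNS answers for a placeholder domain.
READY_MX = ["example-com.mail.protection.outlook.com."]
READY_TXT = ["v=spf1 include:spf.protection.outlook.com -all"]
NOT_READY_MX = ["mx1.email-security.example."]  # placeholder, not a real MX host
NOT_READY_TXT = ["v=spf1 -all", "v=spf1 include:spf.protection.outlook.com ~all"]

if __name__ == "__main__":
    print(preflight(READY_MX, READY_TXT))
    print(preflight(NOT_READY_MX, NOT_READY_TXT))
```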
Once the conditions are met, you can open the Configuration tab and, under the Domain Name field, click the M365 Exchange Connector setup and press Save Changes.
A validation toaster message will be displayed to confirm if all conditions are met.
IMPORTANT
In the case of switching from MX records setup to M365 Exchange Connector setup, the Inbound Verification - Anti-Spoofing and SEPO sections are greyed out.
If switching from the M365 Exchange Connector setup to the MX records setup, the Inbound Verification - Anti-Spoofing and SEPO sections are reactivated. Additionally, the Heimdal Security ESEC All application in Entra ID is removed.
Note: If the Grant Consent is revoked (status becomes disabled) and the setup is switched to MX Record, the previously configured M365 Exchange Connector will not be removed automatically. It must be deleted manually by the administrator.
The Health Check Connector option is available and is intended to validate the M365 Exchange Connector provisioning. This is particularly useful because connector creation may take up to 1–2 minutes: the check allows IT admins to confirm the readiness and operational status of the configured connector before applying critical routing changes.