O365 Exchange

Introduction

If your organization has a hybrid deployment (on-premises plus Microsoft Office 365), you frequently have to relay email messages to the Internet through Office 365. That is, messages that you send from your on-premises environment (mailboxes, applications, scanners, fax machines, and so on) to Internet recipients are first routed to Office 365, and then sent out.


Figure: Email relayed from your on-premises email servers to the Internet through Office 365

For this relay to work correctly, your organization must follow these steps:

  1. Create one or more connectors in Office 365 to authenticate email messages from your on-premises mail servers by using either the sending IP address or a certificate.

  2. Configure your on-premises servers to relay through Office 365.

  3. Configure your setup so that either of the following conditions is true:

    • Sender domain

      The sender domain belongs to your organization (that is, you have registered your domain in Office365).

      Note For more information, see Add User and Domain in Office 365.

    • Certificate-based connector configuration

      Your on-premises email server is configured to use a certificate to send email to Office 365, and the Common-Name (CN) or Subject Alternate Name (SAN) in the certificate contains a domain name that you have registered in Office 365, and you have created a certificate-based connector in Office 365 that has that domain.

If neither of the conditions in step 3 is true, Office 365 can't determine whether the message that was sent from your on-premises environment belongs to your organization. Therefore, if you use hybrid deployments, you should make sure that you meet either of the step 3 conditions.

Summary

Beginning July 5, 2017, Office 365 no longer supports relaying email messages if a hybrid environment customer has not configured their environment for either of the step 3 conditions. Such messages are rejected and trigger the following error message:

550 5.7.64 Relay Access Denied ATTR36. For more details please refer to KB 3169958.

Additionally, you must meet the second condition ('certificate-based connector configuration') in step 3 in the Introduction section if your organization requires that any of the following scenarios continue to work after July 5, 2017.

Note

The original deadline for this new process was moved from February 1, 2017, to July 5, 2017, to provide sufficient time for customers to implement the changes.

Scenarios in which Office 365 does not support relaying email messages by default

  • Your organization has to send non-delivery reports (NDRs) from the on-premises environment to a recipient on the Internet, and it has to relay the messages through Office 365. For example, somebody sends an email message to john@contoso.com, a user who used to exist in your organization's on-premises environment. This causes an NDR to be sent to the original sender.

  • Your organization has to send messages from the email server in your on-premises environment from domains that your organization hasn't added to Office 365. For example, your organization (contoso.com) sends email as the fabrikam.com domain, and fabrikam.com doesn't belong to your organization.

  • A forwarding rule is configured on your on-premises server, and messages are relayed through Office 365.

    For example, contoso.com is your organization's domain. A user on your organization's on-premises server, kate@contoso.com, enables forwarding for all messages to kate@tailspintoys.com. When john@fabrikam.com sends a message to kate@contoso.com, the message is automatically forwarded to kate@tailspintoys.com.

    From the point of view of Office 365, the message is sent from john@fabrikam.com to kate@tailspintoys.com. Because Kate's mail is forwarded, neither the sender domain nor the recipient domain belongs to your organization.

Figure: A forwarded message from contoso.com that's allowed to be relayed through Office 365 because the step 3 'certificate-based connector configuration' condition is met

More information

You can set up a certificate-based connector for Office 365 to relay messages to the Internet. To do this, use the following method.

Step 1: Create or change a certificate-based connector in Office 365

To create or change a certificate-based connector, follow these steps:

  1. Sign in to the Office 365 portal (https://portal.office.com), click Admin, and then open the Exchange admin center. For more information, see Exchange admin center in Exchange Online.

  2. Click mail flow, click connectors, and then do one of the following:

    • If there are no connectors, click (Add) to create a connector.

    • If a connector already exists, select it, and then click (Edit).

  3. On the Select your mail flow scenario page, select Your organization's email server in the From box, and then select Office 365 in the To box.

    Note

    This creates a connector that indicates that your on-premises server is the sending source for your messages.

  4. Enter the connector name and other information, and then click Next.

  5. On the New connector or Edit connector page, select the first option to use a Transport Layer Security (TLS) certificate to identify the sender source of your organization's messages. The domain name in the option should match the CN name or SAN in the certificate that you're using.

    Note

    This domain must be a domain that belongs to your organization, and you have to have added it to Office 365. For more information, see Add Domains in Office 365.

    For example, Contoso.com belongs to your organization, and it's part of the CN name or SAN name in the certificate that your organization uses to communicate with Office 365. If the domain in the certificate contains multiple domains (such as mail1.contoso.com, mail2.contoso.com), we recommend that the domain in the connector UI be *.contoso.com.

    Note

    Existing hybrid customers who used the Hybrid Configuration Wizard to configure their connectors should check their existing connector to make sure that it uses, for example, *.contoso.com instead of mail.contoso.com or <hostname>.contoso.com. This is because mail.contoso.com and <hostname>.contoso.com may not be registered domains in Office 365.

    Figure: Setting up the connector to use the 'contoso.com' format (for example)
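    The connector from Step 1, expressed in Exchange Online PowerShell, followed by the check from the note above (is the certificate name on each on-premises connector actually a registered domain?). This is an added example, not from the article; it assumes an open Exchange Online PowerShell session, that contoso.com (the article's sample domain) is an accepted domain in the tenant, and the connector name is a constructed value.

```powershell
# Added example (not from the article): create the certificate-based inbound
# connector described in Step 1, then audit existing OnPremises connectors.
# Assumes an open Exchange Online PowerShell session and that contoso.com is
# an accepted domain in the tenant. The connector name is a constructed value.

# The connector identifies on-premises mail by the *.contoso.com certificate
# name rather than by a single host name or a sending IP address.
$connector = @{
    Name                         = 'Inbound from on-premises (certificate)'
    ConnectorType                = 'OnPremises'
    SenderDomains                = '*'
    RequireTls                   = $true
    TlsSenderCertificateName     = '*.contoso.com'
    RestrictDomainsToCertificate = $true
}
if (-not (Get-InboundConnector -Identity $connector.Name -ErrorAction SilentlyContinue)) {
    New-InboundConnector @connector
}

# The "existing hybrid customers" note: flag any OnPremises connector whose
# certificate name (for example mail.contoso.com) is neither a registered domain
# nor a wildcard whose base (*.contoso.com -> contoso.com) is one.
function Test-CertificateConnectors {
    $accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }
    foreach ($c in Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
        $certName = [string]$c.TlsSenderCertificateName
        if (-not $certName) {
            [pscustomobject]@{ Connector = $c.Name; CertificateName = '(none)'; Status = 'IP-based or unset' }
            continue
        }
        # Strip a leading "*." so a wildcard is judged by the domain it covers.
        $base = $certName.ToLower() -replace '^\*\.', ''
        $ok   = $accepted -contains $base
        [pscustomobject]@{
            Connector       = $c.Name
            CertificateName = $certName
            Status          = if ($ok) { 'OK' } else { 'Not a registered domain: relay may be rejected with 5.7.64' }
        }
    }
}

Test-CertificateConnectors | Format-Table -AutoSize
```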

Step 2: Register your domain in Office 365

To register your domain, follow the steps in the following Office article:

In the Microsoft 365 Admin Center, click Setup, and then click Domains to see the list of domains that are registered.

Step 3: Configure your on-premises environment

To configure your on-premises environment, follow these steps:

  1. If your organization uses Exchange Server for its on-premises server, configure the server to send messages over TLS. To do this, see Set up your email server to relay mail to the Internet via Office 365.

    Note

    If you've already used the Hybrid Configuration Wizard, you can continue to use it. However, make sure that you use a certificate that matches the criteria that are outlined in Step 1, sub-step 5 of this section.

  2. Install a certificate in your on-premises environment. To do this, see Step 6: Configure an SSL certificate.

References

For more information about how to address the connector setting requirement, see Important connector notice.

For more information about how to relay messages through Office 365, see the 'Setting up mail flow where some mailboxes are in Office 365 and some mailboxes are on your organization's mail servers' section of Mail flow best practices for Exchange Online and Office 365.

Still need help? Go to Microsoft Community or the Exchange TechNet Forums.

The Exchange Online PowerShell V2 module (abbreviated as the EXO V2 module) uses modern authentication and works with multi-factor authentication (MFA) for connecting to all Exchange-related PowerShell environments in Microsoft 365: Exchange Online PowerShell, Security & Compliance PowerShell, and standalone Exchange Online Protection (EOP) PowerShell. For more information about the EXO V2 module, see About the Exchange Online PowerShell V2 module.

This article contains instructions for how to connect to Exchange Online PowerShell using the EXO V2 module with or without MFA.

To use the older, less secure remote PowerShell connection instructions that will eventually be deprecated, see Basic auth - Connect to Exchange Online PowerShell.

To use the older Exchange Online Remote PowerShell Module to connect to Exchange Online PowerShell using MFA, see V1 module - Connect to Exchange Online PowerShell using MFA. Note that this older version of the module will eventually be retired.

What do you need to know before you begin?

  • The requirements for installing and using the EXO V2 module are described in Install and maintain the EXO V2 module.

    Note

    The rest of the instructions in the article assume that you've already installed the module.

  • After you connect, the cmdlets and parameters that you have or don't have access to are controlled by role-based access control (RBAC). For more information, see Permissions in Exchange Online.

    To find the permissions that are required to run specific Exchange Online cmdlets, see Find the permissions required to run any Exchange cmdlet.

  • If your organization is on-premises Exchange, and you have Exchange Enterprise CAL with Services licenses for Exchange Online Protection (EOP), your EOP PowerShell connection instructions are the same as Exchange Online PowerShell as described in this article.

Tip

Having problems? Ask in the Exchange Online forum.

Connect to Exchange Online PowerShell using modern authentication with or without MFA

These connection instructions use modern authentication and work with or without multi-factor authentication (MFA).

For other sign-in methods that are available in PowerShell 7, see the PowerShell 7 log in experiences section later in this topic.

  1. In a PowerShell window, load the EXO V2 module by running the following command:

    Notes:

    • If you've already installed the EXO V2 module, the previous command will work as written.
    • You might be able to skip this step and run Connect-ExchangeOnline without loading the module first.
  2. The command that you need to run uses the following syntax:

    • <UPN> is your account in user principal name format (for example, navin@contoso.com).
    • When you use the ExchangeEnvironmentName parameter, you don't need to use the ConnectionUri or AzureADAuthorizationEndPointUrl parameters. For more information, see the parameter descriptions in Connect-ExchangeOnline.
    • The DelegatedOrganization parameter specifies the customer organization that you want to manage as an authorized Microsoft Partner. For more information, see Partners.
    • If you're behind a proxy server, run this command first: $ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where <Value> is IEConfig, WinHttpConfig, or AutoDetect. Then, use the PSSessionOption parameter with the value $ProxyOptions. For more information, see New-PSSessionOption.
    • You can often omit the UserPrincipalName parameter in the next step to enter both the username and password after you run the Connect-ExchangeOnline command. If it doesn't work, then you need to use the UserPrincipalName parameter.
    • If you aren't using MFA, you can often use the Credential parameter instead of the UserPrincipalName parameter. First, run the command $Credential = Get-Credential, enter your username and password, and then use the variable name for the Credential parameter (-Credential $Credential). If it doesn't work, then you need to use the UserPrincipalName parameter.

    This example connects to Exchange Online PowerShell in a Microsoft 365 or Microsoft 365 GCC organization:

    This example connects to Exchange Online PowerShell in an Office 365 Germany organization:

    This example connects to Exchange Online PowerShell in a Microsoft GCC High organization:

    This example connects to Exchange Online PowerShell in a Microsoft 365 DoD organization:

    This example connects to Exchange Online PowerShell to manage another tenant:

  3. In the sign-in window that opens, enter your password, and then click Sign in.

  4. MFA only: A verification code is generated and delivered based on the response option that's configured for your account (for example, a text message or the Microsoft Authenticator app on your device).

    In the verification window that opens, enter the verification code, and then click Verify.

For detailed syntax and parameter information, see Connect-ExchangeOnline.

Note

Be sure to disconnect the remote PowerShell session when you're finished. If you close the PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.
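The connection steps above, gathered into one function that picks the ExchangeEnvironmentName value for each of the five scenarios, applies the proxy and DelegatedOrganization options from the notes, and always disconnects when the work is done. This is an added example, not from the article; it assumes the EXO V2 module is installed (its published module name is ExchangeOnlineManagement) and uses the article's sample UPN navin@contoso.com.

```powershell
# Added example (not from the article). Assumes the EXO V2 module is installed;
# ExchangeOnlineManagement is its published module name. The UPN is the
# article's sample value; any tenant name passed in is a placeholder.

Import-Module ExchangeOnlineManagement

function Invoke-ExoSession {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Commercial', 'Germany', 'GCCHigh', 'DoD')]
        [string] $Cloud = 'Commercial',
        [string] $DelegatedOrganization,                 # partner scenario: customer tenant to manage
        [ValidateSet('None', 'IEConfig', 'WinHttpConfig', 'AutoDetect')]
        [string] $ProxyAccessType = 'None',
        [Parameter(Mandatory)] [scriptblock] $Work       # cmdlets to run once connected
    )

    # The article's scenarios mapped to ExchangeEnvironmentName values;
    # Microsoft 365 / GCC is the default and needs no parameter.
    $environment = @{
        Commercial = $null
        Germany    = 'O365GermanyCloud'
        GCCHigh    = 'O365USGovGCCHigh'
        DoD        = 'O365USGovDoD'
    }[$Cloud]

    $connectParams = @{ UserPrincipalName = $UserPrincipalName }
    if ($environment)           { $connectParams.ExchangeEnvironmentName = $environment }
    if ($DelegatedOrganization) { $connectParams.DelegatedOrganization   = $DelegatedOrganization }
    if ($ProxyAccessType -ne 'None') {
        # Proxy handling from the notes: build the session option first.
        $connectParams.PSSessionOption = New-PSSessionOption -ProxyAccessType $ProxyAccessType
    }

    Connect-ExchangeOnline @connectParams
    try {
        & $Work
    }
    finally {
        # Always release the session: only five concurrent remote sessions are
        # allowed, and an abandoned one is held until it expires.
        Disconnect-ExchangeOnline -Confirm:$false
    }
}

# Usage: confirm the connection with a single mailbox lookup, then disconnect.
Invoke-ExoSession -UserPrincipalName 'navin@contoso.com' -Cloud 'GCCHigh' -Work {
    Get-Mailbox -ResultSize 1 | Select-Object DisplayName, PrimarySmtpAddress
}
```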

PowerShell 7 log in experiences

This section describes the log in experiences that are available in version 2.0.4 or later of the EXO V2 module in PowerShell 7.

For more information about the operating systems that are supported by the EXO V2 module in PowerShell 7, see Supported operating systems for the EXO V2 module.

For detailed syntax and parameter information, see Connect-ExchangeOnline.


Interactive scripting using browser-based single sign-on

Browser-based single sign-on (SSO) is the default log in method in PowerShell 7. The Connect-ExchangeOnline command opens the Azure AD login page in the default browser. After you enter your credentials, older Exchange Online cmdlets and EXO V2 module cmdlets are available in the resulting PowerShell session.

If you use the UserPrincipalName parameter in the command, the UPN value is used on the login page in the browser.

Device-based log in

Use device-based log in when no browser is available (and therefore, you can't see the login page):

The command returns a URL and a unique code that's tied to the session. You need to open the URL in a browser on any computer, and then enter the unique code. After you complete the login in the web browser, the session in the PowerShell 7 window is authenticated via the regular Azure AD authentication flow, and the Exchange Online cmdlets are imported after a few seconds.

Inline credentials

You can enter your credentials directly in the PowerShell window without the need to go to the browser for SSO.

Note

This method does not work with accounts that use multi-factor authentication.

This method is an improvement on the Credential parameter, because you don't need to store the credentials locally in a script, and you can enter the credentials directly in an interactive PowerShell session.


How do you know this worked?

The Exchange Online cmdlets are imported into your local PowerShell session and tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run an Exchange Online PowerShell cmdlet, for example, Get-Mailbox, and see the results.
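The three PowerShell 7 sign-in methods above selected by parameter, followed by the "did this work" check this section describes (an open remote session plus a cheap cmdlet call). This is an added example, not from the article; it assumes EXO V2 module 2.0.4 or later running in PowerShell 7, a non-MFA account if the inline method is chosen, and uses the article's sample UPN.

```powershell
# Added example (not from the article). Assumes EXO V2 module 2.0.4+ in
# PowerShell 7; 'Inline' is only valid for accounts without MFA.

function Connect-ExoPs7 {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Browser', 'Device', 'Inline')] [string] $Method = 'Browser'
    )
    if ($PSVersionTable.PSVersion.Major -lt 7) {
        throw "These sign-in options need PowerShell 7; running $($PSVersionTable.PSVersion)."
    }
    $params = @{ UserPrincipalName = $UserPrincipalName }
    switch ($Method) {
        'Device' { $params.Device = $true }            # no local browser: URL + code are shown
        'Inline' { $params.InlineCredential = $true }  # prompt in the console; MFA accounts unsupported
        default  { }                                   # browser-based SSO, the PowerShell 7 default
    }
    Connect-ExchangeOnline @params
}

function Test-ExoConnection {
    # The EXO V2 module keeps a remote session for the older cmdlets; an
    # opened session plus one successful cmdlet call is the success check.
    $session = Get-PSSession |
        Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' -and $_.State -eq 'Opened' }
    if (-not $session) { return $false }
    try {
        $null = Get-Mailbox -ResultSize 1 -ErrorAction Stop
        return $true
    }
    catch {
        Write-Warning "Session is open but Get-Mailbox failed: $($_.Exception.Message)"
        return $false
    }
}

Connect-ExoPs7 -UserPrincipalName 'navin@contoso.com' -Method 'Device'
if (-not (Test-ExoConnection)) {
    Write-Warning 'Not connected: work through the requirements listed below and sign in again.'
}
```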

If you receive errors, check the following requirements:

  • A common problem is an incorrect password. Run the three steps again and pay close attention to the username and password that you use.

  • To help prevent denial-of-service (DoS) attacks, you're limited to five open remote PowerShell connections to Exchange Online.

  • The account that you use to connect to must be enabled for remote PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.

  • TCP port 80 traffic needs to be open between your local computer and Microsoft 365. It's probably open, but it's something to consider if your organization has a restrictive internet access policy.

  • If your organization uses federated authentication, and your identity provider (IDP) and/or security token service (STS) isn't publicly available, you can't use a federated account to connect to Exchange Online PowerShell. Instead, create and use a non-federated account in Microsoft 365 to connect to Exchange Online PowerShell.