Secure Mail Flow
You or your clients and vendors may require TLS encryption for email exchanges. Financial and health care providers will often be subject to government regulations that require this additional layer of protection. The default configuration provides opportunistic TLS encryption; in other words, Exchange Online will first try to connect to another mail system with TLS encryption and fail back to plain text if that doesn't work.
If you require enforced TLS encryption, you will need to create two connectors: one for sending mail and one for receiving mail. To do so, open the Exchange admin center and navigate to Mail Flow > Connectors. Creating the sending connector is very straightforward. Click on the + (plus) sign and select "Sending from Office 365 to a partner organization." Give the new connector a name and type an optional description. Finally, you will enter your partner organization's domain name(s) and save the connector.
The connector for receiving mail is slightly more complicated but still rather straightforward. You begin as before by clicking the + sign. This time you will select sending from your partner organization to Office 365. You will then be prompted to specify whether you want to set this connector to apply to specific domain names or IP addresses. Choose whichever is appropriate for your scenario and enter the information on the next screen. Choose to reject any messages not sent using TLS encryption and optionally verify the TLS certificate. If you want to scope this domain to a specific IP range, you can do so here and save the connector.
The full details of configuring these connectors is available on Microsoft's TechNet Library.
Finally, you will want to ensure line-of-business applications, multifunction copiers, ticketing systems, and other applications and devices will be able to send through your new Office 365 account. There are three options available to you, and Microsoft has documented them all with step-by-step guides.
Now that all of your email and service settings are stored in the cloud, you must pay very close attention to your security settings. It takes only one lucky phishing attempt or social engineering call to give up the keys to the kingdom.
At a minimum, you should establish and use a separate account from your main mailbox as an administrator account and configure your other administrators in the same fashion. In addition, each administrator account should have an enforced minimum password length and expiration period (Service Settings > Passwords), and use multifactor authentication (Users > Active Users > Set multi-factor authentication requirements > Set up), and only the minimum set of permissions required to do the job through Role Based Access Control (RBAC) settings (Exchange admin center > Permissions > Admin roles).
Sign up for CIO Asia eNewsletters.