How to route internal Microsoft 365 messages through an on-premises mail server

Problem:

In your hybrid environment with Centralized Mail Transport, internal emails sent between Microsoft 365 / Office 365 (cloud) mailboxes are not routed through your on-premises Exchange server. As a result, CodeTwo software is not able to process these emails (e.g. add email signatures).

Solution:

The software from the CodeTwo Exchange Rules family can only process emails that travel through on-premises (local) Exchange Server. By default, the Centralized Mail Transport (CMT) feature does not apply to messages sent internally between cloud mailboxes (that is, mailboxes in Microsoft 365 / Exchange Online) - such messages are not routed through the on-premises part of your organization. If you want the CodeTwo software to process internal emails sent from one Microsoft 365 mailbox to another, you need to reconfigure the mail flow in your Microsoft 365 tenant (Exchange Online), so that these emails pass through your on-premises mail server. Such reconfiguration requires:

1. Creating an Exchange Online connector with the same settings as the outbound hybrid connector responsible for delivering messages to your on-premises server, but that can only be triggered by a transport rule. See guidelines
2. Creating a transport rule that uses the newly created connector and applies only to messages sent by your Microsoft 365 mailboxes. See guidelines

Creating an outbound connector based on the existing outbound hybrid connector

Exchange Online connectors allow you to choose which messages are routed through them (Fig. 1.). Two routing methods are available: you can specify the scope of messages directly in the connector setup (so the connector controls the scope autonomously) or you can set the connector to be used only when a transport rule redirects messages to this connector (this is known as conditional mail routing). A single connector can only use one routing method at a time.

Fig. 1. The message routing options in the connector configuration.

By default, your outbound hybrid connector is configured to automatically control which messages are sent to the on-premises part of the environment. You need to be able to control your hybrid outbound connector via a transport rule, without affecting the current (default) hybrid configuration. The safest way to achieve that is to create a new Exchange Online connector by copying the configuration of the existing outbound hybrid connector, and setting this new connector to be triggered by a transport rule. To do so, please follow these steps:

1. Sign in to the Exchange admin center.
2. Go to Mail flow > Connectors.
3. Find your outbound hybrid connector. You can recognize it by its mail flow scenario: it is set to transfer messages FROM Office 365 and TO Your organization's email server. Also, its name usually begins with: Outbound to <your GUID here>.
4. Select this connector, carefully note down all the configuration information presented in the right pane, and close the pane.
5. Make sure the connector can be validated.

   Warning

   If your connector cannot be validated, this is caused by issues related to your environment. Do not proceed further until you solve all the problems and validate the connector. Otherwise, your messages may not be delivered correctly.

6. Once your connector is successfully validated, you can create its clone which will be controlled via a transport rule. This way, you will be able to decide which messages are supposed to reach the on-premises part of the environment, without affecting the default hybrid configuration.
7. To create a new connector, click the Add a connector button.
8. On the first page of the wizard, select the following mail flow scenario: Connection from: Office 365, Connectionto: Your organization's email server (Fig.2.). Click Next.

Fig. 2. Creating a clone of the default hybrid outbound connector.

10. Provide a name for the connector (e.g. OnPremisesManualForward), leave all the other settings (checkboxes) as they are, and proceed to the next step.
11. In the next step, you need to specify when you want to use your connector. Make sure to select Only when I have a transport rule set up that redirects messages to this connector (see Fig. 1.).
12. Complete the wizard using the same settings as those in your default outbound hybrid connector (you should have noted down all the required information, as mentioned earlier).
13. Validate your connector and make sure it works correctly.

    Warning

    If your connector is not validated successfully, this is caused by issues related to your environment. Do not proceed further until you solve all the problems and complete the validation. Otherwise, your emails may not be delivered correctly.

After you successfully verify your new connector, you can proceed and create a transport rule that will route your emails to this connector.

Creating a transport rule to forward messages sent by Microsoft 365 mailboxes to the new connector

If you have completed creating and validating the new (cloned) outbound hybrid connector, you need to create a transport rule that will forward specific messages (in this case: messages sent from mailboxes in your Microsoft 365) to your on-premises mail server.

To create the transport rule that redirects messages to the newly created connector, you need to:

1. Open the Exchange admin center again and go to the Mail flow > Rules.
2. Click the Add a rule button and select Create a new rule from the drop-down menu.
3. First, name the rule.
4. In the Apply this rule if section, configure the following condition: The sender > is external/internaland choose Inside the organization.
5. In the Do the following section, add the following actions (keep the same order):
   • Action #1: Modify the message properties > set a message header. Name the header as you want (e.g. X-OnPremisesManualForward) and set the value to true.
   • Action #2: Redirect the message to > the following connector and choose your cloned hybrid outbound connector.
6. In the Except if section, add the following exceptions:
   • Exception #1: The message headers > includes any of these words. You need to use the same header name as in action #1 (here: X-OnPremisesManualForward) and specify the following phrase: true. This exception prevents against message routing loops.
   • ​Exception #2: The sender > is a member of this group and select the distribution group containing the cloud-only objects (Microsoft 365 objects that are not synchronized with your on-premises Exchange server).
   • ​Exception #3: The recipient > is a member of this group and select your distribution group with the cloud-only objects (Microsoft 365 objects that are not synchronized with your on-premises Exchange server).
7. The complete transport rule should look similar to the one shown in Fig. 3.

Fig. 3. An example configuration of the new transport rule.

8. Proceed to the next step of the wizard, Set rule settings. Scroll down and select the Defer the message if rule processing doesn't complete checkbox to make sure the rule will not be skipped in case of any mail flow issues (Fig. 4.).

Fig. 4. Making sure the rule is not skipped if there are any mail flow issues.

9. Complete the wizard and save your rule by clicking Finish and Done - it will appear on the rules' list.
10. By default, the rule is disabled. To turn it on, click it (to select it) and, in the pane that opens, set the toggle button to Enabled (Fig. 5.).

Fig. 5. Enabling the newly-created rule.

From now on, messages sent between your Microsoft 365 users should be routed through the on-premises environment without causing any delivery issues, and the CodeTwo software should be able to process them.