Configuring Exchange Online connectors

If you selected server-side mode or combo mode during registration of a new tenant, you will be asked to take a few additional steps to finish your tenant's configuration when the provisioning of our services is completed (Fig. 1.). This includes creating and setting up Exchange Online connectors. You can do it later, either automatically or manually, but keep in mind that email signatures will not be added by the CodeTwo Email Azure Service until the connectors are configured correctly. Creating an outbound and inbound Exchange Online connector for your tenant is required so that emails sent by your organization can be routed through our service. Additionally, an Exchange Online transport rule needs to be configured for the outbound connector, to specify the scope of senders whose messages will be processed by the service. The CodeTwo Email Azure Service checks these messages against the signature rules you created and stamps them with signatures.

Important

If you selected client-side mode when registering your tenant, configuring Exchange Online connectors is not required.

Fig. 1. Additional steps required to finish the configuration of a tenant.

The program allows you to configure Exchange Online connectors automatically or manually. Use the links below to learn more.

Automatic configuration of Exchange Online connectors
Manual configuration of Exchange Online connectors

Info

If you want to remove the existing connectors, see the article on uninstalling CodeTwo Email Signatures for Office 365.

Automatic configuration of Exchange Online connectors

If you decided to configure connectors right away, select the first radio button (Automatically manage my connectors) and click the Configure connectors button displayed on the Next steps page (see Fig. 1.).

Tip

If you skip the connectors configuration at this moment, you can get back to it anytime from the Manage tenant pages in the CodeTwo Admin Panel. To access these pages, enter the Dashboard or Tenants tab and use the Manage tenant ( ESIG for O365 settings button2 13px ) button next to the name of your tenant. Choose Exchange Online connectors from the left menu, select the first radio button (Automatically manage my connectors) and click Configure connectors (Fig. 2.).

Fig. 2. Exchange Online connectors configuration page.

The connectors configuration wizard will start (Fig. 3.). The wizard will guide you through the automatic configuration of Exchange Online connectors and transport rule.

Fig. 3. Connectors configuration wizard.

Click Next to start the configuration and the wizard will ask you to provide your Office 365 global admin credentials (step 2. Login - not shown here). These credentials are necessary because initial authorization via Azure's OAuth 2.0 does not allow any third-party apps to access the connectors' configuration in Office 365 tenants.

Important

Your credentials are not stored with any CodeTwo service. If necessary, you can skip the connectors' configuration via the wizard and set them up manually in your Office 365. However, we strongly advise against manual configuration of connectors.

Info

If multi-factor authentication (MFA) was enabled for the account used to set up the connectors, remember to use the app password instead of your regular Office 365 password. Learn more

In the next step (3. Senders scope) you need to specify senders whose emails will be routed through the CodeTwo Email Azure Service to receive signatures. You can select all AD users or (to avoid excessive usage of licenses) you can limit the scope of senders to members of a particular group in your Office 365 (a distribution list, Office 365 group, or mail-enabled security group; groups hidden from your address book are also available). You also need to decide if you want to apply signatures to emails sent within your organization.

Important

Every sender whose emails go through our service uses one license from your license pool, no matter if this user is defined in any signature rule. In addition, in combo mode, every user who installs and signs in to CodeTwo Signatures Add-in for Outlook also consumes one license, unless the user was already counted towards the limit by being included in the group of senders whose messages go through our service. That is why you should pay special attention when defining the scope of senders. Learn more about license counting.

Fig. 4. Configuring the scope of senders.

Note that if you select a group that has other groups nested inside, emails sent by members of the nested groups will also travel through the CodeTwo service.

Tip

A good idea is to prepare a separate group for all users who may require email signatures. Such a solution lets you avoid excessive usage of licenses. If you want to add more than one group, you need to edit the transport rule and add another group manually.

If you wish to further customize the range of users whose emails will be stamped with signatures, you can do that by creating signature rules (see our Quick guide and articles in the signature management section).

In the last step of the wizard (Fig. 5.), click Configure to auto-configure your Office 365 connectors. You will see the progress in the trace log window.

Fig. 5. The last step of the connectors configuration.

Once this step is complete (Fig. 6.), click Finish.

Important

Note that it can take from a few minutes to more than an hour for the changes in the connector configuration to propagate. Email signatures created in the program might not be added to messages sent from your tenant during that time.

If you configured the program to process messages sent to a particular group, every change made to this group (such as adding new users) also requires time to propagate in your Office 365. Learn more

Fig. 6. Successful configuration of connectors.

Info

If you cannot or do not want to use the wizard, see the section on manual configuration of connectors and transport rule.

If you use smart host (mail relay) services in your organization, additional configuration might be required. See this article for details.

You can now install and launch the Manage Signatures App to start managing your signature rules. Read this article for guidelines.

Manual configuration of Exchange Online connectors

You can also configure Exchange Online connectors manually in the Exchange admin center of your Office 365. Manual setup might be useful if you have any problems with the connectors' configuration wizard, need non-standard (not available in the wizard) settings, or if you simply prefer to create connectors yourself.

Warning

CodeTwo strongly recommends that you use the configuration wizard instead of manually setting up connectors, to avoid mistakes and unsupported customizations.

To configure the connectors manually, follow the steps below.

Access the mail flow configuration pages in Exchange admin center.
Configure the inbound connector for CodeTwo Email Signatures for Office 365.
Configure the outbound connector for the program.
Configure the transport rule for the outbound connector.

Opening mail flow configuration in Exchange admin center

To manually add your connectors, start with logging in to your Office 365 tenant as administrator. On the Home screen, select Admin (Fig. 7.) to enter your Microsoft 365 admin center (Office 365 admin center).

Fig. 7. Accessing Microsoft 365 admin center.

Enter your Office 365 Exchange admin center via the navigation menu on the left side (Fig. 8.).

Fig. 8. Opening Exchange admin center.

Select mail flow from the menu (Fig. 9.).

Fig. 9. Accessing mail flow configuration pages in Exchange admin center.

Now you have to configure the mail flow configuration pages. The whole procedure is described in detail in the sections below. In a nutshell, you will need to add two connectors (Fig. 10.) and a transport rule:

The inbound connector will accept processed emails coming from the CodeTwo Email Azure Service. Learn how to configure the inbound connector.
The outbound connector will forward your emails to the service. Learn how to configure the outbound connector.
The transport rule will be responsible for filtering emails to be processed by the CodeTwo Email Azure Service. The rule also helps to avoid processing loops and signature duplicates. Learn how to configure the transport rule.

Fig. 10. CodeTwo connectors in Exchange admin center.

Configuration of the inbound connector

First, create an inbound connector on the connectors tab (see Fig. 10.). Click the plus (+) button to create a new connector. On the pop-up page (Fig. 11.), select From: Your organization's email server, To: Office 365.

Fig. 11. Inbound connector configuration.

On the next page (Fig. 12.), enter the following name: CodeTwo Inbound Connector 2.0 and make sure that the Turn it on and Retain internal Exchange email headers (recommended) checkboxes are both enabled (selected).

Fig. 12. Inbound connector configuration.

On the last page (Fig. 13.), select the first radio button and provide the domain name as follows:

[your unique subdomain name].smtp.codetwo.online

Info

In order to get [your unique subdomain name], go to CodeTwo Admin Panel, access the Exchange Online connectors page in the Manage tenant section of your tenant, and use the link displayed in the I manage my connectors manually section.

Fig. 13. Inbound connector configuration.

Click Next and then Save to finish the configuration.

Configuration of the outbound connector

Next, create an outbound connector via the plus (+) button (see Fig. 10.). On the pop-up page (Fig. 14.), select From: Office 365, To: Your organization's email server.

Fig. 14. Outbound connector configuration.

On the next page, enter the following name: CodeTwo Outbound Connector and make sure that the Turn it on and Retain internal Exchange email headers (recommended) checkboxes are both enabled (selected), as shown in Fig. 15.

Fig. 15. Outbound connector configuration.

In the next step (Fig. 16.), choose the first option (Only when I have a transport rule set up...).

Fig. 16. Outbound connector configuration.

On the next page (Fig. 17.), add the following CodeTwo smart host address:

[your unique subdomain name].smtp.codetwo.online

Info

Fig. 17. Outbound connector configuration.

In the next step, configure the options as shown in Fig. 18. and make sure that you provide the address:

*.codetwo.com

as the domain name on the certificate. Proceed to the connector validation step by clicking Next.

Fig. 18. Outbound connector configuration.

Finally, you have to validate the outbound connector (Fig. 19.) by typing any external (not hosted in Office 365) email address. Click Validate and - after successful validation - click Save to finish the configuration of the outbound connector.

Fig. 19. Validation of the outbound connector.

Warning

If you are not able to validate your connectors and you get the following (or similar) error:

401 4.5.4 Invalid arguments - possible version mismatch [VE1EUR01FT009.eop-EUR01.prod.protection.outlook.com]

then you might be experiencing a recent Office 365 health issue. This problem is not related to our software.

Configuration of the CodeTwo Exchange transport rule

Once you're done with connectors, you need to create a new transport rule that will specify senders whose emails will be processed by the CodeTwo Email Azure Service.

Important

Every sender selected in this step will use one license from your license pool, no matter if the sender is defined in any signature rule. That is why you should pay special attention to properly define the scope of senders in the transport rule.

This configuration corresponds to the Senders scope step during the automatic configuration of connectors (learn more earlier in this article). You can specify the following scopes of senders:

all of your Active Directory users,
only selected users or users belonging to a specific group or groups,
all or selected AD users but excluding internal messages.

Configuration of the transport rule for all AD users

To add and configure a new transport rule for all AD users (including emails sent internally in your organization), switch to the rules tab. Use the plus (+) button to create a new rule (Fig. 20.).

Fig. 20. Adding a new transport rule for the program's outbound connector.

Configure the rule in the following way:

Type the following name: CodeTwo Exchange transport rule
Click the More options... link at the bottom to show all configuration settings.
In the Apply this rule if... section, add the following condition: The sender... > is external/internal. Select Inside the organization
In the Do the following... section, add the following action: Redirect the message to... > the following connector > CodeTwo Outbound Connector
In the Except if... section, add the following three exceptions:
- The sender... > address matches any of these text patterns... > specify the following phrase: <>
- The message properties... > include the message type > select the following message type: Calendaring
- A message header... > matches these text patterns > specify the following header name:
  X-CodeTwoProcessed and enter the following text pattern: true

Leave the other options with their default settings, except for these fields:

Defer the message if rule processing doesn't complete - must be enabled (selected)
Match sender address in message - change to Header or envelope

Review your settings - compare them with Fig. 21. and make sure your rule looks exactly the same.

Fig. 21. The correct configuration of the CodeTwo Exchange transport rule for all users.

Important

In the above configuration, emails of all of your users will be routed through the CodeTwo Email Azure Service to receive signatures. This might lead to excessive usage of licenses (learn more).

The created transport rule is applied to both outgoing and internal messages. If you do not want to add signatures to emails sent between the users inside your tenant, you need to specify an additional condition, as described in this section.

Configuration of the transport rule for selected users or groups

If you want to add a transport rule that limits your users to a particular group in your Office 365, start with configuring a transport rule for all users, as described earlier in this article. If all the settings are exactly as in Fig. 21., add another condition in the Apply this rule if... field: you can select individual senders (The sender... > is this person) or groups (The sender... > is a member of this group) from the menu. An example of changing the scope of senders to a distribution group (Engineering) is shown in Fig. 22.

Fig. 22. Limiting the scope of senders.

The transport rule will be applied to both outgoing and internal messages sent by the users and/or members of the group(s) you specified. Note that if the group you selected has other groups nested inside, emails sent by members of the nested groups will also travel through the CodeTwo service.

Tip

If you need guidelines on how to add multiple groups or if some of your groups are not displayed in the group picker, see our Knowledge Base article.

If you do not want to add signatures to emails sent between the users inside your tenant, you need to add and configure another condition, as described in the next section.

Configuration of the transport rule to exclude internal emails

If you would like to stop adding signatures to your internal correspondence, you need to modify your transport rule by adding an extra condition in the Apply this rule if... field. Click add condition, select The recipient... is external/internal and choose Outside the organization. The condition should appear as shown in Fig. 23.

Fig. 23. Additional condition to exclude internal correspondence.

Important

If you use smart host (mail relay) services in your organization, additional configuration might be required. See this article for details.

See next

Installing and launching the signature management application