Configuring Exchange Online connectors

If you selected server-side or combo mode during the registration of a new tenant and completed the provisioning of our services and your SPF records are set up, you need to create Exchange Online connectors.

Creating an outbound and inbound Exchange Online connector for your tenant is required so that emails sent by your organization can be routed through our service to get signatures. Additionally, an Exchange Online transport rule needs to be configured for the outbound connector, to specify the scope of senders whose messages will be processed by our service. The CodeTwo Email Azure Service checks such messages against the signature rules you created and stamps them with signatures. 

You can configure Exchange Online connectors automatically or manually. Watch our step-by-step video guide or see detailed instructions below.

• Automatic configuration of Exchange Online connectors
• Manual configuration of Exchange Online connectors

If you want to remove the existing connectors, see the article on uninstalling CodeTwo Email Signatures for Office 365.

Automatic configuration of Exchange Online connectors

You can automatically configure Exchange Online connectors from the Manage tenant pages in the CodeTwo Admin Panel. To access these pages, enter the Dashboard or Tenants tab and use the Manage tenant () button next to the name of your tenant. Choose Exchange Online connectors from the left menu, select the first radio button (Automatically manage my connectors) and click Configure connectors (Fig. 1.).

Fig. 1. Exchange Online connectors configuration page.

The connectors configuration wizard will start (Fig. 2.). The wizard will guide you through the automatic configuration of Exchange Online connectors and transport rule.

Fig. 2. Connectors configuration wizard.

Click Next to start the configuration. On the Authorization page, you will be provided with a temporary authorization code needed to associate our service with your account (Fig. 3.). Copy the code and click Authorize. This will open a Microsoft sign-in page in a new window. Enter the code in the space provided and click Next. Sign in to your Microsoft 365 (Office 365) tenant by providing global admin credentials. When successfully signed in, close the sign-in page to return to the CodeTwo Admin Panel window. You will be automatically moved to step 3. of the wizard.

Fig. 3. Authorization code in the configuration wizard.

Configuring the scope of senders

In the next step (3. Senders scope) you need to specify senders whose emails will be routed through the CodeTwo Email Azure Service to get signatures.

Every sender whose emails go through our service uses one license from your license pool, no matter if this user is defined in any signature rule. That is why you should pay special attention when defining the scope of senders. Learn more about license counting.

You can select all AD users or (to avoid excessive usage of licenses) you can limit the scope of senders to members of a particular group in your Microsoft 365 (a distribution list, Microsoft 365 group, or mail-enabled security group; groups hidden from your address book are also available). You also need to decide if you want to apply signatures to emails sent within your organization.

Fig. 4. Configuring the scope of senders.

Note that any changes in your Active Directory might take some time (up to several hours) to propagate and synchronize with CodeTwo services:

• If you have just created a new group, it may not be available in the group picker (Fig. 4.) right away.
• Any future changes you make to the group selected in the wizard also need time for propagation. For example, if you add new users to this group, they might not get signatures right away. Learn more

If you select a group that has other groups nested inside, emails sent by members of the nested groups will also travel through the CodeTwo service.

If you wish to further customize the range of users whose emails will be stamped with signatures, you can do that by creating signature rules.

In the last step of the wizard (Fig. 5.), click Configure to auto-configure your Microsoft 365 connectors. You will see the progress in the trace log window.

Fig. 5. The last step of the connectors configuration.

When the setup is complete (Fig. 6.), click Finish.

Fig. 6. Successful configuration of connectors.

Once the connectors are set up, you can start managing your signature rules. Read this article for guidelines.

If you use smart host (mail relay) services in your organization, additional configuration might be required. See this article for details.

Manual configuration of Exchange Online connectors

You can also configure Exchange Online connectors manually in the Exchange admin center of your Microsoft 365. Manual setup might be useful if you have any problems with the connectors' configuration wizard, need non-standard (not available in the wizard) settings, or if you simply prefer to create connectors yourself.

To configure the connectors manually, follow the steps below.

1. Access the mail flow configuration pages in Exchange admin center.
2. Configure the inbound connector for CodeTwo Email Signatures for Office 365.
3. Configure the outbound connector for the program.
4. Configure the transport rule for the outbound connector.

Opening mail flow configuration in Exchange admin center

The manual configuration procedure is described in detail in the sections below. In a nutshell, you will need to add two connectors and a transport rule:

• The outbound connector will forward your emails to the service. Learn how to configure the outbound connector.
• The inbound connector will accept processed emails coming from the CodeTwo Email Azure Service. Learn how to configure the inbound connector.
• The transport rule will be responsible for filtering emails to be processed by the CodeTwo Email Azure Service. The rule also helps to avoid processing loops and signature duplicates. Learn how to configure the transport rule.

All the steps required for manual configuration are performed in the Exchange admin center. To access it, sign in to the Microsoft 365 admin center and expand the menu on the left by clicking Show all. Then, click Exchange in the Admin centers section (Fig. 7.). You can also access the Exchange admin center directly by clicking this link.

Fig. 7. Accessing the Exchange admin center from the Microsoft 365 admin center.

Configuration of the outbound connector

In the Exchange admin center, go to Mail flow > Connectors. Click Add a connector to create a new connector (Fig. 8.).

Fig. 8. Adding a new connector.

In the new pane that opens, select Connection from > Office 365, Connection to > Your organization's email server (Fig. 9.). Click Next to continue.

Fig. 9. Mail flow scenario configuration for the outbound connector.

In the next step of the wizard, enter the following name: CodeTwo Outbound Connector and make sure that the Turn it on and Retain internal Exchange email headers (recommended) checkboxes are both enabled (selected), as shown in Fig. 10. Click Next to continue.

Fig. 10. Naming and enabling the outbound connector.

In the next step, choose the second option (Only when I have a transport rule set up that redirects messages to this connector), as shown in Fig. 11. Proceed to the next step.

Fig. 11. Selecting when the outbound connector is going to be used.

In the Routing step, add the following CodeTwo smart host address (Fig. 12.):

[your unique subdomain name].smtp.codetwo.online

Click the Add (+) button and then click Next to continue configuring the connector.

Fig. 12. Routing configuration for the outbound connector.

In the Security restrictions step, configure the options as shown in Fig. 13. and make sure that you provide this address:

*.codetwo.com

as the domain name on the certificate. Proceed to the Validation email step by clicking Next.

Fig. 13. Configuring security restrictions for the outbound connector.

You have to validate the outbound connector (Fig. 14.) by typing any external (not hosted in Microsoft 365) email address and clicking the Add (+) button. After adding the email address, click Validate and - after successful validation - click Next to continue.

Fig. 14. Validation of the outbound connector.

401 4.5.4 Invalid arguments - possible version mismatch [VE1EUR01FT009.eop-EUR01.prod.protection.outlook.com]

In the Review connector step, click Create connector to finish the configuration. When the connector is created click Done.

Configuration of the inbound connector

Next, create an inbound connector. Click the Add a connector button (as shown in Fig. 8.). In the new pane that opens, select Connection from > Your organization's email server. The Connection to selection is made automatically (as shown in Fig. 15.). Click Next to continue.

Fig. 15. Mail flow scenario configuration for the inbound connector.

In the next step of the wizard, enter the following name: CodeTwo Inbound Connector 2.0 and make sure that the Turn it on and Retain internal Exchange email headers (recommended) checkboxes are both enabled (selected), as shown in Fig. 16. Click Next to continue.

Fig. 16. Naming and enabling the inbound connector.

On the Authenticating sent email page, select the first radio button and provide the domain name as follows (Fig. 17.):

[your unique subdomain name].smtp.codetwo.online

Fig. 17. Email authentication method configuration.

Click Next to proceed to the Review connector step and then click Create connector to finish the configuration. When the connector is created, click Done.

Configuration of the CodeTwo Exchange transport rule

Once you're done with connectors, you need to create a new transport rule that will specify senders whose emails will be processed by the CodeTwo Email Azure Service.

This configuration corresponds to the Senders scope step during the automatic configuration of connectors (learn more earlier in this article). You can specify the following scopes of senders:

• all of your Active Directory users,
• only selected users or users belonging to a specific group or groups,
• all or selected AD users but excluding internal messages.

Configuration of the transport rule for all AD users

To add and configure a new transport rule for all AD users (including emails sent internally in your organization), open the Exchange admin center and go to Mail flow > Rules. Use the New (+) button and select Create a new rule from the drop-down list (Fig. 18.).

Fig. 18. Adding a new transport rule for the program's outbound connector.

Configure the rule in the following way:

• Type the following name: CodeTwo Exchange transport rule
• Click the More options... link at the bottom to show all configuration settings.
• In the Apply this rule if... section, add the following condition: The sender... > is external/internal. Select Inside the organization
• In the Do the following... section, add the following action: Redirect the message to... > the following connector > CodeTwo Outbound Connector
• In the Except if... section, add the following three exceptions:
  • The sender... > address matches any of these text patterns... > specify the following phrase: <>
  • The message properties... > include the message type > select the following message type: Calendaring
  • A message header... > matches these text patterns > specify the following header name:
    X-CodeTwoProcessed and enter the following text pattern: true

Leave the other options with their default settings, except for these fields:

• Defer the message if rule processing doesn't complete - must be enabled (selected)
• Match sender address in message - change to Header or envelope

Review your settings - compare them with Fig. 19. and make sure your rule looks exactly the same.

Fig. 19. The correct configuration of the CodeTwo Exchange transport rule for all users.

The created transport rule is applied to both outgoing and internal messages. If you do not want to add signatures to emails sent between the users inside your tenant, you need to specify an additional condition, as described in this section.

Configuration of the transport rule for selected users or groups

If you want to add a transport rule that limits your users to a particular group in your Microsoft 365, start with configuring a transport rule for all users, as described earlier in this article. If all the settings are exactly as in Fig. 19., add another condition in the Apply this rule if... field: you can select individual senders (The sender... > is this person) or groups (The sender... > is a member of this group) from the menu. An example of changing the scope of senders to a distribution group (Engineering) is shown in Fig. 20.

Fig. 20. Limiting the scope of senders.

The transport rule will be applied to both outgoing and internal messages sent by the users and/or members of the group(s) you specified. Note that if the group you selected has other groups nested inside, emails sent by members of the nested groups will also travel through the CodeTwo service.

If you do not want to add signatures to emails sent between the users inside your tenant, you need to add and configure another condition, as described in the next section.

Configuration of the transport rule to exclude internal emails

If you would like to stop adding signatures to your internal correspondence, you need to modify your transport rule by adding an extra condition in the Apply this rule if... field. Click add condition, select The recipient... is external/internal and choose Outside the organization. The condition should appear as shown in Fig. 21.

Fig. 21. Additional condition to exclude internal correspondence.

See next

Start managing email signatures in your organization