Title
Create new category
Edit page index title
Edit category
Edit link
Microsoft Exchange Online
MetaDefender™ Cloud Email Security integrates seamlessly with Microsoft Exchange Online by rerouting email traffic through the platform for advanced security analysis before emails reach user mailboxes or are sent externally. This proactive approach enhances protection compared to API-based solutions that scan emails only after delivery to the mailbox.
How the Exchange Online Integration Works
MetaDefender™ Cloud Email Security establishes a mail flow redirection path within Microsoft 365 using the following components:
Outbound Connector
Configured in Microsoft 365 to forward selected outbound emails to the product platform for inspection before external delivery.
Inbound Connector
Ensures that Microsoft 365 accepts and trusts emails processed and returned from the platform.
Mail Flow Rules (Transport Rules)
Customizable rules define which emails (inbound or outbound) are rerouted to MetaDefender™ Cloud Email Security for analysis. This provides granular control over the protection scope.
For more information see Integration Details (In-line Protection mode) and Integration Details (Monitoring mode).
When integrating on systems with other third-party email security solutions deployed, check Integrating with 3rd Party Connector-Based Email Security Solutions to ensure email loops are prevented.
IP Allowlisting
MetaDefender™ Cloud Email Security platform IP ranges are added to Microsoft 365's allowlist to ensure trusted communication and prevent emails from being marked as spam or rejected.
The IP ranges used by MetaDefender™ Cloud Email Security can be found in Service IP Ranges
Wizard Steps
This guide walks you through the steps to integrate Microsoft Exchange Online with MetaDefender™ Cloud Email Security.
Enter Integration Name
- In the Integration Name field, enter a meaningful name for the integration.
- Click Continue to proceed.
Sign in and Authorize
- Click the Sign in and Authorize button.
- This will open the Microsoft 365 sign in page.
- Log in using your Global Admin Credentials.
- Grant the required permissions for the platform.
Refer to the Microsoft 365 Application permissions KB article for detailed information on the permissions required by MetaDefender™ Cloud Email Security.
Choose Configuration Method
You will have two options:
- Automatic: MetaDefender™ Cloud Email Security will automatically configure the connection.
- Manual: Allows you to download and review a PowerShell script and manually apply the changes in your Microsoft 365 tenant environment.
Select the appropriate option based on your needs.
Select Protection Mode
Choose how MetaDefender™ Cloud Email Security should handle email security:
- Monitoring Mode: Receives and analyzes copies of emails for threats, providing detailed reports.
- In-line Protection: Would actively scan emails in real time.
Click Continue.
The protection mode defines how emails are routed. In Monitoring Mode, emails are BCC’d to MetaDefender™ Cloud Email Security while the original messages are delivered directly to users' mailboxes. For In-line Protection, emails are first routed to MetaDefender™ Cloud Email Security for analysis, and then returned to Microsoft 365 for delivery to users' mailboxes.
Select Protection Type
Select the type of email traffic to be analyzed (You can select one or multiple options):
- Inbound (Incoming emails)
- Outbound (Emails sent outside the organization)
Click Continue to proceed.
The protection type determines which email traffic is routed through MetaDefender™ Cloud Email Security. Emails traveling in directions not selected will bypass MetaDefender™ Cloud Email Security by omitting creation of the corresponding mail flow rules. (You can manually adjust/create/delete rules in the Microsoft 365 Exchange administration center.)
Define User Protection Scope
Choose which users will be protected:
- All users (Apply protection to all accounts)
- Selected users (Protect only specific accounts)
Click Continue to confirm your selection.
The user protection scope defines which users the Microsoft 365 mail flow rules will apply to. Emails for users not included in this scope will not be routed through MetaDefender™ Cloud Email Security. (You can modify the protection scope later through the mail flow rules in the Microsoft 365 Exchange administration center.)
Applying Changes (Automatic configuration only)
The system will configure the integration.
You will see status messages indicating successful steps:
- ✅ Connected to Microsoft Exchange Online.
- ✅ Configured outbound and inbound connectors.
- ✅ Configured transport rules.
Once the system configuration is completed, the mail flow rules can be examined before they are enabled.
- Refer to Integration Details (In-line Protection mode) or Integration Details (Monitoring mode) for more information.
The mail flow rules can also be enabled directly from: https://admin.exchange.microsoft.com. For more details on when using MetaDefender™ Cloud Email Security with other 3rd party connector based email security solutions, see: Integrating with 3rd Party Connector-Based Email Security Solutions
Complete Integration (Manual configuration only)
Download and review the automatically generated script.
Run the script in the Microsoft 365 environment to complete your integration.
- Refer to https://learn.microsoft.com/en-us/microsoft-365/enterprise/getting-started-with-microsoft-365-powershell?view=o365-worldwide for more information on how to run PowerShell scripts in Microsoft 365.
Once the system configuration is completed, the mail flow rules can be examined before they are enabled.
- Refer to Integration Details (In-line Protection mode) or Integration Details (Monitoring mode) for more information.
Integration Details (In-line protection mode)
The following changes are applied in your Microsoft 365 environment when integrating with Microsoft 365/Exchange Online.
Connectors
Inbound connector
Used to receive processed emails from MetaDefender™ Cloud Email Security.
| Property | Value |
|---|---|
| Connector Name | OPSWAT MDCES - Inbound |
| From | Partner organization / My organizations own mail server |
| To | Microsoft 365 |
| Identification Method | Sender's IP address |
| Sender IP(s) | [See Service IP ranges ] |
| TLS Settings | Require TLS |
| Restrict to specific domains | No |
| Restrict by certificate | No |
Outbound Connector
Used to send emails for processing by MetaDefender™ Cloud Email Security.
| Property | Value |
|---|---|
| Connector Name | OPSWAT MDCES - Outbound |
| From | Microsoft 365 |
| To | Partner organization |
| Use of Connector | Only when a mail flow rule routes messages through this connector |
| Smart Host | ces.metadefender.opswat.com |
| TLS Settings | Require TLS |
| Validation/Certificate | No |
| Routing Method | Route email through smart host |
Rules
SPF Rule
This rule will ensure that email sent from MetaDefender™ Cloud Email Security pass Microsoft 365 SPF and other checks.
| Property | Value |
|---|---|
| Rule name | OPSWAT MDCES - SPF |
| Apply this rule if | Sender IP address matches: [See Service IP ranges ] |
| Do the following |
|
| Stop processing more rules | No |
Inbound Emails Rule
This rule triggers for all inbound emails.
This rule is only created when inbound email traffic is analyzed.
| Property | Value |
|---|---|
| Rule name | OPSWAT MDCES - Inbound emails |
| Apply this rule if |
|
| Do the following |
|
| Except if |
|
| Stop processing more rules | Yes |
Outbound Emails Rule
This rule triggers for all outbound emails.
This rule is only created when outbound email traffic is analyzed.
| Property | Value |
|---|---|
| Rule name | OPSWAT MDCES - Outbound emails |
| Apply this rule if |
|
| Do the following |
|
| Except if |
|
| Stop processing more rules | Yes |
Integration Details (Monitoring mode)
Connectors
Inbound Connector
Used to receive processed emails from MetaDefender™ Cloud Email Security.
| Property | Value |
|---|---|
| Connector Name | OPSWAT MDCES - Inbound |
| From | Partner organization |
| To | Microsoft 365 |
| Identification Method | Sender's IP address |
| Sender IP(s) | [See Service IP ranges ] |
| TLS Settings | Require TLS |
| Restrict to specific domains | No |
| Restrict by certificate | No |
Outbound Connector
Used to send blind copy (bcc) emails for processing by MetaDefender™ Cloud Email Security.
| Property | Value |
|---|---|
| Connector Name | OPSWAT MDCES - Outbound |
| From | Microsoft 365 |
| To | Partner organization |
| Use of Connector | Use only for email sent to these domains: metadefender.email |
| Smart Host | ces.metadefender.opswat.com |
| TLS Settings | Require TLS |
| Validation/Certificate | No |
| Routing Method | Route email through smart host |
Rules
SPF Rule
This rule will ensure that email sent from MetaDefender™ Cloud Email Security pass Microsoft 365 SPF and other checks.
| Property | Value |
|---|---|
| Rule name | OPSWAT MDCES - SPF |
| Apply this rule if | Sender IP address matches: [See Service IP ranges ] |
| Do the following |
|
| Stop processing more rules | No |
Inbound Emails Rule
This rule triggers for all inbound emails.
This rule is only created when inbound email traffic is analyzed.
| Property | Value |
|---|---|
| Rule name | OPSWAT MDCES - Inbound emails |
| Apply this rule if |
|
| Do the following |
|
| Except if |
|
| Stop processing more rules | No |
Outbound Emails Rule
This rule triggers for all outbound emails.
This rule is only created when outbound email traffic is analyzed.
| Property | Value |
|---|---|
| Rule name | OPSWAT MDCES - Outbound emails |
| Apply this rule if |
|
| Do the following |
|
| Except if |
|
| Stop processing more rules | Yes |
