Activating Office 365 Mail in Hybrid Environments
A hybrid environment is a setup in which some mailboxes are in Microsoft 365 or Office 365, and some mailboxes are on your organization's email servers (on-premises Exchange server).
The most common use case for hybrid environments is with organizations migrating the mailboxes group by group to Microsoft 365 or Office 365.
Mail Flow in Hybrid Environments
Legacy Hybrid Architecture – MX Points to On-Premises Exchange Server
While migrating from an on-premises environment to the cloud (Exchange Online), organizations usually start with a basic architecture where the MX record points to the on-premises Exchange server or to the legacy Secure Email Gateway (SEG) that protects the on-premises Exchange server.
So the mail flows from the sender to the on-premises Exchange server and then gets routed to Microsoft 365 or Office 365.
Modern Hybrid Architecture – MX Points to Microsoft 365 or Office 365
To reduce the load on the organization's network and to ensure all emails are secured, organizations often change the mail flow so that the MX record points to Microsoft 365 or Office 365.
Microsoft 365 or Office 365 performs all the filtering and routes the emails sent to on-premises mailboxes to the on-premises Exchange server. For this scenario, your organization's mail flow setup looks like the following diagram.
Note - To protect mailboxes in hybrid environments, Avanan need the modern hybrid architecture, where MX points to Microsoft 365 or Office 365. See Modern Hybrid Architecture.
Best Practice - Microsoft recommended this architecture for hybrid environments. For more information, see Microsoft documentation.
Modern Hybrid Architecture – Licensing Considerations
Before migrating to the modern hybrid architecture, make sure you have the required licenses:
- For incoming emails, Microsoft usually does not require additional cloud mailbox licenses. The licenses you have for your on-premises mailboxes should be enough.
- For outgoing emails, Microsoft might require additional licenses to route outgoing emails from on-premises mailboxes through Microsoft 365 or Office 365.
Note - Before migrating, consult your Microsoft representative to ensure you have the required licenses.
Avanan Support for Hybrid Environments
Avanan can protect mailboxes in multiple locations (Exchange Online and on-premises Exchange Server) with modern hybrid architecture mail flow, where the MX record points to Microsoft 365 or Office 365. See Modern Hybrid Architecture.
Hybrid Environments – Protection Scope
When integrated with modern hybrid environment, where the MX points to Microsoft 365 or Office 365, Avanan can protect these:
- Microsoft OneDrive, Microsoft SharePoint and Microsoft Teams (The protection to these SaaS applications is not affected by the environment being hybrid)
- All incoming and outgoing emails, whether they are sent to or sent from mailboxes in on-premises Exchange Server or Exchange Online (cloud mailboxes)
- Internal emails, only when the mailbox of either the sender or one of the recipients is in the Exchange Online (cloud mailboxes)
Limitations for On-premises Mailboxes
Avanan does not have API access to the mailboxes in on-premises Exchange Server. So, these are the limitations.
- Avanan cannot pull the emails from on-premise mailboxes to quarantine.
Important - To secure hybrid environments, you must keep the Avanan policies in Protect (Inline) mode. Otherwise, phishing emails sent to on-premises mailboxes will not be quarantined. -
Avanan cannot present the status of the emails (deleted, forwarded, replied to etc.).
Enabling Office 365 Mail Protection in Hybrid Environments
Prerequisites
Before you connect Avanan to your environment, perform these steps:
- Ensure that the mail flow is configured correctly, where the MX points to Microsoft 365 or Office 365. For more details, contact your Microsoft technical representative.
- Ensure you have the required licenses from Microsoft. See Modern Hybrid Architecture - Licensing Considerations.
Connecting Avanan to Microsoft 365 or Office 365
After all the prerequisites are met, you can connect and protect your hybrid environments with Avanan.
To connect with Avanan, see Activating Office 365 Mail in Hybrid Environments.
Important - To secure hybrid environments, you must keep the Avanan policies in Protect (Inline) mode. Otherwise, phishing emails sent to on-premises mailboxes will not be quarantined.
If you need help connecting your SaaS application with Avanan, contact Avanan Support.