
How to set up forced TLS for Exchange Online in Office 365

By default, Exchange Online uses opportunistic TLS: it first tries to encrypt the connection with the most secure version of TLS the recipient supports, and if the recipient organization does not support TLS the message is sent unencrypted, unless you have configured Exchange Online to ensure that messages to that recipient are only sent over secure connections. Opportunistic TLS is sufficient for most businesses.

Businesses with compliance requirements, such as medical, banking, or government organizations, can configure forced TLS for Exchange Online instead.

If you decide to configure forced TLS between your organization and a trusted partner organization, Exchange Online uses it to create a trusted channel of communication. Forced TLS requires your partner organization to authenticate to Exchange Online with a security certificate in order to send mail to you; your partner needs to manage their own certificates to do this. In Exchange Online, connectors are what protect the messages you send from unauthorized access before they arrive at the recipient's email provider.

1. Configuring Forced TLS from EOP to Partner

Log in to the Exchange admin center, then go to Mail flow –> Connectors –> Add.


Select From: Office 365 and To: Partner organization, then click Next.


Give the connector a name and click Next.


You can scope the connector to a transport rule, or add the partner domains directly in the connector; I have added the domains in my case.


Select Use the MX record associated with the partner's domain and click Next.


Select Always use Transport Layer Security (TLS) to secure the connection, and then select Issued by a trusted certificate authority (CA). Optionally, you can also require that the subject name or subject alternative name (SAN) on the partner's certificate matches the partner's domain, which pins the connection to the partner's own certificate rather than to any publicly trusted one.


Click Next 


Add an email address in the partner's domain to validate the connector.


Click on Validate 


In my case, the test status failed since there is no TLS connection available for the added domain, but you need the test to succeed.


Click Save once the TLS validation for the domain has completed.
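Step 1 put together in Exchange Online PowerShell, as an added example that is not part of the original post: first a STARTTLS probe of the partner's MX host, which shows in advance why a validation like the one above fails (no STARTTLS, an untrusted chain, or an expired certificate), then creation and validation of the outbound partner connector with the same settings the wizard uses. It assumes the ExchangeOnlineManagement module is installed; the partner domain, MX host, connector name and test recipient are placeholders.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
# Placeholders: partner domain, MX host, connector name and test recipient are hypothetical.
$PartnerDomain = 'partner.example'
$PartnerMx     = 'mx1.partner.example'
$ConnectorName = 'Forced TLS to partner.example'
$TestRecipient = "tls-test@$PartnerDomain"

# Probe an MX host the way EOP will: plain SMTP on port 25, EHLO, STARTTLS, then a TLS handshake.
# SslStream's default validation rejects an untrusted chain or an expired certificate (what the
# "Issued by a trusted CA" setting checks) and additionally requires the name to match the host.
function Test-SmtpStartTls {
    param([Parameter(Mandatory)][string]$MxHost, [int]$Port = 25, [string]$EhloName = 'tls-probe.example')

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($MxHost, $Port)
        $stream = $client.GetStream()
        $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
        $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        # Read one SMTP reply; it may span several "250-..." lines before the final "250 ..." line.
        $readReply = {
            $lines = @()
            do {
                $line = $reader.ReadLine()
                if ($null -eq $line) { throw "connection closed by $MxHost" }
                $lines += $line
            } while ($line.Length -ge 4 -and $line[3] -eq '-')
            $lines
        }

        $null = @(& $readReply)                   # 220 banner
        $writer.WriteLine("EHLO $EhloName")
        $ehlo = @(& $readReply)
        if (-not ($ehlo | Where-Object { $_ -match '^250[- ]STARTTLS' })) {
            $writer.WriteLine('QUIT')
            return [pscustomobject]@{ Host = $MxHost; StartTls = $false; Protocol = $null; Subject = $null; Issuer = $null; Error = 'STARTTLS not advertised' }
        }
        $writer.WriteLine('STARTTLS')
        $reply = @(& $readReply)
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

        $tls = [System.Net.Security.SslStream]::new($stream, $false)
        $tls.AuthenticateAsClient($MxHost)       # throws on untrusted chain, expiry or name mismatch
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        [pscustomobject]@{ Host = $MxHost; StartTls = $true; Protocol = $tls.SslProtocol; Subject = $cert.Subject; Issuer = $cert.Issuer; Error = $null }
    }
    catch {
        [pscustomobject]@{ Host = $MxHost; StartTls = $false; Protocol = $null; Subject = $null; Issuer = $null; Error = $_.Exception.Message }
    }
    finally {
        $client.Dispose()
    }
}

$probe = Test-SmtpStartTls -MxHost $PartnerMx
$probe | Format-List
if (-not $probe.StartTls) {
    Write-Warning "$PartnerMx does not offer usable TLS; a forced-TLS connector would fail validation and hold mail in the queue. Fix the partner side first."
    return
}

Connect-ExchangeOnline

# Equivalent of the wizard: Office 365 -> Partner organization, scoped to the partner domain,
# routed via the partner's MX record, TLS required with a CA-validated certificate.
New-OutboundConnector -Name $ConnectorName `
    -ConnectorType Partner `
    -RecipientDomains $PartnerDomain `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -IsTransportRuleScoped $false `
    -Enabled $true

# Stricter variant, pinning the certificate's subject/SAN to the partner's domain:
#   -TlsSettings DomainValidation -TlsDomain $PartnerDomain

# Same check as the wizard's Validate button. With forced TLS a failure means mail to the
# partner is queued, not downgraded to plaintext, so this must succeed before you rely on it.
Validate-OutboundConnector -Identity $ConnectorName -Recipients $TestRecipient | Format-List

Get-OutboundConnector -Identity $ConnectorName |
    Format-List Name, RecipientDomains, UseMXRecord, TlsSettings, TlsDomain, Enabled
```

The probe does not send QUIT after the TLS handshake; it simply closes the socket, which is enough for a diagnostic. If the probe reports a name mismatch but the certificate is otherwise trusted, the CertificateValidation connector will still work, because that setting does not check the name; only the DomainValidation variant does.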



2. Configuring Forced TLS from Partner to EOP

This enforcement requires TLS for mail flowing from the partner to EOP: messages from the partner's domain that are not sent over TLS are rejected.

Log in to the Exchange admin center, then go to Mail flow –> Connectors –> Add.

Select From: Partner organization and To: Office 365, then click Next.


Give the connector a name and click Next.


Select Use the sender's domain.


Add the partner's domain.


Click Next 


Select Reject email messages if they aren't sent over TLS, and require that the subject name on the certificate the partner uses to authenticate with Office 365 matches the partner's domain name. The partner's certificate must be valid and kept current; if the name does not match, mail from the partner will not reach Office 365.


The name on EOP's certificate is noted below; refer to the linked article for more information.


Click Save.
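Step 2 in Exchange Online PowerShell, as an added example that is not part of the original post: the inbound partner connector with TLS required and the partner's certificate name pinned, the weak setting it replaces, and two checks to run afterwards. It assumes the ExchangeOnlineManagement module; the partner domain, connector name, certificate name and test sender are placeholders.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement module.
# Placeholders: partner domain, connector name, certificate name and test sender are hypothetical.
$PartnerDomain   = 'partner.example'
$ConnectorName   = 'Forced TLS from partner.example'
# Subject name (or SAN) on the certificate the PARTNER presents to EOP; a wildcard such as
# *.partner.example is also accepted by -TlsSenderCertificateName.
$PartnerCertName = 'mail.partner.example'
$TestSender      = "tls-test@$PartnerDomain"

Connect-ExchangeOnline

# Equivalent of the wizard: Partner organization -> Office 365, identified by sender domain,
# TLS required, and the partner's certificate subject must match the given name.
New-InboundConnector -Name $ConnectorName `
    -ConnectorType Partner `
    -SenderDomains $PartnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $PartnerCertName `
    -Enabled $true

# Weak setting for comparison (not forced TLS): the same connector with
#   -RequireTls $false -RestrictDomainsToCertificate $false
# accepts the partner's mail over plaintext, so a downgrade on the wire is never noticed.

# Check 1: confirm what was created. RequireTls and RestrictDomainsToCertificate must both be True.
Get-InboundConnector -Identity $ConnectorName |
    Format-List Name, SenderDomains, RequireTls, RestrictDomainsToCertificate, TlsSenderCertificateName, Enabled

# Check 2: after the partner sends a test message, trace it. A message the partner tried to send
# without TLS, or with a certificate whose name does not match, is rejected and will not show as
# Delivered. On an accepted message, the Received header stamped by EOP records the session, e.g.
# "with Microsoft SMTP Server (version=TLS1_2, cipher=...)".
Get-MessageTrace -SenderAddress $TestSender -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date) |
    Select-Object Received, SenderAddress, RecipientAddress, Status
```

Pinning the certificate name with RestrictDomainsToCertificate is what turns "encrypted" into "encrypted and from the partner we expect": RequireTls alone is satisfied by any sender who can complete a TLS handshake and put the partner's domain in the envelope.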

