Appendix F: Activating Office 365 Mail in Hybrid Environments

A hybrid environment is a setup in which some mailboxes are in Microsoft 365, and some mailboxes are on your organization's email servers (on-premises Exchange server).

The most common use case for hybrid environments is with organizations migrating the mailboxes group by group to Microsoft 365.

Mail Flow in Hybrid Environments

Legacy Hybrid Architecture – MX Points to On-Premises Exchange Server

While migrating from an on-premises environment to the cloud (Exchange Online), organizations usually start with a basic architecture where the MX record points to the on-premises Exchange server or to the legacy Secure Email Gateway (SEG) that protects the on-premises Exchange server.

So the mail flows from the sender to the on-premises Exchange server and then gets routed to Microsoft 365.

Modern Hybrid Architecture – MX Points to Microsoft 365

To reduce the load on the organization's network and to ensure all emails are secured, organizations often change the mail flow so that the MX record points to Microsoft 365.

Microsoft 365 performs all the filtering and routes the emails sent to on-premises mailboxes to the on-premises Exchange server. For this scenario, your organization's mail flow setup looks like the following diagram.

Note - To protect mailboxes in hybrid environments, Harmony Email & Collaboration needs the modern hybrid architecture, where the MX record points to Microsoft 365. See Modern Hybrid Architecture – MX Points to Microsoft 365.

Best Practice - Microsoft recommended this architecture for hybrid environments. For more information, see Microsoft documentation.
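
One way to check the MX requirement above before connecting, as an added example (not Check Point or Microsoft code): it parses dig-style MX answer lines and reports whether every MX host is a Microsoft 365 endpoint. The suffix list, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Assumption: Microsoft 365 (Exchange Online Protection) MX targets end in one of these.
M365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")

# dig / zone-file style answer line: "<name> [ttl] [IN] MX <preference> <host>"
MX_LINE = re.compile(r"^\s*\S+\s+(?:\d+\s+)?(?:IN\s+)?MX\s+(\d+)\s+(\S+)\s*$", re.I)

def parse_mx(text):
    """Return [(preference, host)] sorted so the preferred (lowest) MX comes first."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]          # drop dig/zone-file comments
        m = MX_LINE.match(line)
        if m:
            records.append((int(m.group(1)), m.group(2).rstrip(".").lower()))
    return sorted(records)

def classify(text):
    """Return (verdict, hosts that are not Microsoft 365 endpoints)."""
    records = parse_mx(text)
    if not records:
        return "no-mx", []
    outside = [host for _, host in records if not host.endswith(M365_MX_SUFFIXES)]
    if not outside:
        return "modern", []                    # every MX points to Microsoft 365
    # A preferred Microsoft 365 MX with another host as backup still leaves a
    # delivery path that does not pass through Microsoft 365.
    primary_ok = records[0][1].endswith(M365_MX_SUFFIXES)
    return ("mixed" if primary_ok else "legacy"), outside

# Constructed sample records (example.com is a placeholder domain).
SAMPLE_LEGACY = "example.com. 3600 IN MX 10 mail.example.com."
SAMPLE_MODERN = "example.com. 3600 IN MX 0 example-com.mail.protection.outlook.com."
SAMPLE_MIXED = (";; ANSWER SECTION:\n"
                "example.com. 3600 IN MX 0 example-com.mail.protection.outlook.com.\n"
                "example.com. 3600 IN MX 20 seg.example.com.  ; old gateway\n")

if __name__ == "__main__":
    for name, sample in [("legacy", SAMPLE_LEGACY), ("modern", SAMPLE_MODERN),
                         ("mixed", SAMPLE_MIXED)]:
        print(name, classify(sample))
```

Only the "modern" verdict matches the architecture this appendix requires; "mixed" and "legacy" list the MX hosts that would have to be removed or repointed first.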

Modern Hybrid Architecture – Licensing Considerations

Before migrating to the modern hybrid architecture, make sure you have the required licenses:

  • For incoming emails, Microsoft usually does not require additional cloud mailbox licenses. The licenses you have for your on-premises mailboxes should be enough.

  • For outgoing emails, Microsoft might require additional licenses to route outgoing emails from on-premises mailboxes through Microsoft 365.

Note - Before migrating, consult your Microsoft representative to ensure you have the required licenses.

Harmony Email & Collaboration Support for Hybrid Environments

Harmony Email & Collaboration can protect mailboxes in multiple locations (Exchange Online and on-premises Exchange Server) with modern hybrid architecture mail flow, where the MX record points to Microsoft 365. See Modern Hybrid Architecture – MX Points to Microsoft 365.

Hybrid Environments – Protection Scope

When integrated with a modern hybrid environment, where the MX points to Microsoft 365, Harmony Email & Collaboration can protect these:

  • Microsoft OneDrive, Microsoft SharePoint and Microsoft Teams (the protection of these SaaS applications is not affected by the environment being hybrid)

  • All incoming and outgoing emails, whether they are sent to or sent from mailboxes in on-premises Exchange Server or Exchange Online (cloud mailboxes)

  • Internal emails, only when the mailbox of either the sender or one of the recipients is in Exchange Online (cloud mailboxes)

Limitations for On-premises Mailboxes

Harmony Email & Collaboration does not have API access to the mailboxes in on-premises Exchange Server. As a result, these limitations apply:

  • Harmony Email & Collaboration cannot pull the emails from on-premises mailboxes to quarantine.

    Important - To secure hybrid environments, you must keep the Harmony Email & Collaboration policies in Prevent (Inline) mode. Otherwise, phishing emails sent to on-premises mailboxes will not be quarantined.

  • Harmony Email & Collaboration cannot present the status of the emails (deleted, forwarded, replied to, etc.).

Enabling Office 365 Mail Protection in Hybrid Environments

Prerequisites

Before you connect Harmony Email & Collaboration to your environment, perform these steps:

Connecting Harmony Email & Collaboration to Microsoft 365

After all the prerequisites are met, you can connect and protect your hybrid environments with Harmony Email & Collaboration.

To connect with Harmony Email & Collaboration, see Activating Office 365 Mail.

Important - To secure hybrid environments, you must keep the Harmony Email & Collaboration policies in Prevent (Inline) mode. Otherwise, phishing emails sent to on-premises mailboxes will not be quarantined.

If you need help in connecting your SaaS application with Harmony Email & Collaboration, contact Check Point Support.
