MC1226222 – (Updated) Prevent/Fix: Guidance for On-Premises Connectors Configuration


check before: 2026-02-03

Product: Exchange

Platform: Online, World tenant

Change type: Admin impact, Updated message

Summary:
Updated guidance warns against using OnPremises inbound connectors with certificates for domains not accepted by the tenant or IPs shared by multiple tenants. Misconfigurations can disrupt mail flow. Use unique client certificates and send connectors per tenant, and ensure third-party services use certificates matching accepted domains.

Details:
Updated February 4, 2026: We have updated the content. Thank you for your patience.
Original: Please do not paste images here. Attach your high-resolution PNGs to the No Reply confirmation email. Thank you!
We are reiterating the guidance for connector settings to ensure customers are using healthy configurations. The key problematic configurations we are seeing are:
- When a tenant has an Inbound connector of type OnPremises and the connector does certificate-based authentication using a certificate with a subject/SAN for a domain that is NOT an Accepted Domain of the tenant.
- When a tenant has an Inbound connector of type OnPremises and the connector does IP-based authentication, but the IP is also used by other tenants' on-premises servers to connect to Exchange Online.
These anti-patterns typically occur when you are using a third-party service to relay email through Exchange Online, but could also occur if your organization has a single on-premises Exchange Server connecting to multiple Exchange Online tenants.
These configurations can cause incorrect mail flow because Exchange Online is a multi-tenant service and relies on message attribution to determine which tenant an incoming message belongs to. When messages are received through an Inbound connector of type OnPremises, attribution is determined using the following priority order:
1. The domain on the TLS certificate presented by the sending server
2. The P1 MailFrom (envelope sender) domain
3. The P1 RcptTo (recipient) domain
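As an added example (not part of the Message Center post and not cloudscout.one's content), the following PowerShell audits a tenant's Inbound connectors for the two anti-patterns above: an OnPremises connector whose certificate domain is not an accepted domain, and an OnPremises connector that relies on IP-based authentication. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) so that Get-AcceptedDomain and Get-InboundConnector are available, and relies on the documented connector properties ConnectorType, Enabled, TlsSenderCertificateName and SenderIPAddresses. The function names, the sample domains and the sample connectors are the example's own constructed values; without a live session it runs against that sample data.

```powershell
# Added example, not part of the Message Center post or the cloudscout.one page:
# audit Exchange Online Inbound connectors of type OnPremises against the
# tenant's accepted domains. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline) for Get-AcceptedDomain / Get-InboundConnector;
# without one it falls back to constructed sample data so it runs offline.

function Test-CertificateDomainAccepted {
    param(
        [Parameter(Mandatory)] [string]   $CertificateName,   # e.g. mail.contoso.com or *.contoso.com
        [Parameter(Mandatory)] [string[]] $AcceptedDomains
    )
    # Drop a leading wildcard label; the remaining zone must be an accepted
    # domain or sit beneath one (mail.contoso.com is covered by contoso.com).
    $certDomain = $CertificateName.ToLowerInvariant() -replace '^\*\.', ''
    foreach ($accepted in $AcceptedDomains) {
        $a = $accepted.ToLowerInvariant()
        if ($certDomain -eq $a -or $certDomain.EndsWith(".$a")) { return $true }
    }
    return $false
}

function Get-OnPremisesConnectorFindings {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Connectors,
        [Parameter(Mandatory)] [string[]] $AcceptedDomains
    )
    # Only enabled connectors of type OnPremises take part in the attribution order
    # described in the message; Partner connectors are out of scope here.
    $onPrem = $Connectors | Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled }
    foreach ($c in $onPrem) {
        $ips = @($c.SenderIPAddresses | Where-Object { $_ })
        if ($c.TlsSenderCertificateName) {
            # Certificate-based attribution: the certificate domain must be an accepted domain.
            $method  = 'Certificate'
            $value   = $c.TlsSenderCertificateName
            $finding = 'REVIEW: certificate domain is NOT an accepted domain of this tenant; messages may be attributed to another tenant'
            if (Test-CertificateDomainAccepted -CertificateName $value -AcceptedDomains $AcceptedDomains) {
                $finding = 'OK: certificate domain is an accepted domain of this tenant'
            }
        }
        elseif ($ips.Count -gt 0) {
            # IP-based attribution: whether another tenant's on-premises servers share the
            # address cannot be seen from inside this tenant, so surface it for manual review.
            $method  = 'IP'
            $value   = $ips -join ', '
            $finding = 'REVIEW: IP-based authentication; confirm the addresses are not shared with other tenants, or switch to a unique client certificate'
        }
        else {
            $method  = 'None'
            $value   = ''
            $finding = 'REVIEW: neither certificate nor IP restriction is configured'
        }
        [pscustomobject]@{ Connector = $c.Name; AuthMethod = $method; Value = $value; Finding = $finding }
    }
}

if (Get-Command Get-InboundConnector -ErrorAction SilentlyContinue) {
    # Live tenant data: DomainName is a SmtpDomain object, so render it as a string.
    $acceptedDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_" })
    $connectors      = @(Get-InboundConnector)
}
else {
    # Constructed sample data (not real connectors) covering both anti-patterns.
    $acceptedDomains = @('contoso.com', 'contoso.net')
    $connectors = @(
        [pscustomobject]@{ Name = 'OnPrem-Cert';     ConnectorType = 'OnPremises'; Enabled = $true; TlsSenderCertificateName = '*.contoso.com';             SenderIPAddresses = @() }
        [pscustomobject]@{ Name = 'Relay-Vendor';    ConnectorType = 'OnPremises'; Enabled = $true; TlsSenderCertificateName = 'smtp.relay-vendor.example'; SenderIPAddresses = @() }
        [pscustomobject]@{ Name = 'OnPrem-IP';       ConnectorType = 'OnPremises'; Enabled = $true; TlsSenderCertificateName = $null;                       SenderIPAddresses = @('203.0.113.10') }
        [pscustomobject]@{ Name = 'Partner-Inbound'; ConnectorType = 'Partner';    Enabled = $true; TlsSenderCertificateName = 'mx.partner.example';        SenderIPAddresses = @() }
    )
}

Get-OnPremisesConnectorFindings -Connectors $connectors -AcceptedDomains $acceptedDomains | Format-Table -AutoSize
```

On the sample data, OnPrem-Cert is reported OK, Relay-Vendor is flagged because its certificate domain is not an accepted domain of the tenant, and OnPrem-IP is flagged for review because IP-based authentication cannot be cross-checked against other tenants from within this one. Treat the IP finding as a prompt to confirm with the relay provider or the on-premises team, and prefer the fix the message recommends: a unique client certificate whose domain is one of the tenant's accepted domains.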

Created:
2026-02-03

updated:
2026-02-05


summary for non-techies**

To ensure smooth email delivery in Exchange Online, configure unique client certificates and distinct send connectors for each tenant, and ensure third-party relay services use certificates matching your accepted domains.

Direct effects for Operations**

Mail Flow Disruption
Misconfigured inbound connectors can lead to incorrect mail flow, causing emails to be misrouted or not delivered at all.
   - roles: Exchange Administrator, IT Support Specialist
   - references: https://learn.microsoft.com/exchange/mail-flow/connectors/send-connectors, https://learn.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/integrate-office-365-with-an-email-add-on-service

Increased Support Tickets
Users may experience issues with email delivery, leading to an increase in support requests and user frustration.
   - roles: Help Desk Technician, User Support Specialist
   - references: https://learn.microsoft.com/exchange/mail-flow/connectors/send-connectors, https://learn.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/integrate-office-365-with-an-email-add-on-service

Service Downtime
Internal changes or misconfigurations may lead to unexpected service downtime, affecting user access to email services.
   - roles: System Administrator, Network Engineer
   - references: https://learn.microsoft.com/exchange/mail-flow/connectors/send-connectors, https://learn.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/integrate-office-365-with-an-email-add-on-service


** AI generated content. This information must be reviewed before use.


change history

Date: 2026-02-05
Property: MC Messages
old:
We are reiterating the guidance for connector settings to ensure customers are using healthy configurations. The key problematic configurations we are seeing are:
- When a tenant has an Inbound connector of type OnPremises and the connector does certificate-based authentication using a certificate with a subject/SAN for a domain that is NOT an Accepted Domain of the tenant.
- When a tenant has an Inbound connector of type OnPremises and the connector does IP-based authentication, but the IP is used by other tenants.
These anti-patterns typically occur when you are using a 3rd party service to relay email through Exchange Online but could also occur if your organization has a single on-premises Exchange Server connecting to multiple Exchange Online tenants.
These configurations can cause incorrect mail flow because Exchange Online is a multi tenant service and relies on message attribution to determine which tenant an incoming message belongs to. When messages are received through an Inbound connector of type OnPremises, attribution is determined using the following priority order:
1. The domain on the TLS certificate presented by the sending server
2. The P1 MailFrom (envelope sender) domain
3. The P1 RcptTo (recipient) domain
new:
Updated February 4, 2026: We have updated the content. Thank you for your patience.
Original: Please do not paste images here. Attach your high-resolution PNGs to the No Reply confirmation email. Thank you!
We are reiterating the guidance for connector settings to ensure customers are using healthy configurations. The key problematic configurations we are seeing are:
- When a tenant has an Inbound connector of type OnPremises and the connector does certificate-based authentication using a certificate with a subject/SAN for a domain that is NOT an Accepted Domain of the tenant.
- When a tenant has an Inbound connector of type OnPremises and the connector does IP-based authentication, but the IP is used by other tenants On-Premises servers to connect to Exchange Online.
These anti-patterns typically occur when you are using a 3rd party service to relay email through Exchange Online but could also occur if your organization has a single on-premises Exchange Server connecting to multiple Exchange Online tenants.
These configurations can cause incorrect mail flow because Exchange Online is a multi tenant service and relies on message attribution to determine which tenant an incoming message belongs to. When messages are received through an Inbound connector of type OnPremises, attribution is determined using the following priority order:
1. The domain on the TLS certificate presented by the sending server
2. The P1 MailFrom (envelope sender) domain
3. The P1 RcptTo (recipient) domain

Date: 2026-02-05
Property: MC Title
old: Prevent/Fix: Guidance for On-Premises Connectors Configuration
new: (Updated) Prevent/Fix: Guidance for On-Premises Connectors Configuration

Date: 2026-02-05
Property: MC Last Updated
old: 02/03/2026 00:47:44
new: 2026-02-04T18:09:05Z

Date: 2026-02-05
Property: MC MessageTagNames
old: Admin impact
new: Updated message, Admin impact

Date: 2026-02-05
Property: MC Summary
old: Ensure On-Premises connectors use unique certificates with domains accepted by the tenant and avoid shared IPs across tenants. Misconfigurations can disrupt mail flow due to Exchange Online's multi-tenant nature. Use unique Send Connectors per tenant and prefer certificate-based authentication for reliable email routing.
new: Updated guidance warns against using OnPremises inbound connectors with certificates for domains not accepted by the tenant or IPs shared by multiple tenants. Misconfigurations can disrupt mail flow. Use unique client certificates and send connectors per tenant, and ensure third-party services use certificates matching accepted domains.
