Proofpoint, Inc.

Microsoft 365 Integration (MX Deployment)

About Microsoft 365

Microsoft 365 is a cloud-based solution offered by Microsoft. It supports email, messaging, security, archiving and other capabilities delivered by Microsoft's worldwide network of cloud data centers. For more information about Microsoft 365, see: https://products.office.com/en-us/business/office.

About Proofpoint Essentials Integration with Microsoft 365

Overview

Proofpoint Essentials can be configured as the inbound mail gateway through which all incoming mail for specified domains is filtered before reaching Microsoft 365. It can also be configured as the outbound mail gateway through which all mail sent from a Microsoft 365 tenant to an external recipient is filtered. In this configuration, the Microsoft 365 mail servers pass outgoing mail through Proofpoint Essentials to be filtered before final delivery.

The Microsoft 365 Integration tool automates several of the steps necessary to configure Proofpoint Essentials as an inbound and outbound mail gateway for the Microsoft 365 tenant. After running the Microsoft 365 Integration tool, several prerequisite mail flow configuration steps will be complete, including:

  1. All domains associated with the Microsoft 365 tenant will be imported, verified and configured to support mail flow
  2. Azure Directory sync will be configured and ready to import user accounts
  3. All necessary mail flow rules and connectors in the organization's Exchange tenant will be created

Proofpoint recommends that any changes to Proofpoint Essentials, DNS, or Microsoft 365 take place during a well-planned change control window to help reduce the risk to your organization.

Impact to the Microsoft 365 Tenant

As part of the Microsoft 365 integration process, Proofpoint Essentials will configure several entities in Microsoft 365. The necessity for these entities is described in this section.

Component: Azure Security Principal
  • Additional information: it is possible for the organization's Azure administrator to modify the installed security principal in such a way that the connection with Proofpoint Essentials is lost. Be aware of this risk before making changes to it.

Component: Exchange Online

The Proofpoint Essentials M365 Application will create 'Connectors' and 'Rules' in the organization's Exchange Online service.

Connectors
  • Inbound Connector for Proofpoint Essentials
    • This connector relays inbound mail traffic to Essentials. It relies on the rule described under Rules below.
  • Outbound Connector for Proofpoint Essentials
    • This connector relays outbound mail traffic to Essentials. It relies on the rule described under Rules below.
    • The outbound connector is disabled by default and needs to be enabled after you have configured your organization's DNS to include Proofpoint Essentials in your SPF record.

Rules
  • Bypass Spam Filtering for Proofpoint Essentials
    • This rule ensures that the organization's Exchange Online service does not treat any of Proofpoint Essentials' IP addresses as a spam source.

Before You Start

Be sure to have the credentials for an Exchange Global Administrator account. This is required to assign permissions to the Microsoft 365 integration tool.

Run Microsoft 365 Integration Tool

  1. Go to Account Management > Profile.
  2. In the Mailflow Setup section, click View Details to check your current deployment method.
     - If it is already set to Direct MX Routing, skip to step 5.
  3. Click Change Deployment to launch the setup wizard.
  4. In the wizard, select Direct MX Routing with Microsoft 365 as your deployment method.
  5. Go to Account Management > Integrations.
  6. Click Connect on the Microsoft 365 integration tile.
  7. Review the details regarding the features that will be configured automatically. If they are acceptable, click Next; otherwise, click Cancel.
     - A new browser window will open, prompting you to log in to your Microsoft account.
  8. Enter the credentials of an account that has global administrator permissions.
  9. Click Next.
  10. Review the permissions requested by the Proofpoint Essentials M365 Application.
     - The necessity for these permissions is described under Microsoft 365 Integration Application Permissions below.
  11. Click Accept to start the Microsoft 365 Integration automation; otherwise, click Cancel.

The automated process will begin and may take a few minutes to complete. Once complete, you will receive an email notification.

Next Steps

Once the Microsoft 365 integration has been successfully run, you should continue with onboarding steps. Please keep in mind the following:

  • Domains
    • Imported domains are not automatically enabled for mail relay. You will need to enable these domains.
  • Azure Active Directory
    • Azure Active Directory sync will run using default settings. You may want to review and update these settings.
  • Connector
    • The outbound connector will be disabled by default. It should not be enabled until your organization has performed a DNS change to include Proofpoint Essentials in the SPF record. You will need to enable the connector before you can properly direct outbound mail to Proofpoint Essentials.
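Because the outbound connector must stay disabled until the SPF record authorises the gateway, a pre-flight check on the published record is worth automating. The following is an added example, not Proofpoint's own tooling: it parses an SPF TXT record, confirms the gateway include is present with a pass qualifier, and counts DNS-lookup terms against the RFC 7208 limit of 10. The include name `spf.essentials-gateway.example` is a placeholder for the value Proofpoint supplies; `spf.protection.outlook.com` is Microsoft 365's standard include.

```python
"""Pre-flight check before enabling the outbound connector: does the domain's
SPF TXT record authorise the gateway, and does it still fit the RFC 7208 limit?

Added example, not Proofpoint's own tooling. The include name
spf.essentials-gateway.example is a PLACEHOLDER for the value Proofpoint gives you."""
import re

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (at most 10 allowed).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# qualifier, mechanism/modifier name, optional ":"/"=" value, optional CIDR suffix
TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/]*))?(?:/\d+(?://\d+)?)?", re.I)


def parse_spf(txt: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, mechanism, value) triples."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        parsed.append((m.group(1) or "+", m.group(2).lower(), (m.group(3) or "").lower()))
    return parsed


def ready_for_outbound(txt: str, gateway_include: str) -> dict:
    """Verdict on whether the record is ready for the connector to be enabled.

    Only top-level terms are counted; includes are not resolved recursively."""
    terms = parse_spf(txt)
    lookups = sum(1 for _, mech, _ in terms if mech in LOOKUP_TERMS)
    gateway_ok = any(
        qual == "+" and mech == "include" and value == gateway_include.lower()
        for qual, mech, value in terms
    )
    return {
        "gateway_included": gateway_ok,
        "dns_lookups": lookups,
        "within_lookup_limit": lookups <= MAX_LOOKUPS,
        "has_terminal_all": bool(terms) and terms[-1][1] == "all",
        "ready": gateway_ok and lookups <= MAX_LOOKUPS,
    }


# Constructed sample records; spf.protection.outlook.com is Microsoft 365's standard include.
BEFORE = "v=spf1 include:spf.protection.outlook.com -all"
AFTER = ("v=spf1 ip4:192.0.2.0/24 include:spf.protection.outlook.com "
         "include:spf.essentials-gateway.example -all")

if __name__ == "__main__":
    for label, record in (("before DNS change", BEFORE), ("after DNS change", AFTER)):
        print(label, ready_for_outbound(record, "spf.essentials-gateway.example"))
```

In practice, feed the function the TXT record fetched from public DNS for each relay domain, and only enable the connector once `ready` is true for all of them.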

Microsoft 365 Integration Application Permissions

During the Microsoft 365 setup process, the administrator is redirected to a Microsoft Online login. This is referred to by Microsoft as an “Admin Consent Flow”.

The Azure admin consent flow is a mechanism used to grant permissions to an Azure Active Directory application by an administrator. It allows an application to request permissions that require admin consent, and provides the admin the opportunity to review and approve these permissions on behalf of their organization.

For further information consult Microsoft Documentation: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/admin-consent-workflow-overview

The specific list of permissions that the Proofpoint Essentials M365 application requires, in order to perform automation of mail flow configuration, is listed below with an explanation of the necessity for each. Note: some automation tasks require multiple permissions.

 

Permission: Application.Read.All
  • Component: Microsoft 365 Integration Tool
  • Description: Used to perform self-management (of the Proofpoint Essentials M365 application) and to facilitate Exchange Online mail flow configuration.

Permission: AppRoleAssignment.ReadWrite.All
  • Component: Microsoft 365 Integration Tool
  • Description: Used to self-assign the Exchange Online management role in order to create the rules and connectors necessary for mail flow.

Permission: EntitlementManagement.ReadWrite.All
  • Component: Microsoft 365 Integration Tool
  • Description: Used to self-assign the Exchange Online management role in order to create the rules and connectors necessary for mail flow.

Permission: Exchange.ManageAsApp
  • Component: Microsoft 365 Integration Tool
  • Description: Used to enable Exchange Online management for the application in order to create the rules and connectors necessary for mail flow.

Permission: RoleManagement.ReadWrite.Directory
  • Component: Microsoft 365 Integration Tool
  • Description: Used to enable Exchange Online management for the application in order to create the rules and connectors necessary for mail flow.

Permission: Domain.Read.All
  • Components: Domains; Azure Active Directory
  • Description (Domains): Used to import domains for the purpose of configuring mail flow in Proofpoint Essentials.
  • Description (Azure Active Directory): Used to import domains for the purpose of determining which users to sync via Azure Directory Sync.

Permission: Group.Read.All
  • Component: Azure Active Directory
  • Description: Used by Azure Directory Sync to import organization groups into Proofpoint Essentials.

Permission: GroupMember.Read.All
  • Component: Azure Active Directory
  • Description: Used by Azure Directory Sync to recreate groups during import of users into Proofpoint Essentials.

Permission: User.Read.All
  • Component: Azure Active Directory
  • Description: Used by Azure Directory Sync to import organization users into Proofpoint Essentials.

Permission: Mail.ReadWrite
  • Component: One Click Message Pull
  • Description: Used by One Click Message Pull to enable Proofpoint Essentials to manage mail disposition directly in a user's inbox (i.e., move a mail to/from quarantine).