Microsoft O365 Message Source

If you selected Microsoft O365 as your message source, you must configure Microsoft 365 to send journals to Secure Email Threat Defense. To do this, you add a journal rule. If you have a Gateway in place, add a connector in Microsoft 365 before adding your journal rule.

  1. For users with a Secure Email Gateway (SEG): Add a connector in Microsoft 365.
    To ensure journals are sent directly from Microsoft 365 to Secure Email Threat Defense without passing through the Secure Email Gateway, we recommend adding an outbound connector in Microsoft 365. You need to add the connector before setting up journaling.
    From the Microsoft 365 Exchange Admin Center, create a new connector by using the following settings in the Add a connector wizard:

    • Connection from: Office 365.

    • Connection to: Partner organization.

    • Connector name: Outbound to Cisco Secure Email Threat Defense (select the Turn it on check box).

    • Use of connector: Only when email messages are sent to these domains (add mail.cmd.cisco.com for North American environments, mail.eu.cmd.cisco.com for European environments, mail.au.etd.cisco.com for Australian environments, or mail.in.etd.cisco.com for Indian environments).

    • Routing: Use the MX record associated with the partner’s domain.

    • Security restrictions: Always use Transport Layer Security (TLS) to secure the connection (recommended); Issued by a trusted certificate authority (CA).

    • Validation email: Your journal address from the Secure Email Threat Defense setup page.

  2. The connector validation may fail if your O365 tenant is already configured with conditional mail routing using an Exchange transport rule to route outbound mail to an existing connector. While journal messages are system-privileged and are not affected by transport rules, the connector validation test email is not privileged and is affected by transport rules.

    To overcome this validation issue, locate the preexisting transport rule and add an exception for your Secure Email Threat Defense journal address. Wait for the change to take effect, then retry the connector validation.

  3. Configure Microsoft 365 to send journals to Secure Email Threat Defense. To do this, add a journal rule.

    1. Copy your journal address from the Secure Email Threat Defense setup page. If you need to repeat this process later, you can also find your journal address on the Administration page.

    2. Go to your Microsoft Purview compliance portal: https://purview.microsoft.com/.

    3. Navigate to Solutions > Data lifecycle management > Exchange (legacy) > Journal rules.

    4. If you haven’t already done so, add an Exchange recipient to the Send undeliverable journal reports to field, then click Save. The email address used will not be journaled; do not use an address you want Secure Email Threat Defense to analyze. If you do not have a recipient you want to use for this purpose, you will need to create one.

    5. Return to the Journal rules page. Click the + button to create a new journal rule.

    6. Paste the journal address from the Secure Email Threat Defense setup page into the Send journal reports to field.

    7. In the Journal rule name field, enter Cisco Secure Email Threat Defense.

    8. Under Journal messages sent or received from, select Everyone.

    9. Under Type of message to journal, select All messages.

    10. Click Next.

    11. Review your choices, then click Submit to finish creating your rule.

  4. Return to the Secure Email Threat Defense setup page. Click Review Policy.
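
The connector and journal rule settings from the steps above, expressed in Exchange Online PowerShell and then read back for comparison. This is an added example, not part of the original procedure. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline admin session; the journal and NDR addresses are placeholders, and the North American domain is used.

```powershell
# Added example. Assumes: Import-Module ExchangeOnlineManagement; Connect-ExchangeOnline
$JournalAddress = 'JOURNAL-ADDRESS-PLACEHOLDER@example.invalid'  # placeholder: copy from the setup page
$NdrMailbox     = 'journal-ndr@example.invalid'                  # placeholder: mailbox you do not want analyzed
$EtdDomain      = 'mail.cmd.cisco.com'                           # North America; use your region's domain
$ConnectorName  = 'Outbound to Cisco Secure Email Threat Defense'
$RuleName       = 'Cisco Secure Email Threat Defense'

# Step 1: partner connector scoped to the journal domain, MX routing, TLS with a CA-issued certificate.
if (-not (Get-OutboundConnector | Where-Object Name -eq $ConnectorName)) {
    New-OutboundConnector -Name $ConnectorName -ConnectorType Partner `
        -RecipientDomains $EtdDomain -UseMXRecord $true `
        -TlsSettings CertificateValidation -Enabled $true | Out-Null
}

# Step 3.4: recipient for undeliverable journal reports, set only if none is configured.
# Assumption: an unset value reads back as empty or '<>'.
$ndr = "$((Get-TransportConfig).JournalingReportNdrTo)"
if ($ndr -in @('', '<>')) { Set-TransportConfig -JournalingReportNdrTo $NdrMailbox }

# Steps 3.5 to 3.11: journal all messages for everyone (no -Recipient means every recipient).
if (-not (Get-JournalRule | Where-Object Name -eq $RuleName)) {
    New-JournalRule -Name $RuleName -JournalEmailAddress $JournalAddress `
        -Scope Global -Enabled $true | Out-Null
}

# Read the configuration back and compare it with the settings listed on this page.
$c = Get-OutboundConnector | Where-Object Name -eq $ConnectorName
$r = Get-JournalRule | Where-Object Name -eq $RuleName
$domains = @($c.RecipientDomains | ForEach-Object { "$_" })
$checks = [ordered]@{
    'Connector enabled'                  = [bool]$c.Enabled
    'Connector type is Partner'          = "$($c.ConnectorType)" -eq 'Partner'
    'Connector scoped to journal domain' = $domains -contains $EtdDomain
    'Routing uses MX record'             = [bool]$c.UseMXRecord
    'TLS requires CA-issued certificate' = "$($c.TlsSettings)" -eq 'CertificateValidation'
    'Journal rule enabled'               = [bool]$r.Enabled
    'Journal scope is all messages'      = "$($r.Scope)" -eq 'Global'
    'Journal applies to everyone'        = -not $r.Recipient
    'Journal reports go to ETD address'  = "$($r.JournalEmailAddress)" -eq $JournalAddress
}
foreach ($k in $checks.Keys) {
    '{0,-38} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'MISMATCH' })
}
```

The script does not send the wizard's validation email and does not touch existing transport rules, so the exception described in step 2 still has to be added by hand where it applies.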