Protect on-premises mailboxes in China with standalone EOP


The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new. This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the Applies To section and look for specific call-outs in this article where there might be differences.


This article applies only to Office 365 operated by 21Vianet in China.

Even if you plan to host some or all of your mailboxes on-premises, you can still protect the mailboxes with Exchange Online Protection (EOP). To configure connectors, your account must be a global admin, or an Exchange Company Administrator (the Organization Management role group). For information about how Office 365 permissions relate to Exchange permissions, see Assigning admin roles in Office 365 operated by 21Vianet. If all of your Exchange mailboxes are on-premise, follow these steps to set up your EOP service.

Step 1: Use the Microsoft 365 admin center to add and verify your domain

  1. In the Microsoft 365 admin center, navigate to Setup to add your domain to the service.

  2. Follow the steps in the portal to add the applicable DNS records to your DNS-hosting provider in order to verify domain ownership.


Add your domain and users to Office 365 operated by 21Vianet and Create DNS records for Office 365 when you manage your DNS records are helpful resources to reference as you add your domain to the service and configure DNS.

Step 2: Add recipients and configure the domain type

Before configuring your mail to flow to and from the EOP service, we recommend adding your recipients to the service. There are several ways in which you can do this, as documented in Manage mail users in EOP. Also, if you want to enable Directory Based Edge Blocking (DBEB) in order to enforce recipient verification within the service after adding your recipients, you need to set your domain type to Authoritative. For more information about DBEB, see Use Directory Based Edge Blocking to reject messages sent to invalid recipients.

Step 3: Use the EAC to set up mail flow

Create connectors in the Exchange admin center (EAC) that enable mail flow between EOP and your on-premises mail servers. For detailed instructions, see Configure mail flow using connectors in Office 365.

How do you know this task worked?

See Test mail flow by validating your Office 365 connectors.

Step 4: Allow inbound port 25 SMTP access

After you configured connectors, wait 72 hours to allow propagation of your DNS-record updates. Following this, restrict inbound port-25 SMTP traffic on your firewall or mail servers to accept mail only from the EOP datacenters, specifically from the IP addresses listed at URLs and IP address ranges for Office 365. This protects your on-premises environment by limiting the scope of inbound messages you can receive. Additionally, if you have settings on your mail server that control the IP addresses allowed to connect for mail relay, update those settings as well.


Configure settings on the SMTP server with a connection time out of 60 seconds. This setting is acceptable for most situations, allowing for some delay in the case of a message sent with a large attachment, for instance.

Step 5: Ensure that spam is routed to each user's Junk Email folder

To ensure that spam (junk) email is routed correctly to each user's Junk Email folder, you must perform a couple of configuration steps. The steps are provided in Configure standalone EOP to deliver spam to the Junk Email folder in hybrid environments. If you don't want to move messages to each user's Junk Email folder, you may choose another action by editing your anti-spam policies (also known as content filter policies). For more information, see Configure anti-spam policies in Office 365.

Step 6: Use the Microsoft 365 admin center to point your MX record to EOP

Follow the Office 365 domain configuration steps to update your MX record for your domain, so that your inbound email flows through EOP. For more information, you can again reference Create DNS records for Office 365 when you manage your DNS records.

How do you know this task worked?

See Test mail flow by validating your Office 365 connectors.

At this point, you've verified service delivery for a properly configured Outbound on-premises connector, and you've verified that your MX record is pointing to EOP. You can now choose to run the following additional tests to verify that an email will be successfully delivered by the service to your on-premises environment:

  • In the Remote Connectivity Analyzer, click the Office 365 tab, and then run the Inbound SMTP Email test located under Internet Email Tests.

  • Send an email message from any web-based email account to a mail recipient in your organization whose domain matches the domain you added to the service. Confirm delivery of the message to the on-premises mailbox using Microsoft Outlook or another email client.

  • If you want to run an outbound email test, you can send an email message from a user in your organization to a web-based email account and confirm that the message is received.

Less common: A hybrid setup with mailboxes on-premises and in the cloud

If you have Exchange mailboxes on-premises and one or more mailboxes in the cloud in Exchange Online, you have a hybrid setup. In a hybrid setup, features such as free/busy calendar sharing and mail routing work together in your on-premises and cloud environments. You might have a hybrid setup in place while you transition mailboxes to Exchange Online. A hybrid environment is set up differently than EOP standalone protection.

You might choose a hybrid scenario to take advantage of cloud-based email for most of your employees. You can do this while also hosting some mailboxes on-premises; for example, for your legal department.

A hybrid setup can be complex, but it has many benefits. To learn more about setting up hybrid scenarios with Exchange, see Exchange Server hybrid deployments.