Rules, Connectors, and Groups

I’ve finished project setup for ERS, what’s next?

After Email Rewrite Services (ERS) is configured in your project, each tenant will have a series of configurations automatically deployed through our orchestration engine. The following FAQs will help you get acquainted with the ERS configuration components.

 

What is set up when I enable ERS?

When ERS is enabled, the following configuration items are created and managed. If ERS is disabled, the same configurations will be removed.

  1. Exchange Online Transport Rules to redirect mail flow for ERS eligible users
  2. Exchange Online Connectors to manage encrypted mail flow between ERS and Exchange Online
  3. Mail-Enabled Groups to manage users’ eligibility for ERS

All configurations can be reviewed for any tenant from the Exchange Online portal. You may also view all configurations using PowerShell.

 

How can I confirm everything was created?

You may verify the configurations from the Microsoft 365 admin portal or by using PowerShell.

To verify by portal, log in to the Exchange Online Admin Portal, then navigate to Mail Flow. Under Mail Flow you will find the rules and connectors. To view the groups, navigate to Recipients, then Groups.

The simplest way is to use a PowerShell query to get a list of all rules, connectors and groups. Follow these easy steps to do just that.

  1. Launch PowerShell.
  2. Connect to your tenant. If you don’t know how, here is a quick article from MS:

    1. How to connect to Exchange Online PowerShell

  3. Once authenticated, run these example commands:

    Get-TransportRule BT-* -ErrorAction SilentlyContinue | select @{Name='Identity'; Expression={'Rule: '+$_.Identity }}

    Get-InboundConnector BT-* -ErrorAction SilentlyContinue | select @{Name='Identity'; Expression={'Inbound: '+$_.Identity }}

    Get-OutboundConnector BT-* -ErrorAction SilentlyContinue | select @{Name='Identity'; Expression={'Outbound: '+$_.Identity }}

    Get-DistributionGroup BT-* -ErrorAction SilentlyContinue | select @{Name='Identity'; Expression={'Group: '+$_.Identity }}

  4. Repeat these steps for each tenant.

 

How are Transport Rules & Send Connectors used?

Exchange Online transport rules and send connectors are the way in which mail is routed from an Office 365 tenant to Power365 ERS. Transport Rules examine a message to determine if it should be rewritten and the connectors route the message to Power365 ERS. This ensures that only messages that need to be rewritten are routed to Power365 ERS and messages that do not are immediately sent to the recipients.

There are 3 categories of transport rules. The following section outlines each category and describes the naming convention used for the rules.

Sorting Rules

For outbound messages, a sorting rule examines each recipient on an SMTP message and adds an SMTP header to identify if the recipient is internal or external.

  • BT-IntegrationPro-Out-S-Internet – rule for external recipients.
  • BT-IntegrationPro-Out-S-[Guid]-[#] – rules for internal recipients in target tenant [Guid] where [#] indicates a block of SMTP domains. E.g. BT-IntegrationPro-Out-S-15d82781-e5e8-4691-a77f-0f5fb10b6482-1

From, To, CC Rules

For outbound messages, these rules determine whether any of the From, To or CC addresses on an SMTP message include an internal or external recipient that should be rewritten, and update the SMTP header added above accordingly.

  • BT-IntegrationPro-Out-[From/ToCc] – rules for external recipients.
  • BT-IntegrationPro-Out-[Guid]-[From/ToCc] – rules for internal recipients in target tenant [Guid]. E.g. BT-IntegrationPro-Out-15d82781-e5e8-4691-a77f-0f5fb10b6482-From.

Inbound Rules

The outbound rules ensure that Office 365 routes only the messages that need to be rewritten to Power365. The inbound rules have two functions.

  • BT-IntegrationPro-In - rule for messages returning from Power365 ERS.

    After a message is rewritten it is returned to the original tenant for delivery to external recipients.

    This rule removes the header added by the outbound rules so that a message is only processed by Power365 ERS once.

  • BT-IntegrationPro-In-DKIM - rule for messages returning from Power365 ERS.

    When an external recipient replies to an ERS user, the message is rewritten back to the original domain. The message is then redirected to the original tenant.

    This rule removes the secret key added to the header by the sending tenant to ensure the message was securely delivered before and after being rewritten.

 

How are Connectors used?

Power365 ERS adds an inbound and an outbound connector to all Office 365 tenants defined on a Premium Integration project. The purpose of these connectors is to ensure mail flow from an Office 365 tenant to Power365 ERS is encrypted with the assigned TLS/SSL certificate. The outbound connector contains the FQDN of the Power365 ERS Relay used to receive mail for the tenant (e.g. ersrelayprod4-eu-2-10446.ers.power365.cloud). Some versions of ERS include connectors for each Client/Project combination.

  • BT-IntegrationPro-In – inbound connector
  • BT-IntegrationPro-Out – outbound connector

 

How are groups used?

The ERS groups control mailbox eligibility. When a recipient is added to the ERS group it will be enabled for the ERS type selected. When the user is ready, the user’s status will update in Power365 indicating the ERS type that is now enabled.

The ERS Day 1 and Day 2 groups are cloud-only Exchange Online distribution groups. ERS Day 1 is used to control which (not migrated) source users should be presented to external recipients using their target address. ERS Day 2 is used to control which (migrated) target users should be presented to external recipients with their source address. Some versions of ERS include groups for each Client/Project combination.

Administration Groups

Power365 ERS automatically adds the following two (2) groups in the source tenant(s) of a Power365 Premium Integration project. These groups are managed by the administrator(s) of the tenant.

  • BT-IntegrationPro-[DayOne/DayTwo] – day one or day two mailbox users. E.g. BT-IntegrationPro-DayOne.

For more information check out the Email Rewriting Eligibility Groups online help.

Internal Groups

Power365 ERS automatically adds several groups in the source and target tenant(s) for internal use. These groups should not be changed or deleted by administrators and are managed by Power365.

  • Source Tenants – Power365 ERS adds the following groups in the source tenant(s) of a Premium Integration project.

    • BT-IntegrationPro-[DayOne/DayTwo]-[Guid] – target addresses (contacts) of day one or day two users in target tenant [Guid]. E.g. BT-IntegrationPro-DayOne-15d82781-e5e8-4691-a77f-0f5fb10b6482

  • Target Tenants – Power365 ERS creates the following groups in the target tenant(s) of a Premium Integration project.

    • BT-IntegrationPro-[DayOne/DayTwo] – source addresses (contacts) of day one or day two users from all source tenants. E.g. BT-IntegrationPro-DayOne.
    • BT-IntegrationPro-[DayOne/DayTwo]-[Guid] – source addresses (contacts) of day one or day two users from source tenant [Guid]. E.g. BT-IntegrationPro-DayOne-15d82781-e5e8-4691-a77f-0f5fb10b6482.
    • BT-IntegrationPro-NC-[Guid] – source addresses (contacts) of users from source tenant [Guid] that have not been cutover. E.g. BT-IntegrationPro-NC-15d82781-e5e8-4691-a77f-0f5fb10b6482.
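
The naming conventions above can be used to audit a tenant for configuration drift: every BT-* rule, connector and group returned by the verification commands should fall into one of the documented categories. The following is an added example, not part of the Power365 documentation or tooling. The function name Get-ErsObjectCategory, the variable names and the sample list are hypothetical, and the patterns are transcribed from this page only, so the per-Client/Project objects that some ERS versions create (whose names are not documented here) will show as UNRECOGNIZED.

```powershell
# Added example: classify BT-* object names against the conventions on this page.
# '<guid>' in a pattern is replaced with a GUID regex before matching.
$GuidRegex = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
$ErsConventions = @(
    @{ Type = 'Rule';     Category = 'Sorting (external)';   Regex = '^BT-IntegrationPro-Out-S-Internet$' }
    @{ Type = 'Rule';     Category = 'Sorting (internal)';   Regex = '^BT-IntegrationPro-Out-S-<guid>-\d+$' }
    @{ Type = 'Rule';     Category = 'From/ToCc (external)'; Regex = '^BT-IntegrationPro-Out-(From|ToCc)$' }
    @{ Type = 'Rule';     Category = 'From/ToCc (internal)'; Regex = '^BT-IntegrationPro-Out-<guid>-(From|ToCc)$' }
    @{ Type = 'Rule';     Category = 'Inbound';              Regex = '^BT-IntegrationPro-In(-DKIM)?$' }
    @{ Type = 'Inbound';  Category = 'Inbound connector';    Regex = '^BT-IntegrationPro-In$' }
    @{ Type = 'Outbound'; Category = 'Outbound connector';   Regex = '^BT-IntegrationPro-Out$' }
    @{ Type = 'Group';    Category = 'DayOne/DayTwo group';  Regex = '^BT-IntegrationPro-Day(One|Two)$' }
    @{ Type = 'Group';    Category = 'Per-tenant group';     Regex = '^BT-IntegrationPro-(Day(One|Two)|NC)-<guid>$' }
)

function Get-ErsObjectCategory {
    param(
        [Parameter(Mandatory)][string]$Type,   # Rule, Inbound, Outbound or Group
        [Parameter(Mandatory)][string]$Name
    )
    foreach ($c in $ErsConventions) {
        $pattern = $c.Regex.Replace('<guid>', $GuidRegex)
        # -match is case-insensitive, so upper-case GUIDs are accepted too.
        if ($c.Type -eq $Type -and $Name -match $pattern) { return $c.Category }
    }
    return 'UNRECOGNIZED'   # not covered by the conventions on this page: review it
}

# Constructed sample in the 'Type: Name' shape printed by the commands above.
# Against a live tenant, collect the output of those commands instead.
$sample = @(
    'Rule: BT-IntegrationPro-Out-S-Internet'
    'Rule: BT-IntegrationPro-Out-S-15d82781-e5e8-4691-a77f-0f5fb10b6482-1'
    'Rule: BT-IntegrationPro-Out-15d82781-e5e8-4691-a77f-0f5fb10b6482-From'
    'Rule: BT-IntegrationPro-In-DKIM'
    'Rule: BT-IntegrationPro-Out-Test'      # constructed name matching no pattern
    'Inbound: BT-IntegrationPro-In'
    'Outbound: BT-IntegrationPro-Out'
    'Group: BT-IntegrationPro-NC-15d82781-e5e8-4691-a77f-0f5fb10b6482'
)

$sample | ForEach-Object {
    $type, $name = $_ -split ': ', 2
    [pscustomobject]@{
        Type     = $type
        Name     = $name
        Category = Get-ErsObjectCategory -Type $type -Name $name
    }
} | Format-Table -AutoSize
```

The type is part of the lookup because BT-IntegrationPro-In is both a transport rule name and an inbound connector name.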

 

When is it safe to remove ERS configurations?

You may disable ERS when production services are no longer required. Upon disabling, the related configurations will automatically be removed.

 

Additional Information

Email Rewrite Services Whitepaper (PDF)

Domain Sharing (Email Rewrite Services)

Eligibility Groups

DKIM

TLS/SSL

Power365 DAY 1 Email Rewrite Services – Before User Migrates with New Domain

Power365 DAY 2 Email Rewrite Services – After User Migrates with Original Domain