This is an important announcement for the customers who have set up their M365 domains in Sophos Mailflow. We are pleased to announce that we have made the necessary enhancement in our Sophos Mailflow setup to comply with a change in Microsoft's policy related to connectors.

What changed and why?

During the MFR setup, Sophos creates a few connectors in M365. These connectors are IP-based and are integral to the functioning of the Sophos MFR service. Last year, Microsoft implemented a policy change, and as a result, the onboarding procedure inadvertently generated one of Microsoft's inbound IP-based connectors in a disabled state, obstructing the outbound email flow. Additionally, M365 admins have no option to manually enable these connectors through the M365 portal. The impact was limited to new onboarding processes only. The connectors that were already created and active were not impacted.

Microsoft reference documents: Inbound connector FAQ and Malicious OAuth Applications.

In response to this challenge, we engaged with the Microsoft product team and, as per their recommendation, undertook this enhancement to create certificate-based connectors instead of IP-based. In the new setup, when a new domain is onboarded, the connectors are now created with a certificate-based configuration. There is no change in the product's capability or the user experience in Central.

I am on Gateway mode. What impact does it have on my Sophos configuration?
None.

How does it impact new Mailflow onboarding?
As a result of this enhancement, if you onboard a new domain now in Sophos Mailflow, the connectors that are created will be certificate-based instead of IP-based. There is no change in the Mailflow onboarding experience. However, you’ll see a subdomain of 'xgeconnector.com' (a domain owned by Sophos, explicitly for hosting these certificates) added to the accepted domain list of your M365 tenant. Refer to this document.

Do we need to modify the existing connectors, too?
Yes. But, Sophos will complete the migration of these connectors by running automatic scripts.

Microsoft recommended Sophos to proactively migrate existing connectors from IP-based to certificate-based configuration. Although there is no official deadline announced at present, it is advisable to modify these existing connectors as soon as possible. Sophos will run automatic scripts to migrate these connectors from IP-based to certificate-based. We at Sophos have started the work now and will be gradually modifying these connectors for existing domains over the next few weeks. We expect to complete this migration exercise by 15-Feb-2024.

<Update 15-Feb-2024> As per this blog post from Microsoft, the connectors must be updated by 31-Mar-2024.

Any action for existing customers/partners?
No action is needed from your end at this time. Stay tuned for the second part of this announcement that will come your way with the progress update on the automatic migration.

Part 2 of the announcement (published on 15-Feb-2024): https://community.sophos.com/sophos-email/b/blog/posts/sophos-mailflow-certificate-based-connector-part-2.