I am attempting to set up Sophos Mailflow for an O365 tenant with Microsoft Basic Business licenses. The "Outbound Emails sent from Sophos" inbound connector fails to enable, and when I try to enable it manually I get the error: Error executing request. For this service offering, you can't enable an inbound connector. Please contact Support to enable it. Organization '0f4eda73-53b3-4e46-ad7f-aec9d9ff6dad', Service Offering: 'O365_BUSINESS_ESSENTIALS'.
Apparently Microsoft made an unannounced change that took effect 01/01/2023, restricting admins from activating newly-created inbound connectors for new tenants. This change affects the following SKUs:
Microsoft 365 Business Standard
Microsoft 365 Business Basic
Exchange Online Essentials
These connectors are created as “Disabled” by default. Customers that experience this behavior must contact Microsoft support with a business justification to enable an Inbound connector of OnPremises type within their tenant.
I have opened a ticket with Microsoft to enable the connector. I will update this post with my experience and steps.
https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/inbound-connector-faq
Update to original post:
Only the O365 licenses mentioned in my original post are restricted from enabling inbound connectors from your org. to O365 that are configured to use an IP address. However, if you use a certificate domain name instead of an IP address, you can enable the inbound connector without an elevated license. In my case, I have pressed the tech and he is going to get with his senior engineers to see if they will enable the connector still since I have explained its legitimacy.
It seems to me that Sophos should adjust this connector to use a certificate domain name automatically now that Microsoft has implemented this change so that the setup continues to be as smooth and easy as it was prior to the change.
Hello there,
Thank you for contacting the Sophos Community.
Can you please share the Case ID you have logged so we can follow up?
I would like to check if this is a Feature Request, if this is in the Road Map, or if there’s a misconfiguration.
Regards,
We have two cases: 35418014, 06315032.
Thank you for the Case IDs.
I will check internally and get back to you once I hear back or by next Monday end of the day.
Just to let you know this is already being investigated under XGE-28188
This is currently under review.
I appreciate the update. I could not find XGE-28188 when I searched known Sophos Email issues. Could you please provide a link?
Thanks.
Update:
After my colleague and I conversed with two different Microsoft reps for over a week, the connector has been turned on. However, I believe neither the Microsoft rep that I was dealing with nor the rep my colleague is dealing with has a clue that this was done. At 3:30am CST, my colleague received a test email he sent 4 days ago to himself from one of the mailboxes that is protected by Sophos Email. We checked the inbound connector in O365 and it was enabled now. Neither of us has yet received any communication from our respective Microsoft reps informing us of anything.
The last communication I received from my Microsoft rep was yesterday at 4:30pm EST stating "We have shared your concern regarding inbound connector with the engineering team and we haven't received any update on the same. I will update you once we received any update regarding your query."
I am going to ask Microsoft what the "proper" steps are to have an inbound connector of this sort enabled in the future without a back and forth with support for over a week.
Stay tuned.
Hello,
This is a new number; this is not a known issue at the moment so you won't find it in our documentation; also this is being investigated currently.
Thanks Emmanuel, I really appreciate your updates. Since it is not a known issue yet, is there any means for me to track the progress of XGE-28188?
For information: It seems it's a "security feature" which was implemented by Microsoft a few months ago, that you're not allowed to create an inbound connector. Just the activation must be done via Microsoft Support. techcommunity.microsoft.com/.../3727793