Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

"Outbound Emails sent from Sophos" Connector Failed to Setup

I am attempting to setup Sophos Mailflow for a O365 tenant with Microsoft Basic Business licenses. The "Outbound Emails sent from Sophos" inbound connector fails to enable and when I try to enable it manually I get the error: 

Error executing request. For this service offering, you can't enable an inbound connector. Please contact Support to enable it. Organization '0f4eda73-53b3-4e46-ad7f-aec9d9ff6dad', Service Offering: 'O365_BUSINESS_ESSENTIALS'.

Apparently Microsoft made an unannounced change, that took affect 01/01/2023, restricting admins from activating newly-created inbound connectors for new tenants. This change affects the following SKUs:

Microsoft 365 Business Standard
Microsoft 365 Business Basic
Exchange Online Essentials

These connectors are created as “Disabled” by default. Customers that experience this behavior must contact Microsoft support with a business justification to enable an Inbound connector of OnPremises type within their tenant.

I have opened a ticket with Microsoft to enable the connector. I will update this post with my experience and steps.

This thread was automatically locked due to age.
  • 11-May-2023 - To update everyone on this thread. Since last week Microsoft Product Management Team and the Sophos Management Team have been engaged in discussions and plans to fix this for Sophos customers. Microsoft made the change to protect their environment and customers from bad actors creating IP based connectors, dumping a bunch of spam and then tearing down those connectors. Like it or not they did this with good intentions. Sophos was not aware of the change and as a result it has impacted many of you. 

    So what is being done about it? We are in the process of getting an IP exemption rule in place at Microsoft for a time period while we build customer specific certificate based connectors. This requires Sophos to develop the infrastructure and processes required to issue our customers domain based certificates. This process will likely take 6-9 months for development, QA and field testing. During that time the IP exception will be in place so MFR will operate as before.

    When? As mentioned I am in communication daily with Microsoft about getting this exemption rule in place and as soon as we have validated it is working I will update this community.

    We appreciate your understanding and cooperation as we work through this.


    Tom Foucha

    Sr. Director Product Management - Messaging

  • Hi Tom,

    Thanks for the detailed explanation. Do you have any updates on the timeline for the IP exception?



  • Hello Tom,

    Has there been any further updates on the progress of this issue?



Reply Children
  • The IP exception has been in place for a few weeks and we have not seen any issues creating active connectors. We are working on a certificate based connector but still a few months away from deploying. If you are seeing issues please open a support ticket and escalate to me.