
Rules and connectors created in M365

Find out what changes are made in your Microsoft 365 environment when you connect to Sophos Mailflow.

Sophos Mailflow protects the mailboxes of Microsoft 365 (formerly Office 365) users. We use Microsoft's Graph APIs and PowerShell commands to create mail flow rules in your Microsoft 365 environment. These rules route messages from Microsoft 365 to Sophos Mailflow for checking, then back again.

After you've set up Sophos Mailflow, you can sign in to your Microsoft Exchange admin center to see the applications, connectors, and rules that we've created. See Exchange admin center.

To find out more about Microsoft's mail flow rules (also known as transport rules), see Mail flow rules (transport rules) in Exchange Online.


You can't turn off spam filtering, but you can use Microsoft Exchange mail flow rules to bypass it for inbound messages. For example, you can create mail flow rules to skip filtering for messages you route through Sophos Gateway or third-party protection before delivering them to M365. See Use mail flow rules to set the spam confidence level (SCL) in messages in Exchange Online.


Microsoft filters high-confidence phishing and malware messages before they reach Sophos Central Email. See Configure anti-spam policies in EOP.

What changes are made?

When you configure a new domain for Sophos Mailflow, we do the following in your Microsoft environment.

  1. You're asked to sign in to your Microsoft 365 domain, to confirm that you own it.

    The account you sign in with must have the Global admin role in your Microsoft domain.

  2. We synchronize the mailboxes, users, and groups in your Microsoft domain with Sophos Central.

  3. We create an application in your Microsoft 365 domain called “Sophos Email Mail flow”.
  4. You're asked to grant permissions for the application, so that it can manage mail flow rules.
  5. We add a subdomain of to your tenant's accepted domain list.

    This domain is associated with Sophos certificates and will only be used in Exchange Online; it won't be used anywhere else. Adding this domain is safe for the following reasons:

    • Sophos owns and manages the domain.
    • The domain doesn't have email services enabled.


    Don't remove the domain. Doing so might break the email flow and stop email processing. For information on how you're notified when there are changes from the M365 console that could impact Sophos Mailflow setup, see Sophos Mailflow Tamper.

  6. We create inbound and outbound connectors to Sophos Mailflow.

  7. We create mail flow rules that use the connectors to redirect inbound and outbound messages to Sophos Mailflow.

The permissions you grant won't expire. You can revoke them, if you need to, through the Microsoft Exchange admin center. Sophos Mailflow stops working if you revoke them.
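One way to audit the accepted domain, connectors, and mail flow rules from steps 5 to 7 is to record them after setup and compare later. The following PowerShell is an added example, not Sophos or Microsoft code: `Get-MailflowSnapshot` assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session, and the function names, snapshot format, and sample values are constructed for illustration.

```powershell
# Added example: baseline and drift check for the Exchange Online objects listed above.
# Function names and the snapshot format are hypothetical, not part of any Sophos tooling.

function Get-MailflowSnapshot {
    # Live collection. Requires an existing Connect-ExchangeOnline session.
    $fmt = { "$($_.Name)|Enabled=$($_.Enabled)|Changed=$($_.WhenChanged)" }
    [ordered]@{
        AcceptedDomain    = @(Get-AcceptedDomain    | ForEach-Object { "$($_.DomainName)|$($_.DomainType)" })
        InboundConnector  = @(Get-InboundConnector  | ForEach-Object $fmt)
        OutboundConnector = @(Get-OutboundConnector | ForEach-Object $fmt)
        TransportRule     = @(Get-TransportRule     | ForEach-Object { "$($_.Name)|State=$($_.State)|Changed=$($_.WhenChanged)" })
    }
}

function Compare-MailflowSnapshot {
    # Emits one object per entry that differs between the two snapshots.
    param([Parameter(Mandatory)] $Baseline, [Parameter(Mandatory)] $Current)
    foreach ($kind in $Baseline.Keys) {
        $old = @($Baseline[$kind])
        $new = @($Current[$kind])
        foreach ($item in $old) {
            if ($new -notcontains $item) {
                [pscustomobject]@{ Kind = $kind; Change = 'RemovedOrModified'; Item = $item }
            }
        }
        foreach ($item in $new) {
            if ($old -notcontains $item) {
                [pscustomobject]@{ Kind = $kind; Change = 'AddedOrModified'; Item = $item }
            }
        }
    }
}

# Constructed sample snapshots (placeholder names, not the names Sophos creates).
$baseline = [ordered]@{
    AcceptedDomain    = @('contoso.example|Authoritative', 'sub.vendor-placeholder.example|Authoritative')
    InboundConnector  = @('Placeholder Inbound|Enabled=True|Changed=01/10/2024 09:00:00')
    OutboundConnector = @('Placeholder Outbound|Enabled=True|Changed=01/10/2024 09:00:00')
    TransportRule     = @('Placeholder Rule In|State=Enabled|Changed=01/10/2024 09:00:00')
}
$current = [ordered]@{
    AcceptedDomain    = @('contoso.example|Authoritative')   # vendor subdomain removed
    InboundConnector  = @('Placeholder Inbound|Enabled=True|Changed=01/10/2024 09:00:00')
    OutboundConnector = @('Placeholder Outbound|Enabled=True|Changed=01/10/2024 09:00:00')
    TransportRule     = @('Placeholder Rule In|State=Disabled|Changed=02/02/2024 14:30:00')   # rule disabled
}

Compare-MailflowSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With a live tenant, capture `$baseline = Get-MailflowSnapshot` immediately after setup and pass a later `Get-MailflowSnapshot` result as `-Current`; a changed object shows up as one `RemovedOrModified` and one `AddedOrModified` row.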

Sophos Mailflow and Post delivery protection

If you use the Post delivery protection feature in Sophos M365 Security, we create a second application in Microsoft 365. This has different permissions and uses Graph API to quarantine suspicious messages.

If you aren't using Post delivery protection, we don't create this application.