
Changes made in Microsoft 365 environments

Find out what changes are made in your Microsoft 365 environment when you connect to Sophos Mailflow.

Sophos Mailflow protects the mailboxes of Microsoft 365 (formerly Office 365) users. We use Microsoft's Graph APIs and PowerShell commands to create mail flow rules in your Microsoft 365 environment. These rules route messages from Microsoft 365 to Sophos Mailflow for checking, then back again.

After you've set up Sophos Mailflow, you can sign in to your Microsoft Exchange admin center to see the applications, connectors, and rules that we've created. See Exchange admin center.

To find out more about Microsoft's mail flow rules (also known as transport rules), see Mail flow rules (transport rules) in Exchange Online.

What changes are made?

When you configure a new domain for Sophos Mailflow, we do the following in your Microsoft environment.

  1. You're asked to sign in to your Microsoft 365 domain, to confirm that you own it.

    The account you sign in with must have the Global admin role in your Microsoft domain.

  2. We synchronize the mailboxes, users, and groups in your Microsoft domain with Sophos Central.

  3. We create an application in your Microsoft 365 domain called “Sophos Email Mail flow”.
  4. You're asked to grant permissions for the application, so that it can manage mail flow rules.
  5. We create inbound and outbound connectors to Sophos Mailflow.
  6. We create mail flow rules that use the connectors to redirect inbound and outbound messages to Sophos Mailflow.

The permissions you grant won't expire. You can revoke them, if you need to, through the Microsoft Exchange admin center. Sophos Mailflow stops working if you revoke them.
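To review these changes from PowerShell instead of the admin center, the following added example (not Sophos code) lists the application's granted permissions, the tenant's connectors, and the mail flow rules that route through a connector, then saves a snapshot you can compare against later. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the application's display name matches the one given above; the output file name is a placeholder.

```powershell
# Added audit example, not Sophos code. Read-only: it changes nothing in the tenant.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Application.Read.All'

# Display name as given on this page; adjust it if your tenant shows it differently.
$appName = 'Sophos Email Mail flow'

# 1. The application's service principal and the application permissions granted to it.
$grants = foreach ($sp in Get-MgServicePrincipal -Filter "displayName eq '$appName'") {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        # Resolve the app role GUID to its readable name on the resource API.
        $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            App       = $sp.DisplayName
            AppId     = $sp.AppId
            Resource  = $a.ResourceDisplayName
            AppRole   = $role.Value
            GrantedOn = $a.CreatedDateTime
        }
    }
}

# 2. Inbound and outbound connectors, with the settings that decide who may use them.
$inbound  = Get-InboundConnector |
    Select-Object Name, Enabled, ConnectorType, SenderDomains, SenderIPAddresses,
                  RequireTls, TlsSenderCertificateName
$outbound = Get-OutboundConnector |
    Select-Object Name, Enabled, ConnectorType, SmartHosts, TlsSettings,
                  RecipientDomains, IsTransportRuleScoped

# 3. Mail flow rules that redirect messages through an outbound connector.
$rules = Get-TransportRule |
    Where-Object { $_.RouteMessageOutboundConnector } |
    Sort-Object Priority |
    Select-Object Priority, Name, State, Mode, RouteMessageOutboundConnector, WhenChanged

$grants   | Format-Table -AutoSize
$inbound  | Format-List
$outbound | Format-List
$rules    | Format-Table -AutoSize

# Save a snapshot so a later run can be diffed against it (file name is a placeholder).
[pscustomobject]@{
    Grants = $grants; Inbound = $inbound; Outbound = $outbound; Rules = $rules
} | ConvertTo-Json -Depth 5 | Set-Content -Path '.\mailflow-baseline.json'
```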

Sophos Mailflow and Post delivery protection

If you use the Post delivery protection feature in Sophos M365 Security, we create a second application in Microsoft 365. This application has different permissions and uses the Graph API to quarantine suspicious messages.

If you aren't using Post delivery protection, we don't create this application.
