How to Set Up FOPE with Office 365 Using the Directory Synchronization Tool for Populating Users to Enable Directory Based Edge Blocking and Spam Quarantine Access
By creating a user list in Forefront Online Protection for Exchange, you can block email sent to email addresses not in your user list. The steps in this topic guide you through the process of using the FOPE Directory Sync tool to upload your user list to FOPE and enable directory-based edge blocking. Reading the following topics will introduce you to the concepts covered in this procedural topic and give you some context before you perform the steps:
Forefront Online Protection for Exchange (best overall reference for FOPE)
Using the Directory Sync Tool to Populate Users in FOPE
- Login with your Office 365 Global Admin account at the Office 365 portal. Do not log directly into the FOPE Administration Center while performing the subsequent steps to set up a user account. It will fail because it requires the single sign-on (SSO) redirect from Exchange Control Panel (ECP) in Office 365.
- Under Exchange Online, click the Manage option. This launches the Exchange Control Panel.
- Choose the Mail Control option from the left pane.
- On the right side, under Forefront Online Protection for Exchange, click the Configure IP safelisting, perimeter message tracing, and email policieslink. This launches the FOPE Administration Center and logs you in with your global admin account.
- Follow the steps in Configuring Filtering Settings to configure email notifications in the service settings section.
- In the FOPE Administration Center, click the Administration tab and then click the Users tab. On the right pane, click Add User under the Tasks box.
- In the Add new user dialog box, you are prompted for an email address. We recommend using an email address in your primary domain (for example,DST@contoso.com). Please remember, this is explicitly for Directory Synchronization Tool (DST) use and FOPE Administration Center access; it is not used for Office 365. Essentially, it is a FOPE Administration Center account only.
- After you click Save, it will take you to the user settings page. You must set the password first (make it complex). In the Security box on the right side, next to Password, click Change.
- In the Change Password dialog box, in the New Password and Confirm new password boxes, type in the same password twice and then click the Savebutton.
Note: If you see a third box at the top then you signed in incorrectly. Close all your browser sessions, ensure that you are signed out, and follow the instructions above on the proper method of signing in to set up this user.
- The next step is to click Grant in the Permissions section in the Security box. Choose the Administrator role for the company, and then click Grant.
- Enable the DST for the domains. By default, they are set to Exchange Online; however, for this process to work you have to change the user source list to:Directory Synchronization Tool.
- Click the Domains tab in the FOPE Administration Center. Click the domain to which you want to synchronize users. Under Service Settings, User List Settings is where you make the change. Click Edit and in the Select the user list source drop-down list, choose Directory Synchronization Tool. Leave Directory-Based Edge Blocking set to Disabled until you’ve completed your first synchronization. After you have completed synchronization, read Select a Directory-Based Edge Blocking Mode to understand edge-blocking modes. If you want to enable DBEB, edit theUser List Settings again, choosing an edge-blocking mode in the Configure edge blocking mode to help improve the effectiveness of your spam filtering service drop-down list. Click Save to save your changes.
- Repeat the previous steps for the domains you plan to synchronize from on-premises, if there are multiple domains.
- Identify the server on which to host the DST tool. This information can be found in FOPE Directory Sync Tool.
- Install the DST following the instructions in Installing the Directory Synchronization Tool. Note: Ensure that you are downloading the latest DST, and that you have installed the minimum system requirements prior to running the installation of the DST.
- Configure DST according to the instructions in Configuring the Directory Synchronization Tool. Set up the user name (DST@contoso.com) and password. You should then be prompted for a synchronization interval.
- The DST user interface displays green check boxes if everything is configured properly and synchronization is successful.
- In the FOPE Administration Center you can look at the user list and see the synchronized users.
- You are required to set a password for any user who wants to use the spam quarantine feature. (At this point it is not single sign-on (SSO) capable.) Give the link to the FOPE Administration Center and the password to the end user so they can access the same quarantine.
- Set the passwords the same way you set the other user account, as instructed earlier in this procedure.
- The end user should then navigate to the FOPE Administration Center and log in with the email address and password you provided. They will have a limited interface with a link to click that lets them access their own spam quarantine.
Note: At any step in this process, if you cannot login to the FOPE Quarantine, see Office 365 administrators cannot sign in to the Forefront Online Protection for Exchange (FOPE) Quarantine service to access mail quarantine for troubleshooting tips.