We have a Microsoft Azure/Entra domain or 'tenant', originally converted from a "Work Account" self-signup into a fully-managed one with a free plan (academic), therefore it has our base domain (i.e. example.com as opposed to something like ad.example.com) as the primary domain.
We don't use Azure much, but now we're adding a few accounts for Teams one by one. So far, we've chosen the account names to match the on-premises email addresses – e.g. my work email address is [email protected], so likewise my Entra account for Teams is [email protected].
But I've noticed that if Teams sends an invitation email to [email protected], it never arrives at our on-premises email server – instead, we find that email in an O365 mailbox when I open it via https://outlook.com and sign in with my Azure account.
I didn't know we had mailboxes as part of our free plan, but more to the point, can I make it send mail to our on-premises email server as the MX records already indicate? We don't use O365 mail at all (yet?), so I don't need it per-mailbox, but for the entire domain – at least for the time being. And if yes: how do I make it do that?
(Edit: We assign users "Office 365 A1 for Faculty" licenses, as not doing so seemed to completely break Teams in the past (to the extent of having to delete the account and re-create it), but I guess that is also what grants them an O365 mailbox as well.)
Or should we just switch the Azure tenant to use a different DNS subdomain as primary (like az.example.com) and then remove the old base domain? I'm hesitant to do so, as I don't want to accidentally end up with someone creating another ghost tenant via self-signup like already happened before.
Please excuse the mess of terminology; our IT team of two people has almost zero experience with Microsoft's cloud stuff.
After asking elsewhere and effectively getting told "this is a Big Sysadmins forum so piss off and go ask ChatGPT instead", I managed to figure out a working configuration:
Go to the Exchange Admin Center at https://admin.cloud.microsoft/exchange.
Under "Mail flow > Accepted domains", switch the desired domain from 'Authoritative' to 'Internal Relay'. (Now ChatGPT tells me to select 'External Relay', but according to documentation, that option only exists in on-prem Exchange, not in O365.)
Under "Mail flow > Connector", create a connector from "O365" to "Your org", specifying the local SMTP server. Make sure to select "Use only when I have a transport rule" (not "Use only when sending these domains" even if that seems like the obvious option).
The validation step will attempt to send a message addressed from your own domain – which your local SMTP server will of course reject as spoofed – so make sure to exempt the Exchange Online IP addresses from such checks (a list of CIDRs is published by Microsoft), then retry validation.
It doesn't seem like there is any way to make an Exchange Online "send connector" speak SMTP AUTH to the on-premises server – at least not when creating one through the Admin Center.
Under "Mail flow > Rules", create a rule:
Condition: "The recipient domain is" the domain in question
Action: "Redirect message to connector" the connector created in the previous step
Audit: "Not audit"
Test by creating a Teams meeting with your boss to see if the email arrives.
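The same configuration expressed with Exchange Online PowerShell (ExchangeOnlineManagement module), as an added example that is not part of the original post. The domain example.com, the smart host mail.example.com, the connector and rule names, and the TLS setting are assumptions to adjust for your environment.

```powershell
# Added example: the Admin Center steps from the post, done with Exchange Online PowerShell.
# Assumptions (not from the post): domain example.com, on-prem SMTP host mail.example.com,
# placeholder names for the connector and rule, and requiring TLS on the relay hop.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Domain    = 'example.com'                    # tenant's primary domain (assumed)
$SmartHost = 'mail.example.com'               # on-premises SMTP server (assumed)
$Connector = 'To-OnPrem-Mail'                 # placeholder connector name
$Rule      = 'Route example.com to on-prem'   # placeholder rule name

# Step 1: 'Authoritative' -> 'Internal Relay', so Exchange Online relays mail for the
# domain instead of delivering it only to cloud mailboxes or bouncing unknown recipients.
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# Step 2: outbound connector "O365 -> Your org" pointing at the local SMTP server.
# -IsTransportRuleScoped $true is the "Use only when I have a transport rule" option;
# -UseMXRecord $false forces delivery to the smart host rather than the public MX record.
# -TlsSettings EncryptionOnly requires TLS on this hop (a suggested setting, not in the post).
New-OutboundConnector -Name $Connector `
    -ConnectorType OnPremises `
    -SmartHosts $SmartHost `
    -UseMXRecord $false `
    -IsTransportRuleScoped $true `
    -TlsSettings EncryptionOnly `
    -Enabled $true

# Step 3: validation. As the post notes, this sends a test message addressed from your own
# domain, which the on-prem server will reject as spoofed unless Microsoft's published
# Exchange Online IP ranges are exempted from that check. Re-run after exempting them.
Validate-OutboundConnector -Identity $Connector -Recipients "postmaster@$Domain"

# Step 4: transport rule: recipient domain is $Domain -> redirect to the connector, no audit.
New-TransportRule -Name $Rule `
    -RecipientDomainIs $Domain `
    -RouteMessageOutboundConnector $Connector `
    -SetAuditSeverity DoNotAudit `
    -Enabled $true

# Check the result before sending a real Teams invitation.
Get-AcceptedDomain    -Identity $Domain    | Select-Object Name, DomainType
Get-OutboundConnector -Identity $Connector | Select-Object Name, SmartHosts, IsTransportRuleScoped
Get-TransportRule     -Identity $Rule      | Select-Object Name, State, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```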