By default, Exchange Online uses opportunistic TLS: it always tries to encrypt the connection with the most secure version of TLS first, and if the recipient organization doesn't support TLS encryption, the message is sent unencrypted. Opportunistic TLS is sufficient for most businesses unless you configure Exchange Online to ensure that messages to a particular recipient are sent only over secure connections.
If your business has compliance requirements, such as medical, banking, or government organizations, you can configure forced TLS for Exchange Online.
If you decide to configure TLS between your organization and a trusted partner organization, Exchange Online can use forced TLS to create trusted channels of communication. Forced TLS requires your partner organization to authenticate to Exchange Online with a security certificate in order to send mail to you. Your partner will need to manage their own certificates in order to do this. In Exchange Online, we use connectors to protect the messages you send from unauthorized access before they arrive at the recipient's email provider.
1. Configuring Forced TLS from EOP to Partner
Log in to https://outlook.office365.com/ecp –> Mail flow –> Connectors –> Click on Add
Select From: Office 365 and To: Partner Organization, then click Next
Give a name for the connector and click Next
You can either use the connector from a transport rule or add the partner domains directly in the connector; I have added the domains in my case.
Select Use the MX record associated with the partner's domain and click Next
Select Always use Transport Layer Security (TLS) to secure the connection and select Issued by a trusted certificate authority (CA)
Click Next
Add a test email address in the partner domain to validate the connector
Click on Validate
In my case, the test status failed since no TLS connection is available for the added domain, but you need the test to succeed.
Click on Save once the domain TLS validation has completed.
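The same outbound connector can be created and validated from Exchange Online PowerShell instead of the ECP wizard. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, and it uses the placeholder partner domain partner.example and the placeholder test mailbox tlstest@partner.example.

```powershell
# Added example (not from the original post): create the Office 365 -> partner
# outbound connector with forced TLS and certificate validation, then validate it.
# Assumptions: ExchangeOnlineManagement module installed, an Exchange admin role,
# 'partner.example' and 'tlstest@partner.example' are placeholders.
Connect-ExchangeOnline

$partnerDomain = 'partner.example'   # placeholder partner domain

# ConnectorType Partner + UseMXRecord matches the ECP choices above;
# TlsSettings CertificateValidation = "Always use TLS" + "issued by a trusted CA".
New-OutboundConnector -Name 'Forced TLS to partner' `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Comment 'Mail to partner must use TLS with a CA-issued certificate'

# Equivalent of the "Validate" button: sends a test message over the connector.
# The TLS handshake to the partner's MX host must succeed for the test to pass.
Validate-OutboundConnector -Identity 'Forced TLS to partner' `
    -Recipients "tlstest@$partnerDomain"

# Confirm the enforced settings before relying on the connector.
Get-OutboundConnector -Identity 'Forced TLS to partner' |
    Format-List Name, RecipientDomains, UseMXRecord, TlsSettings, Enabled
```

If you prefer the transport-rule approach mentioned above rather than listing domains in the connector, add `-IsTransportRuleScoped $true` to `New-OutboundConnector` and reference the connector from a mail flow rule.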
2. Configuring Forced TLS from Partner to EOP
This enforcement enables TLS mail flow from the partner to EOP.
Log in to https://outlook.office365.com/ecp –> Mail flow –> Connectors –> Click on Add
Select From: Partner Organization and To: Office 365
Give a name for the connector and click Next
Select Use the sender's domain
Add the domain
Click Next
Select the subject name in the TLS certificate of Exchange Online Protection. It must be properly validated and up to date; if this name does not match, mail will not reach Office 365.
EOP's certificate name is shown below. Please refer to the article for more information.
Click on Save
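The inbound (partner to Office 365) connector can likewise be created from Exchange Online PowerShell. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, the placeholder partner domain partner.example, and a placeholder for the certificate subject name, since the post shows that name only in an image and it is deliberately not filled in here.

```powershell
# Added example (not from the original post): create the partner -> Office 365
# inbound connector that requires TLS and checks the certificate subject name.
# Assumptions: ExchangeOnlineManagement module installed, an Exchange admin role,
# 'partner.example' is a placeholder domain and '<certificate-subject-name>' is a
# placeholder for the subject name the post tells you to enter.
Connect-ExchangeOnline

$partnerDomain = 'partner.example'              # placeholder partner domain
$certSubject   = '<certificate-subject-name>'   # placeholder, see lead-in

# RequireTls rejects unencrypted sessions from the partner domain;
# RestrictDomainsToCertificate + TlsSenderCertificateName enforce the subject-name
# match, so a mismatch means the mail is refused, not delivered in the clear.
New-InboundConnector -Name 'Forced TLS from partner' `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -RequireTls $true `
    -RestrictDomainsToCertificate $true `
    -TlsSenderCertificateName $certSubject

# Review the effective settings; verify the subject name before enabling in production.
Get-InboundConnector -Identity 'Forced TLS from partner' |
    Format-List Name, SenderDomains, RequireTls, RestrictDomainsToCertificate, `
                TlsSenderCertificateName, Enabled
```

Because a subject-name mismatch blocks delivery rather than falling back to opportunistic TLS, have the partner confirm the exact subject name on the certificate they present before you enable the connector.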