Configuring Outbound Protection


This is a "Pre-release" feature and is not considered an official release. Please review the Pre-release Disclaimer before using the feature.

The Outbound Protection feature supports scanning and taking actions on Exchange Online email messages before the messages are delivered to external domains. This feature allows you to effectively stop your users from accidentally or deliberately sending out sensitive data. Outbound Protection is part of the inline protection solution for Exchange Online.

Currently, this feature is available only for the EU, Japan, Australia and New Zealand, Singapore, US, and India serving sites.

Note: This feature is available only if your Exchange Online service account is provisioned using an access token. If you are using a Delegate Account, migrate the Delegate Account to a Service Account. For details, see Migrating to Authorized Account for Exchange Online.

  1. Go to Administration > Global Settings > Inline Protection Settings for Exchange Online and click the Outbound Protection tab.
  2. Select your organization from the Current organization drop-down list.
  3. Grant Cloud App Security the permission to configure the Exchange mail flow.
    1. Click Click here at the end of step 1.
    2. On the Microsoft logon screen that appears, specify your Office 365 Global Administrator credentials and click Sign in.
    3. On the Exchange Online authorization screen that appears, click Accept to grant Cloud App Security permissions to configure mail flow in Exchange Online.

      During this process, Cloud App Security creates the Trend Micro Cloud App Security app on Exchange Online.

  4. Assign the Exchange administrator role to the Trend Micro Cloud App Security app.

    After the role is assigned, this app can create the required transport rule and connectors on Exchange Online to implement Outbound Protection.

    1. Go back to the Cloud App Security management console and copy the App Id in step 2.
    2. Log on to the Azure Active Directory portal as an Exchange Online administrator.
    3. In the left-side area, click Azure Active Directory, and select Roles and administrators under Manage.
    4. In the list on the Roles and administrators screen, click Exchange administrator.
    5. On the Exchange administrator screen that appears, click +Add assignments.

      The Add assignments screen appears.

    6. In the search box, paste the App Id you just copied and press Enter.
    7. Locate and select the app Trend Micro Cloud App Security, and then click Add.
  5. Return to the Cloud App Security management console and click Verify and Submit under step 3.
  6. Wait until the process is completed.

    During the process, the Trend Micro Cloud App Security app automatically creates the TMCAS Inbound Connector and TMCAS Outbound Connector connectors on Exchange Online. For details about the connectors, see the "TMCAS Outbound Connector" and "TMCAS Inbound Connector" sections in Connectors and Transport Rule on Exchange Online.


    To ensure that your users' emails can be successfully delivered, do not modify the two connectors.

  7. Add domains that you want to protect.
    1. On the screen that appears after Verify and Submit is completed, click Add.
    2. On the Add Domain and MX Record screen, select domains.

      Optionally click Click here to synchronize the domains under the current organization from Exchange Online.

    3. Click Save.

      The added domains appear in the list. The Configuration Status is In progress, indicating that Cloud App Security is configuring domain-related settings on Exchange Online.

    4. Wait until the configuration is completed.

      The configuration takes a while. During the process, the Trend Micro Cloud App Security app automatically creates the TMCAS Outgoing Transport Rule transport rule on Exchange Online and adds the domains to the rule. This rule is used to determine whether an email needs to be routed to Cloud App Security for scanning.

      For details about the transport rule, see the "Transport Rule" section in Connectors and Transport Rule on Exchange Online.


      To ensure that Outbound Protection works properly and your email delivery functions as expected, do not modify the transport rule.

      When the process is completed, a check mark appears under the Configuration Status column and Transport rule is enabled.


      To disable Outbound Protection, turn off Transport rule. The transport rule is disabled and outbound emails will not be routed to Cloud App Security for scanning.

  8. Select an action for Outbound Protection in an existing or new Data Loss Prevention policy.

    For details, see step 12 in Configuring Data Loss Prevention.

To remove Outbound Protection, deprovision the Exchange mail flow service account. For details, see Deprovisioning an Exchange Mail Flow Service Account.
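
The procedure above warns against modifying the two connectors and the transport rule. The following added example (not part of the original page and not Trend Micro code) records their state once setup completes and reports later drift. It assumes an Exchange Online PowerShell session opened with Connect-ExchangeOnline; the baseline file path and the function names are hypothetical.

```powershell
# Added example; not Trend Micro code. Assumes Connect-ExchangeOnline has been run.
# Object names come from this page; the baseline path and function names are assumptions.
$BaselinePath = '.\tmcas-mailflow-baseline.json'

function ConvertTo-StateRow($Kind, $Object, $State) {
    [pscustomobject]@{
        Kind    = $Kind
        Name    = $Object.Name
        State   = [string]$State
        # Fixed-format UTC string so the value survives a JSON round trip unchanged.
        Changed = ([datetime]$Object.WhenChanged).ToUniversalTime().ToString('yyyyMMddHHmmss')
    }
}

function Get-TmcasMailFlowState {
    # Filter by name client-side so a missing object yields no row instead of an error.
    Get-InboundConnector  | Where-Object Name -eq 'TMCAS Inbound Connector' |
        ForEach-Object { ConvertTo-StateRow 'InboundConnector' $_ $_.Enabled }
    Get-OutboundConnector | Where-Object Name -eq 'TMCAS Outbound Connector' |
        ForEach-Object { ConvertTo-StateRow 'OutboundConnector' $_ $_.Enabled }
    Get-TransportRule     | Where-Object Name -eq 'TMCAS Outgoing Transport Rule' |
        ForEach-Object { ConvertTo-StateRow 'TransportRule' $_ $_.State }
}

function Compare-TmcasMailFlowState($Baseline, $Current) {
    foreach ($b in $Baseline) {
        $c = $Current | Where-Object { $_.Kind -eq $b.Kind -and $_.Name -eq $b.Name }
        $finding = if (-not $c) { 'Missing' }
            elseif ($c.State -ne $b.State)     { "State changed: $($b.State) -> $($c.State)" }
            elseif ($c.Changed -ne $b.Changed) { 'Modified since baseline' }
            else                               { 'Unchanged' }
        [pscustomobject]@{ Kind = $b.Kind; Name = $b.Name; Finding = $finding }
    }
}

$current = @(Get-TmcasMailFlowState)
if (Test-Path $BaselinePath) {
    # Later runs: compare the live objects with the recorded state.
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    Compare-TmcasMailFlowState $baseline $current | Format-Table -AutoSize
} else {
    # First run, right after step 7 completes: record the known-good state.
    ConvertTo-Json -InputObject $current | Set-Content $BaselinePath
}
```

Delete the baseline file and run the script again after you add protected domains or turn Transport rule on or off in the Cloud App Security console, because those supported changes also update the transport rule.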