In hybrid Exchange environments, organizations often configure Centralized Mail Transport (CMT) to route all outbound mail from M365 through their on-premises Exchange servers with specific outbound connectors. This approach helps enforce compliance policies, such as Data Loss Prevention (DLP), and enables routing through third-party security appliances.
However, even with CMT in place, Microsoft 365 can sometimes send emails directly—bypassing the on-premises infrastructure. When this happens, those messages escape on-premises DLP policies and other security controls. This issue typically arises from how the hybrid setup configures connectors.
Why mail might bypass On-Premises routing
When you run the Hybrid Configuration Wizard (HCW), it creates connectors between Exchange Online and your on-premises Exchange environment. These connectors support basic mail flow and hybrid features. However, they don’t handle all outbound scenarios; especially when third-party applications or services send mail directly from Microsoft 365 or when forwards are configured.
In these cases, Exchange Online often selects the most direct route to deliver mail, skipping the on-premises servers entirely. This behavior can create compliance gaps if your organization depends on on-premises DLP or journaling solutions.
The importance of Partner Connectors
To ensure that all outbound mail from M365 is routed through your on-premises environment, you should manually create an additional outbound connector in Exchange Online. This connector should be of type “Partner”, and configured to route mail through your on-premises platform.
Below is a diagram that summarizes how Microsoft 365 selects the outbound connector when sending a message. It illustrates why it is crucial to always secure your Centralized Mail Transport (CMT) routing with a Partner-type connector. This visual representation helps clarify the decision-making process behind mail routing and highlights the potential risks of relying solely on the connectors created by the Hybrid Configuration Wizard.
By Lionel TRAVERSE
Microsoft 365 Certified Administrator Expert / Microsoft Certified Trainer