Applies to: Exchange Online, Exchange Online Protection

Topic Last Modified: 2017-10-20

This cmdlet is available only in the cloud-based service.

Use the Set-InboundConnector cmdlet to change an existing Inbound connector in your cloud-based organization.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Set-InboundConnector -Identity <InboundConnectorIdParameter> [-AssociatedAcceptedDomains <MultiValuedProperty>] [-CloudServicesMailEnabled <$true | $false>] [-Comment <String>] [-Confirm [<SwitchParameter>]] [-ConnectorSource <Default | Migrated | HybridWizard | AdminUI>] [-ConnectorType <OnPremises | Partner>] [-Enabled <$true | $false>] [-Name <String>] [-RequireTls <$true | $false>] [-RestrictDomainsToCertificate <$true | $false>] [-RestrictDomainsToIPAddresses <$true | $false>] [-SenderDomains <MultiValuedProperty>] [-SenderIPAddresses <MultiValuedProperty>] [-TlsSenderCertificateName <TlsCertificate>] [-TreatMessagesAsInternal <$true | $false>] [-WhatIf [<SwitchParameter>]]

This example makes the following configuration changes to the existing Inbound connector named Inbound Connector.

  • Require TLS transmission for all incoming messages on the connector.

  • Require that the TLS certificate that is used to encrypt communications contain the domain name

Set-InboundConnector "Contoso Inbound Connector" -RequireTls $true -TlsSenderCertificateName

Inbound connectors accept email messages from remote domains that require specific configuration options.

You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Inbound and Outbound connectors" entry in the Feature permissions in Exchange Online topic.


Parameter Required Type Description




The Identity parameter specifies the Inbound connector you want to change.




The AssociatedAcceptedDomains parameter specifies the accepted domains that the connector applies to, thereby limiting its scope. For example, you can apply the connector to a specific accepted domain in your organization, such as




Note:   We recommend that you don't use this parameter unless you are directed to do so by Microsoft Customer Service and Support, or by specific product documentation. Instead, use the Hybrid Configuration wizard to configure mail flow between your on-premises and cloud organizations. For more information, see Hybrid Configuration wizard.

The CloudServicesMailEnabled parameter specifies whether the connector is used for hybrid mail flow between an on-premises Exchange environment and Microsoft Office 365. Specifically, this parameter controls how certain internal X-MS-Exchange-Organization-* message headers are handled in messages that are sent between accepted domains in the on-premises and cloud organizations. These headers are collectively known as cross-premises headers.

Valid values are:

  • $true   The connector is used for mail flow in hybrid organizations, so cross-premises headers are preserved or promoted in messages that flow through the connector. This is the default value for connectors that are created by the Hybrid Configuration wizard.

    Preserved for outbound messages   Certain X-MS-Exchange-Organization-* headers in outbound messages that are sent from one side of the hybrid organization to the other are converted to X-MS-Exchange-CrossPremises-* headers and are thereby preserved in messages.

    Promoted for inbound messages   X-MS-Exchange-CrossPremises-* headers in inbound messages that are received on one side of the hybrid organization from the other are promoted to X-MS-Exchange-Organization-* headers. These promoted headers replace any instances of the same X-MS-Exchange-Organization-* headers that already exist in messages.

  • $false   The connector isn't used for mail flow in hybrid organizations, so any cross-premises headers are removed from messages that flow through the connector.




The Comment parameter specifies an optional comment. If you specify a value that contains spaces, enclose the value in quotation marks ("), for example: "This is an admin note".




The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.

  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.




The ConnectorSource parameter specifies how the connector was created. Valid input for this parameter includes the following values:

  • Default   The connector is manually created.

  • HybridWizard   The connector is created automatically by the Hybrid Configuration Wizard.

  • Migrated   The connector was originally created in Microsoft Forefront Online Protection for Exchange.

The default value for connectors you create is Default. It isn't recommended that you change this value.




The ConnectorType parameter specifies a category for the domains that are serviced by the connector. Valid input for this parameter includes the following values:

  • Partner   The connector services domains that are external to your organization.

  • OnPremises   The connector services domains that are used by your on-premises organization. Use this value for accepted domains in your cloud-based organization that are also specified by the SenderDomains parameter.




The Enabled parameter enables or disables the connector. Valid input for this parameter is $true or $false. The default value is $true.




The Name parameter specifies a descriptive name for the connector.




The RequireTLS parameter specifies that all messages received by this connector require TLS transmission. Valid values for this parameter are $true or $false. The default value is $false. When the RequireTLS parameter is set to $true, all messages received by this connector require TLS transmission.




The RestrictDomainsToCertificate parameter, when set to $true, causes the connector to reject mail that originates from a namespace not specified by the TlsSenderCertificateName parameter.




The RestrictDomainsToIPAddresses parameter, when set to $true, automatically rejects mail from the domains specified by the SenderDomains parameter if the mail originates from an IP address that isn't specified by the SenderIPAddresses parameter.

Valid input for this parameter is $true or $false. The default value is $false.




The SenderDomains parameter specifies the remote domains from which this connector accepts messages, thereby limiting its scope. You can use a wildcard character to specify all subdomains of a specified domain, as shown in the following example: * However, you can't embed a wildcard character, as shown in the following example: domain.*

You can specify multiple domains separated by commas.




The SenderIPAddresses parameter specifies the remote IP addresses from which this connector accepts messages. You enter the IP addresses using the following syntax:

  • Single IP   For example,

  • CIDR IP   You can use Classless InterDomain Routing (CIDR). For example,

You can specify multiple IP addresses separated by commas.




The TlsSenderCertificateName parameter specifies the certificate used by the sender's domain when the RequireTls parameter is set to $true. Valid input for the TlsSenderCertificateName parameter is an SMTP domain. You can use a wildcard character to specify all subdomains of a specified domain, as shown in the following example: *

You can't embed a wildcard character, as shown in the following example: domain.*




The TreatMessagesAsInternal parameter specifies an alternative method to identify messages sent from an on-premises organization as internal messages. You should only consider using this parameter when your on-premises organization doesn't use Exchange. Valid values are:

  • $true  Messages are considered internal if the sender's domain matches a domain that's configured in Office 365. This setting allows internal mail flow between Office 365 and on-premises organizations that don't have Exchange Server 2010 or later installed. However, this setting has potential security risks (for example, internal messages bypass antispam filtering), so use caution when configuring this setting.

  • $false   Messages aren't considered internal. This is the default value.

In hybrid environments, you don't need to use this parameter, because the Hybrid Configuration wizard automatically configures the required settings on the Inbound connector in Office 365 and the Send connector in the on-premises Exchange organization (the CloudServicesMailEnabled parameter).




The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn’t accept input data.

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn’t return data.