What’s changing?

We are adding a screen to the onboarding workflow of new tenants. On that screen, you will be able to choose between three email security modes:

• MX is the previous default mode when onboarding a new tenant. In this mode, we analyze and filter emails only before their reception

• API is a new mode that does not require changing the tenant’s MX records. In this mode, we analyze emails only after reception thanks to journaling rules set on the M365 tenants and Microsoft’s Graph API

• Hybrid is the best of the MX and API modes. In the mode, we analyze and filter emails both before and after reception. The technical difference between MX and Hybrid modes is the AutoRemediate feature, that gives us the ability to rescan inboxes in M365.

Hybrid is the recommended mode thanks to its superior protection.

Limitations of MX and API modes

• A tenant in MX mode does not benefit from AutoRemediate

• A tenant in API mode cannot benefit from the following products

  • Email Encryption

  • Email Signature & Disclaimer

  • Email Archiving

  • Email Continuity

Visibility of the email security modes

It is possible that some customers or partners do not see all three security modes due to specific sales or distribution agreements. If you believe this is a mistake, please reach out to your sales representative.

Microsoft permissions requested for each mode

MX

• Sign in and read user profile

• Read directory data

API

• Sign in and read user profile

• Read basic mail in all mailboxes

• Read and write all directory RBAC settings

• Read all users' full profiles

• Read and write all applications

• Read and write mail in all mailboxes

• Read directory data

• Manage app permission grants and app role assignments

Hybrid

• Sign in and read user profile

• Read directory data

• Read basic mail in all mailboxes

• Read all users' full profiles

• Read and write mail in all mailboxes

• Read and write all directory RBAC settings