Connect Microsoft Exchange and Enterprise DLP

Table of Contents

After you create the email transport rules, you must connect Microsoft Exchange and Enterprise Data Loss Prevention (E-DLP) to complete onboarding.

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.

You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?	What Do I Need?
Data Security	One of the following licenses that include the Enterprise DLP license Review the Supported Platforms for details on the required license for each enforcement point. Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license Email DLP license

Connect Microsoft Exchange to Enterprise Data Loss Prevention (E-DLP) through SaaS Security on Strata Cloud Manager to complete the onboarding.

Before you begin connecting Microsoft Exchange to Enterprise DLP, ensure that the admin performing the connection has at least Email Administrator access for Microsoft Exchange. Microsoft Exchange requires this minimum access privilege to allow Enterprise DLP API access to Microsoft Exchange.

Contact your email domain provider to update your SPF record to add the required Enterprise DLP service IP addresses.
Add the IP addresses for the region where you host your email domain. You can update your SPF record with multiple regional IP addresses if you have email domains hosted in multiple regions.
- APAC
  
  35.186.151.226 and 34.87.43.120
- Australia
  
  35.197.179.113 and 35.244.122.65
- Europe
  
  34.141.90.172 and 34.107.47.119
- India
  
  34.93.185.212 and 35.200.159.173
- Japan
  
  34.84.8.170 and 35.221.111.27
- United Kingdom
  
  34.105.128.121 and 34.89.40.221
- United States
  
  34.168.197.200 and 34.83.143.116
(Best Practices) Confirm that Active Directory is properly configured so that email senders have a manager to approve or reject quarantined emails.

Microsoft Exchange Active Directory is required to assign a manager to a sender. You can create a transport rule to quarantine and send the email for approval by the sender's manager. To successfully quarantine a sender's email if sensitive data is detected by Enterprise DLP, a sender must have a manager assigned.

If you did not assign a manager to a user, then Microsoft Exchange sends the quarantined email to the intended recipient. Microsoft Exchange requires that you assign a user a manager to approve or reject the email.
(Best Practices) Save Evidence for Investigative Analysis with Enterprise DLP.

Palo Alto Networks recommends configuring evidence storage so you can download emails for investigative analysis when your review Email DLP incidents.
Set up the Cloud Identity Engine (CIE).

Palo Alto Networks recommends using CIE so you can create targeted Email DLP policies.
Create the Microsoft Exchange connectors and transport rules, and create the Email DLP Policy.

Palo Alto Networks recommends setting up all connectors, transport rules, and Email DLP policy rules to ensure enforcement begins as soon as you successfully connect Microsoft Exchange Online to Enterprise DLP.
- Create a Microsoft Exchange Outbound Connector
  The outbound connector controls the flow of emails forwarded from Microsoft Exchange to Enterprise DLP.
- Create a Microsoft Exchange Inbound Connector
  The inbound connector controls the flow of emails forwarded to Enterprise DLP back to Microsoft Exchange.
- Create Microsoft Exchange Transport Rules
  Transport rules allow Microsoft Exchange to forward emails to Enterprise DLP and specify the actions Microsoft Exchange takes based on the hosted quarantine, admin approval, manager approval, encrypt, or block transport rules verdicts rendered by Enterprise DLP.
- Add a Enterprise DLP Email Policy
  The DLP email policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected.
Obtain Your Microsoft Exchange Domain and Relay Host.
Log in to Strata Cloud Manager.
Select ManageConfigurationSaaS SecuritySettingsApps Onboarding.
Search for Exchange and click Microsoft Exchange.
In the Email DLP Instance, click Add Instance.
In the Setup Connectors and Rules page, click Continue to Next Section since you have already configured the outbound connector, inbound connector, and transport rules.
In the Configure Smart Host page, add the email domains and relay hosts.

Enterprise DLP requires adding one or more email domains and relay hosts to ensure Enterprise DLP can successfully forward inspect emails back to Microsoft Exchange.
1. Enter an Email Domain and its corresponding Relay Host you obtained in the previous step.
  Obtain Your Microsoft Exchange Domain and Relay Host if you don't have the Microsoft Exchange email domain and relay host immediately available.
2. (Optional) Add any additional email domains and relay hosts as needed.
3. Connect.
Microsoft Exchange is now successfully connected and onboarded.
Configure the Email DLP settings.
- Edit the snippet settings to configure if and how Enterprise DLP stores and masks snippets of sensitive data that match your data pattern match criteria.
- Edit the policy evaluation timeout settings to configure what Enterprise DLP does when Email DLP policy evaluation exceeds the configured timeout.
- Configure evidence storage to save evidence for investigative analysis.

Onboard Microsoft Exchange Online

Create Microsoft Exchange Connectors

Enterprise DLP Docs

Connect Microsoft Exchange and Enterprise DLP

Enterprise DLP Docs

Connect Microsoft Exchange and Enterprise DLP

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner

Technical Documentation

Company

Legal Notices