This guide is intended for MSPs setting up new Proofpoint Essentials clients. The integrated deployment option is only available to Microsoft 365 environments.


About Integrated Deployment


This option can be used to deploy Proofpoint without making any MX record changes. The only DNS change that will still be required is updating the client's SPF record. Unlike a traditional email gateway deployment, this approach allows inbound mail to be sent to Microsoft first, then scanned by Proofpoint before delivery to end users.


These are the prerequisites for the integrated deployment option:

  • Client must be on Microsoft 365
  • Must have a global administrator account on the client's Microsoft 365 tenant
  • Updating the SPF record before setup is recommended, but this can also be done later before enabling outbound mail flow
  • This deployment type is not compatible with Professional or Professional+ packages.


Setting Up New Customers With Integrated Deployment


Creating a New Customer

  1. In the Proofpoint portal, navigate to Customer Management > Customers, then click Add a Customer.
  2. Fill in product / licensing info and company details for the new client.
  3. Fill in the client's primary domain and an administrator contact address. This email address will receive a notification later when the domain is ready to go live.
  4. When prompted to choose a deployment method, select Integrated with Microsoft 365.
  5. For configuration type, select Automated Configuration, then click Connect to Microsoft.


Microsoft 365 Integration

  1. After clicking Connect to Microsoft, choose a global administrator account to log into Microsoft 365.
  2. Accept API permissions when prompted.
  3. From this point, Proofpoint will automatically work on making the following changes (this will not impact mail flow):
    • Create Azure sync
    • Pull in and verify domains from Microsoft 365
    • Create required connectors and rules
  4. You can finish creating the customer while these processes run in the background. It will take around an hour for Proofpoint to be ready.
  5. When these processes are complete, the account's tech contact will receive an email notification. Inbound relaying will begin automatically once Proofpoint detects that the customer's environment is ready.
  6. Update the customer's SPF record to include Proofpoint if you have not done so already. Once this is done, manually turn on the outbound connector in the Exchange Admin Center to enable outbound relaying.