S SignatureHub

← Blog

Centrally manage Microsoft 365 signatures — with the one-click installer

May 15, 2026

The one-click installer sets up the outbound/inbound connector and transport rule in under five minutes. Plus optional Entra ID sync and a manual PowerShell path for custom setups.

Microsoft 365 ships without a real central signature management. With SignatureHub, the one-click installer now handles it in under five minutes — the entire PowerShell setup happens in the background.

Architecture in one sentence

Exchange Online sends outbound mail via an outbound connector to SignatureHub. SignatureHub identifies the tenant, applies the rules, injects the signature, and routes the mail back via an inbound connector. A transport rule decides which mails take the path. A marker header prevents loops.

The fast path: one-click installer (recommended)

In the SignatureHub admin UI, create a new Microsoft 365 connector under "Connectors". The setup guide opens with the one-click installer as the recommended path. Three clicks:

  1. "Connect to M365": a Microsoft popup opens. Sign in as Global Admin, grant consent for Exchange Online management. The token is short-lived, no persistent access.
  2. "Run setup now": SignatureHub creates via the Exchange REST API: outbound connector on smtp.signaturehub.de, inbound connector with certificate on *.signaturehub.de, transport rule with loop exception on the X-SignatureHub-Processed header.
  3. Confirmation: the UI shows the three created artifacts. Status badge flips to "✓ Live". Done.

Pure click time: about one minute. Including Microsoft sign-in and consent page, under five minutes total — instead of 30–60 minutes with PowerShell.

Enable Entra ID sync (optional, strongly recommended)

The same connector setup has a second one-click step for Entra ID sync. Grant Microsoft consent again, and SignatureHub syncs employee master data (name, position, phone, mobile), employee photos (embedded as CID in every mail), proxyAddresses as aliases, and group memberships for rule-based signatures.

Test & go live

In the policy tester, enter a sample sender and external recipient — the system shows the matching rule and final signature. Optional: scope the transport rule to one test mailbox, send 20–30 test mails, then widen scope.

The manual path (for custom setups)

If compliance restrictions don't allow the one-click consent, the classic PowerShell path is still available. The three commands the installer issues under the hood:

New-OutboundConnector -Name "SignatureHub Outbound" -ConnectorType Partner -SmartHosts smtp.signaturehub.de -TlsSettings EncryptionOnly -CloudServicesMailEnabled $true -UseMXRecord $false
New-InboundConnector -Name "SignatureHub Inbound" -ConnectorType Partner -SenderDomains * -RequireTls $true -TlsSenderCertificateName "*.signaturehub.de"
New-TransportRule -Name "Route to SignatureHub" -FromScope InOrganization -SentToScope NotInOrganization -ExceptIfHeaderMatchesMessageHeader "X-SignatureHub-Processed" -ExceptIfHeaderMatchesPatterns ".+" -RouteMessageOutboundConnector "SignatureHub Outbound"

Common pitfalls

  • Missing Global Admin rights → one-click consent fails.
  • Conditional Access blocks the sign-in popup → add an exception for app.signaturehub.de up front.
  • Transport rule without loop exception (manual path only) → infinite loop.
  • Graph permissions too narrow → User.Read.All required for photo sync.

Done

With the one-click installer, M365 setup is now a five-minute affair. For hybrid setups (Exchange on-premises) an onboarding workshop with us pays off.