Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email. In 2019, Exchange Online began a multi-year effort to disable Basic auth. This process completed in late 2022, with Client Submission (SMTP AUTH) being the only exception. We are now removing Basic auth from Client Submission. Basic auth is a legacy authentication method that ..read more

Today, we are announcing that, beginning in January 2025, Exchange Online will begin enforcing an external recipient rate limit of 2,000 recipients in 24 hours. Exchange Online does not support bulk or high-volume transactional email. We have not enforced limiting of bulk email until now, but we plan on doing so with the introduction of an External Recipient Rate (ERR) limit. The ERR limit is being introduced to help reduce unfair usage and abuse of Exchange Online resources. What about the Recipient Rate Limit? Exchange Online enforces a Recipient Rate limit of 10,000 recipients. The 2,000 ER ..read more

We wanted to make everyone aware of the blog post that went live on the Microsoft Dev blog, talking about new Nested App Authentication for Office Add-ins requirement that is going to be mandatory for Outlook add-ins by October 2024. While this post is quite dev-focused, we wanted to make sure people in the Outlook community working or creating Outlook add-ins see it. Please go here to read more: New Nested App Authentication for Office Add-ins: Legacy Exchange tokens off by default in October 2024. The Exchange Team ..read more

Today we’re thrilled to announce the public preview of High Volume Email (HVE) for Microsoft 365. HVE is a new service designed primarily for line of business applications and other high-volume SMTP Auth submissions that enables you to send internal messages beyond the current limits of Exchange Online. Customers using on-premises servers in an Exchange hybrid configuration to send a large volume of internal messages can use this service instead and decommission their on-premises servers. We’re rolling out HVE to all WW customers starting April 1 and we expect rollout to be complete by the end ..read more

Thank you for joining me on this journey – hope you have enjoyed reading part 1 of this blog series. You are half-way done if you have reached Part 2 of this series. I’ll continue by calling out the categorization we had done in our last post when defining the problem statement when it comes to RBAC and permissions: Minimize the chance of granting more permissions than necessary (part 1 post). Ensure the team only accesses the resources to which they are authorized (this post). Let’s continue! Ensure that the team only accesses the resources to which they are authorized My bank customer (con ..read more

EHLO, folks! Here’s a story from my work with customers, that’s coming out as a blog post series. One of my banking customers raised a request regarding RBAC (Role Based Access Control) permissions for their Service Desk Team. Upon analysis, it came to our attention they had lots of unwanted RBAC permissions granted to their Service Desk team. The problem: giving too many RBAC permissions to users can result in accidental modifications of accounts. The way to deal with this is to customize the Role Groups and Management Roles. I’ll begin with an overview of how RBAC works. It is a method of re ..read more

In April 2022, we released an update to Exchange Server 2019 Management Tools that enables organizations that use Azure AD Connect and sync their Active Directory to manage Exchange recipients without the need for a running Exchange Server on-premises.  If you have one or more Exchange servers that are used only for recipient management (often referred to as Last Exchange Server - LES), you can install the updated tools on a domain-joined machine and shut down your last Exchange Server. For more information, see Manage recipients in Exchange Server 2019 Hybrid environments.  We want ..read more

Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2019 Exchange Server 2016 SUs are available for the following specific versions of Exchange Server: Exchange Server 2019 CU13 and CU14 Exchange Server 2016 CU23 The March 2024 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment. These vulnerabilities aff ..read more

When troubleshooting mail flow rules related to attachments, it’s crucial to ensure the rules are set up correctly. At times, rules may not work as expected either due to misconfiguration or because behavior related to certain attachments isn't immediately obvious. This blog will delve into some common issues encountered with attachment-related mail flow rules, provide a systematic approach to diagnosing issues, and offer practical solutions to rectify them.  To address an issue with a message that wasn’t evaluated correctly, first begin by saving the message as a file.  We’ll use th ..read more

TL;DR  MTA-STS is a standard that allows domain owners to specify how mail servers should handle the encryption and authentication of their SMTP connections.  MTA-STS can help prevent email spoofing, interception, and tampering by enforcing TLS encryption and certificate validation for your domains.  PS.MTA-STS is a new, open-source PowerShell module that simplifies the deployment and testing of MTA-STS for your Exchange Online domains.  PS.MTA-STS can export a list of your domains that support MTA-STS, configure an Azure function app to host the required MTA-STS policy fo ..read more