Today, we are providing an update on our product roadmap for Microsoft Exchange Server, and our next milestones in the Exchange Server journey to support the specific needs of our on-premises customers, hosted services providers, and other partners. Here’s what’s ahead: We will release one final Cumulative Update (CU) for Exchange Server 2019—the 2024 H2 CU aka CU15—later this year. We will release Exchange Server Subscription Edition (Exchange Server SE) early in the third quarter of calendar year 2025. We will release the first CU for Exchange Server SE—CU1—in late 2025. Exchange Server 20 ..read more

Microsoft has released Hotfix Updates (HUs) that enable support for new functionality and address issues in the March 2024 Security Update (SU). The April 2024 HU is available for the following builds of Exchange Server: Exchange Server 2019 CU13 and CU14 Exchange Server 2016 CU23 New Features The April 2024 HU introduce support for elliptic curve cryptography (ECC) certificates and hybrid modern authentication for Outlook on the web and ECP. Support for ECC certificates Starting with April 2024 HU, Exchange Server 2016 and Exchange Server 2019 now support ECC certificate ..read more

Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email. In 2019, Exchange Online began a multi-year effort to disable Basic auth. This process completed in late 2022, with Client Submission (SMTP AUTH) being the only exception. We are now removing Basic auth from Client Submission. Basic auth is a legacy authentication method that ..read more

Today, we are announcing that, beginning in January 2025, Exchange Online will begin enforcing an external recipient rate limit of 2,000 recipients in 24 hours. Exchange Online does not support bulk or high-volume transactional email. We have not enforced limiting of bulk email until now, but we plan on doing so with the introduction of an External Recipient Rate (ERR) limit. The ERR limit is being introduced to help reduce unfair usage and abuse of Exchange Online resources. What about the Recipient Rate Limit? Exchange Online enforces a Recipient Rate limit of 10,000 recipients. The 2,000 ER ..read more

We wanted to make everyone aware of the blog post that went live on the Microsoft Dev blog, talking about new Nested App Authentication for Office Add-ins requirement that is going to be mandatory for Outlook add-ins by October 2024. While this post is quite dev-focused, we wanted to make sure people in the Outlook community working or creating Outlook add-ins see it. Please go here to read more: New Nested App Authentication for Office Add-ins: Legacy Exchange tokens off by default in October 2024. The Exchange Team ..read more

Today we’re thrilled to announce the public preview of High Volume Email (HVE) for Microsoft 365. HVE is a new service designed primarily for line of business applications and other high-volume SMTP Auth submissions that enables you to send internal messages beyond the current limits of Exchange Online. Customers using on-premises servers in an Exchange hybrid configuration to send a large volume of internal messages can use this service instead and decommission their on-premises servers. We’re rolling out HVE to all WW customers starting April 1 and we expect rollout to be complete by the end ..read more

Thank you for joining me on this journey – hope you have enjoyed reading part 1 of this blog series. You are half-way done if you have reached Part 2 of this series. I’ll continue by calling out the categorization we had done in our last post when defining the problem statement when it comes to RBAC and permissions: Minimize the chance of granting more permissions than necessary (part 1 post). Ensure the team only accesses the resources to which they are authorized (this post). Let’s continue! Ensure that the team only accesses the resources to which they are authorized My bank customer (con ..read more

EHLO, folks! Here’s a story from my work with customers, that’s coming out as a blog post series. One of my banking customers raised a request regarding RBAC (Role Based Access Control) permissions for their Service Desk Team. Upon analysis, it came to our attention they had lots of unwanted RBAC permissions granted to their Service Desk team. The problem: giving too many RBAC permissions to users can result in accidental modifications of accounts. The way to deal with this is to customize the Role Groups and Management Roles. I’ll begin with an overview of how RBAC works. It is a method of re ..read more

In April 2022, we released an update to Exchange Server 2019 Management Tools that enables organizations that use Azure AD Connect and sync their Active Directory to manage Exchange recipients without the need for a running Exchange Server on-premises.  If you have one or more Exchange servers that are used only for recipient management (often referred to as Last Exchange Server - LES), you can install the updated tools on a domain-joined machine and shut down your last Exchange Server. For more information, see Manage recipients in Exchange Server 2019 Hybrid environments.  We want ..read more

Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2019 Exchange Server 2016 SUs are available for the following specific versions of Exchange Server: Exchange Server 2019 CU13 and CU14 Exchange Server 2016 CU23 The March 2024 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment. These vulnerabilities aff ..read more