Implementing High Volume Email with Exchange Online


High Volume Email (HVE) is a new service from Microsoft to allow the sending of up to 100,000 internal emails per day (with a small number external) which is in excess of the current limits of 10,000 per day (depending upon your licence).

Here are my initial observations on setting this service up. During preview this service is free, and I might come back here and update this blog post for the pricing when it is available. Also during preview this is a USA based service only, other locations will be available later.

So what do you need to do. You need to create a HVE dedicated account, then configure any requirements to allow legacy or basic auth to work (that is, Conditional Access rules or Exchange Online Authentication Policies) and then test it out.

So, creating the dedicated HVE account. Note that you cannot convert an existing account and mailbox to a HVE account but need to make a new account with a new email address. If you want to use an existing email address then you need to delete that old account first (or at least change the email address so its not in use for email or login) and then assign the email address to your new HVE account.

To make a HVE dedicated account, visit the Exchange Online Admin Center > Mail Flow > High Volume Email. Click Add an HVE account and fill out the form

Click Next and the account is reviewed and then created. Its really easy!

The list of HVE accounts will update to show your new account, and shortly this account will appear in Entra ID as well.

If you have Conditional Access rules that block Legacy Authentication and you are using basic SMTP auth then you need to exempt this account from those rules. So either add the new user account to a group that exempts these rules via Entra ID > Groups or exempt the account directly in the Conditional Access rule.

If you have a custom Authentication Policy in Exchange Online that blocks legacy auth you need to create a new policy that has AllowBasicAuthSmtp enabled and then apply that policy to the HVE account using PowerShell – for example below we create a policy called “Block Legacy Authentication For All Except AuthSMTP” and assign it to the HVE user account. The last cmdlet sets the users sign in token expiry time to one day ago and updates the Authentication Policy. This means the policy takes effect immediately:

Get-AuthenticationPolicy | fl Name

New-AuthenticationPolicy "Block Legacy Authentication For All Except AuthSMTP" -AllowBasicAuthSmtp

Set-User hve@domain.com -AuthenticationPolicy "Block Legacy Authentication For All Except AuthSMTP" -StsRefreshTokensValidFrom ([DateTime]::Now.AddHours(-24))

Finally you can send the email for testing. This uses a new endpoint, so it needs to be open on any firewalls etc. Here is an example of using the depreciated Send-MailMessage PowerShell cmdlet to send an email:

$hve = Get-Credential

Send-MailMessage -From hve@domain.com -To breid@domain.com -Subject "Hello - HVE Testing" -Body "This is a test email to prove HVE delivery." -SmtpServer smtp-hve.office365.com -UseSsl -Port 587 -Credential $hve

If it does not work you will get an error back. Here are two errors I have seen:

Send-MailMessage: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.57 Client not authenticated to send mail. Error: 535 5.7.139 Authentication unsuccessful, basic auth is blocked. Contact your administrator.“.

If you get this, the place to check is the Entra ID Sign-In logs for this user, assuming you have not blocked legacy auth in Exchange Online and not updated the Authentication Policy. If you have changed the Authentication Policy, wait 24 hours and try again.

Or “535 5.7.139 Authentication unsuccessful, the organization configuration does not allow this authentication request. Visit https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-error-codes for more information. Error code: AADSTS53003

This error means BlockedByConditionalAccess – Access has been blocked by Conditional Access policies. The access policy does not allow token issuance and so you need to check the sign-in logs for the HVE user to see what the logs show has happened and which rule is blocking your login.

You can also use Conditional Access > What If to check your Conditional Access rules before attempting to send an email. With What If you see to select your HVE user, the “Office 365 Exchange Online” app and “Mobile apps and desktop clients – Other clients” to perform your “What If” test. Do not select a Device Platform:

For example, if you have a Conditional Access rule that blocks unknown device platforms then HVE accounts will fail as the SMTP Legacy Auth session does not report a device platform. Exempting

Once you have it working, it is time for the real work – that is updating all your larger internal email sender applications to use the new endpoint and credentials!

Finally, just out of interest – HVE does not use SMTP internal to Exchange Online, but uses HTTP Submission to inject the messages into the mailbox. External messages (the few that you are allowed) do use SMTP.

Photo by Ylanite Koppens: https://www.pexels.com/photo/letters-and-an-eyeglass-on-table-1809342/

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.