Microsoft Extends Basic Authentication Support for High Volume Email Service Until 2028 with Key Updates

Microsoft Extends Basic Authentication Support for High Volume Email Service Until 2028 with Key Updates

Microsoft has announced significant updates to its High Volume Email (HVE) service within Microsoft 365, including an extension of Basic Authentication support until September 2028 and changes to the service's functionality. These updates aim to provide organizations with additional time to transition to more secure authentication methods and to streamline email services within the Microsoft 365 ecosystem.

HVE is designed to enable Microsoft 365 customers to send large volumes of email to internal recipients without recipient rate limits. The public preview of HVE was released on April 1, 2024, with general availability targeted for September 2025. (techcommunity.microsoft.com)

Continued Support for Basic Authentication

Microsoft has announced the continued support for Basic Authentication in HVE until September 2028. This decision acknowledges that certain line-of-business (LOB) applications and devices may not yet support modern authentication methods such as OAuth. While Microsoft strongly recommends transitioning to modern authentication for enhanced security, this extension provides organizations with additional time to make the necessary changes. (techcommunity.microsoft.com)

Modern authentication methods, such as OAuth, offer several security benefits over Basic Authentication:

• Enhanced Security: Modern authentication provides multiple layers of protection beyond simple username and password combinations, reducing the risk of credential theft and reuse.
• Dynamic Token Management: Short-lived access tokens expire quickly and can be instantly revoked if compromised.
• Conditional Access Policies: Modern authentication enables intelligent decisions about who is trying to access what, from where, and on which device, providing more precise and granular access controls.

Microsoft encourages organizations to start planning their migration to OAuth to benefit from these enhanced security features. (techcommunity.microsoft.com)

Focus on Exclusively Internal Recipients

Effective June 2025, HVE will support exclusively internal (within the tenant) messaging capabilities. The ability to send email to external recipients will be removed. This change is intended to simplify Microsoft's email offerings and clearly define HVE's purpose within the Microsoft 365 ecosystem. For scenarios requiring high-volume email to external recipients, Microsoft recommends using Azure Communication Services (ACS) for email. (techcommunity.microsoft.com)

Removal of Public Preview Limits

Microsoft has announced the removal of public preview limitations for HVE. Once these changes roll out, organizations will be able to create up to 100 HVE accounts, and internal recipient rate limits will be eliminated. These changes will be implemented over the coming weeks, allowing organizations to fully leverage and explore the capabilities of HVE for internal communication needs. (techcommunity.microsoft.com)

These updates have several implications for organizations using HVE:

• Security Enhancements: The extension of Basic Authentication support provides additional time for organizations to transition to more secure authentication methods, reducing the risk of credential theft and other security threats.
• Operational Changes: The restriction of HVE to internal recipients may require organizations to adjust their email strategies and consider alternative solutions, such as ACS, for external communications.
• Increased Flexibility: The removal of public preview limitations allows organizations to scale their internal email communications more effectively, with the ability to create more HVE accounts and send emails without recipient rate limits.

Organizations should be aware of the following technical details related to these updates:

• Authentication Methods: While Basic Authentication will be supported until September 2028, organizations are encouraged to implement OAuth for enhanced security. Detailed guidance on implementing OAuth with HVE is available in Microsoft's documentation. (techcommunity.microsoft.com)
• Service Limitations: Starting in June 2025, HVE will no longer support sending emails to external recipients. Organizations should plan to transition to ACS or other solutions for external email communications.
• Account Management: With the removal of public preview limitations, organizations can create up to 100 HVE accounts, providing greater flexibility in managing internal email communications.

Microsoft's updates to the HVE service reflect a commitment to enhancing security and streamlining email services within Microsoft 365. Organizations are encouraged to take proactive steps to transition to modern authentication methods and to adjust their email strategies in response to these changes. By doing so, they can ensure a smooth transition and maintain effective communication channels within their networks.

• High Volume Email: Continued support for Basic Authentication & other important updates | Microsoft Community Hub (techcommunity.microsoft.com)
• Exchange Online to retire Basic auth for Client Submission (SMTP AUTH) | Microsoft Community Hub (techcommunity.microsoft.com)
• Deprecation of Basic authentication in Exchange Online | Microsoft Learn (learn.microsoft.com)
• Microsoft 365 introduces changes to High Volume Email and extends Basic Authentication | Neowin (neowin.net)
• Microsoft extends Basic Authentication for HVE in Microsoft 365 until 2028 | Windows Report (windowsreport.com)