Microsoft Enhances High Volume Email Service with Internal-Only Focus and Extended Authentication Support

Microsoft Enhances High Volume Email Service with Internal-Only Focus and Extended Authentication Support

Microsoft has recently announced significant updates to its High Volume Email (HVE) service within Microsoft 365, introducing an internal-only email policy and extending support for Basic Authentication until September 2028. These changes aim to streamline email services and provide organizations with additional time to transition to more secure authentication methods.

Background on High Volume Email (HVE)

Introduced in April 2024, HVE is designed to enable organizations to send large volumes of emails, primarily to internal recipients, without the recipient rate limits typically imposed by Exchange Online. This service is particularly beneficial for line-of-business applications and automated systems that require efficient internal communication channels.

Key Updates to HVE

Effective June 2025, HVE will be restricted to sending emails exclusively within an organization's tenant. This means that HVE can no longer be utilized for sending emails to external recipients; its use will be confined to messages within the same tenant. Microsoft explained that this change aims to simplify email offerings and clearly define HVE's purpose within the Microsoft 365 ecosystem. For scenarios requiring high-volume email to external recipients, Microsoft recommends using Azure Communication Services (ACS) for email. External sending capabilities will be removed from HVE later in June 2025. (techcommunity.microsoft.com)

Microsoft has extended support for Basic Authentication in HVE until September 2028. This extension is intended to give businesses additional time to transition to modern authentication methods, such as OAuth. While this extension provides a longer runway, Microsoft strongly encourages organizations to adopt modern authentication protocols as soon as possible to enhance security. The company acknowledges that not all organizations are currently in a position to make this transition, which is the primary reason for extending the deadline. (techcommunity.microsoft.com)

Microsoft is removing previous limitations on the number of HVE accounts and internal recipient rate limits. Organizations will now be able to create up to 100 HVE accounts, and the internal recipient rate limits have been eliminated entirely. These enhancements provide greater flexibility for internal communications within organizations. (techcommunity.microsoft.com)

Implications for Organizations

These updates have several implications for organizations utilizing HVE:

• Internal Communication Enhancement: The removal of internal recipient rate limits allows organizations to send large volumes of internal emails without restrictions, improving communication efficiency.
• Transition Planning: Organizations that previously used HVE for external communications will need to plan a transition to Azure Communication Services or other solutions for their external email needs.
• Security Considerations: While the extension of Basic Authentication support provides additional time, organizations should prioritize migrating to modern authentication methods to enhance security and comply with future requirements.

Technical Details

During the public preview, HVE required SMTP Basic Authentication. With the extension, Basic Authentication will remain supported until September 2028. However, Microsoft has added support for OAuth, and organizations are encouraged to start planning their migration to OAuth to benefit from its enhanced security features. (techcommunity.microsoft.com)

• Server/Endpoint: INLINECODE0
• Port: 587
• TLS: STARTTLS (TLS 1.2 and TLS 1.3 are supported)
• Authentication: Username and password

Conclusion

Microsoft's recent updates to the High Volume Email service reflect a strategic move to enhance security and streamline email services within Microsoft 365. Organizations should assess their current email practices, plan for necessary transitions, and prioritize the adoption of modern authentication methods to ensure compliance and maintain effective communication channels.