Graph and PowerShell Blog

Microsoft has documentation for removing the last Exchange server in a Hybrid setup but until now never really addressed how mail relay for applications would be replaced. Some admins have installed a Linux mail server on-prem with a routing group connector to O365, but that still leaves you with at least one on-prem server.

Finally, we have a solution, High Volume Email (HVE) which allows for 20 accounts that can relay email using basic authentication. SMTP basic authentication will be turned off for regular accounts in 2025, but these HVE accounts will be allowed to use basic auth after this by relaying to a different address: smtp-hve.office365.com.

Currently, this is in general preview, so we won't know the final details until September 2024. Microsoft has not said if there will be a cost for this service, but if I had to guess I would say it would remain free with 20 accounts. There is also a limit on how many external mails can be sent, which could be a problem with scanned documents sent via mail.

With all this in mind, I decided to take an inventory of existing applications relaying mail. First I found we had over 40 apps relaying, so with only 20 addresses to choose from this means some apps will need to share.
Second I checked what apps would support client submissions for relay, nearly all of them did just a couple of legacy apps would only support simple SMTP relay
Finally, I checked what apps could use OAuth or Graph, again this was a small number, one app supported Graph, and two apps supported Client Submission with OAuth.

After taking the inventory it was time to setup an account and create a firewall rule for access, both for the LAN and the New World Landing Zone in Azure. The firewall rules were quite straightforward, port 587 allowed out to smtp-hve.office365.com.
With this setup it was time to test with a PowerShell script, but an error came back:

↑ Authentication error - Error: 535 5.7.139

This is because basic authentication is turned off for all accounts by default. The solution was to apply a policy that allows for Basic Authentication with ExchangeOnline PowerShell:

set-user hve@domain.com -AuthenticationPolicy "Allow SMTP Basic Auth"

Trying the script again, we seem to get the same error:

↑ Another authentication error.

Slight difference in the error message, and if you look up the error code it gives a hint as to where the problem lies:

↑ Error Code 53003 points to Conditional Access.

It's best to check the account activity in Azure to find what Conditional Access rules were blocking this. In our case, two rules blocked the access, MFA and Block Basic Auth.

After allowing an exception the mail was sent via HVE.

Update August 2024: After using HVE for three months, I encountered a new issue: the password expired on the Azure Entra account. Normally with on-prem service accounts, I would tick the AD 'password never expires' checkbox, but as these exist only in Entra there was no option. Instead, you need to assign a predefined Password Policy.

#connect with correct permissions
Connect-MgGraph -Scopes "User.ReadWrite.All"

# check if already set
Get-MGuser -UserId hve_account@domain.com -Property UserPrincipalName, PasswordPolicies | Select-Object UserPrincipalName,@{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}}

# update user
update-mguser -UserId hve_account@domain.com -PasswordPolicies DisablePasswordExpiration

Graph and PowerShell Blog	Articles 2024 Installing Exchange 2019 in Azure Landing Zone Upgrading PHP on Windows Adding a Postfix server for relay to O365 O365 Integrated Apps troubleshooting Domino and O365 Co-existence Delegate Control in AD App mail relay via HVE Setting up Mail Relay with HVE Getting BIMI certified Orbea Occam SL H30 Installing FreeSat and Saorview Changing broadband provider Replacing a DIN timer on fuseboard Outlook Desktop Notifications stop working Outlook folders keep moving sort order Teams report uploading to SharePoint with Runbooks Teams PowerShell module can't run CS cmd as App 2023 Cannot map new Shared Mailboxes in O365 Renewing an Exchange 2016 certificate Connect to Compliance PowerShell behind a Proxy Sensitivity Label not shown in Outlook Client Room Finder Error in Outlook Teams not showing Rooms Teams unable to open file Unable to review quarantined mails for shared mailbox Set Locale for various Apps Delegate Sent Items placed into external Tenant Overview of Microsoft Support cases When centralized mail sends via O365 Cleaning up your Windows DNS server Set OneDrive for Business Locale O365 Migration Tips Reporting on successful Azure logons IIS Mapi Queue full with NetScaler Secure Office365 reports with a certificate Using Graph to send emails with inline images Visualizing Graph data with Google Charts Keeping a log of NetScaler AlwaysON connections \| About \| Links

Setting up Mail Relay with HVE 16-May-24 Microsoft has documentation for removing the last Exchange server in a Hybrid setup but until now never really addressed how mail relay for applications would be replaced. Some admins have installed a Linux mail server on-prem with a routing group connector to O365, but that still leaves you with at least one on-prem server. Finally, we have a solution, High Volume Email (HVE) which allows for 20 accounts that can relay email using basic authentication. SMTP basic authentication will be turned off for regular accounts in 2025, but these HVE accounts will be allowed to use basic auth after this by relaying to a different address: smtp-hve.office365.com. Currently, this is in general preview, so we won't know the final details until September 2024. Microsoft has not said if there will be a cost for this service, but if I had to guess I would say it would remain free with 20 accounts. There is also a limit on how many external mails can be sent, which could be a problem with scanned documents sent via mail. With all this in mind, I decided to take an inventory of existing applications relaying mail. First I found we had over 40 apps relaying, so with only 20 addresses to choose from this means some apps will need to share. Second I checked what apps would support client submissions for relay, nearly all of them did just a couple of legacy apps would only support simple SMTP relay Finally, I checked what apps could use OAuth or Graph, again this was a small number, one app supported Graph, and two apps supported Client Submission with OAuth. After taking the inventory it was time to setup an account and create a firewall rule for access, both for the LAN and the New World Landing Zone in Azure. The firewall rules were quite straightforward, port 587 allowed out to smtp-hve.office365.com. With this setup it was time to test with a PowerShell script, but an error came back: ↑ Authentication error - Error: 535 5.7.139 This is because basic authentication is turned off for all accounts by default. The solution was to apply a policy that allows for Basic Authentication with ExchangeOnline PowerShell: set-user hve@domain.com -AuthenticationPolicy "Allow SMTP Basic Auth" Trying the script again, we seem to get the same error: ↑ Another authentication error. Slight difference in the error message, and if you look up the error code it gives a hint as to where the problem lies: ↑ Error Code 53003 points to Conditional Access. It's best to check the account activity in Azure to find what Conditional Access rules were blocking this. In our case, two rules blocked the access, MFA and Block Basic Auth. After allowing an exception the mail was sent via HVE. Update August 2024: After using HVE for three months, I encountered a new issue: the password expired on the Azure Entra account. Normally with on-prem service accounts, I would tick the AD 'password never expires' checkbox, but as these exist only in Entra there was no option. Instead, you need to assign a predefined Password Policy. #connect with correct permissions Connect-MgGraph -Scopes "User.ReadWrite.All" # check if already set Get-MGuser -UserId hve_account@domain.com -Property UserPrincipalName, PasswordPolicies \| Select-Object UserPrincipalName,@{N="PasswordNeverExpires";E={$_.PasswordPolicies -contains "DisablePasswordExpiration"}} # update user update-mguser -UserId hve_account@domain.com -PasswordPolicies DisablePasswordExpiration