MC734278: Throttling and Blocking of Out-of-date Connecting On-premises Exchange 2016 Servers

Announcement ID: MC734278
Published Date: 03-12-2024
Service: Exchange
Last Updated: 03-12-2024
Category: Prevent or fix issues
Expiration Date: 12-31-2024
Roadmap ID:
Action Required by Date:
Tags: Admin impact, User impact


Summary
Microsoft will soon start throttling and blocking messages sent from out-of-date on-premises Exchange 2016 servers over an Exchange Online inbound connector of type OnPremises. Starting between March 24, 2024, and April 5, 2024, when a non-compliant Exchange 2016 server is detected, it will appear in the report in the Exchange admin center (EAC). To prevent mail delays and bounced messages from on-prem, make sure your connecting Exchange 2016 servers that are sending mail over an Exchange Online inbound connector of type OnPremises are kept up to date with the latest cumulative and security updates.


More Information

You appear to be using Exchange Server 2016 to send mail from on-premises to Exchange Online. As communicated last May in Message center post MC551017, for security reasons we'll soon start throttling and blocking messages sent from out-of-date on-premises Exchange 2016 servers over an Exchange Online inbound connector of type OnPremises. If your connecting Exchange servers aren't kept up to date with the latest cumulative and security updates, they could be subject to throttling and blocking, resulting in mail delays and bounced messages.

How this will affect your organization:

Starting between March 24, 2024, and April 5, 2024, when a non-compliant Exchange 2016 server is detected, it will appear in the following report in the Exchange admin center (EAC): Reports > Mail flow > Out-of-date connecting on-premises Exchange servers. Over the subsequent 90 days we'll apply progressively aggressive enforcement actions: The first 30 days is reporting-only (no throttling or blocking), followed by 30 days of message throttling (up to 30 minutes per hour), then 30 days of combined throttling and blocking (some messages still allowed through). After this 90-day period, all messages from the out-of-date Exchange server will be blocked until we detect that the server has been updated with the latest cumulative and security updates.

What you need to do to prepare:

To prevent mail delays and bounced messages from on-prem, make sure your connecting Exchange 2016 servers that are sending mail over an Exchange Online inbound connector of type OnPremises are kept up to date with the latest cumulative and security updates.

Between March 24th and April 5th, check the report in the EAC to see if we've detected any non-compliant servers. You can also use Exchange Online PowerShell:

Get-OnPremServerReportInfo

Only out-of-date servers will appear in the report or in the output of the cmdlet, and only those servers will be subject to throttling and blocking. If your connecting Exchange 2016 servers are not listed in the report or cmdlet output, then mail coming into Exchange Online directly from those servers won't be throttled or blocked.

In addition to the 30-day reporting-only grace period, you can also pause enforcement for up to 90 days each calendar year using the Enforcement pause option, a link for which appears in the report if any out-of-date servers are detected. Or you can run this cmdlet to pause enforcement instead:

New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays <# of days>

And you can run this cmdlet to view the details of enforcement pauses you've created:

Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer

Note: When you pause enforcement, it starts immediately for your entire tenant, even if it's during the reporting-only period when neither throttling nor blocking is taking place. You cannot schedule an enforcement pause for a future date. To make the best use of your 90 enforcement pause days per year, consider the following tips:

Don't pause enforcement during the initial 30-day reporting period when neither throttling nor blocking occurs - wait until near the start of the 30-day throttling period or later. The Details column in the servers table in the EAC report will show when throttling will start for each out-of-date server.

You can't cancel a pause mid-way through its duration and get the remaining days back to use again later. So when you create an enforcement pause, use only the number of pause days you think you'll need to finish installing the updates. If mid-way through the pause you realize you need more time to finish the updates, you can extend the existing pause by creating a new enforcement pause. The new pause will automatically start when the previous one ends.
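
The following PowerShell, added here as an illustration and not part of Microsoft's announcement, applies the stage lengths and pause tips above to dates you read from the EAC report. The function names `Get-EnforcementStage` and `Get-PausePlan` are hypothetical, the sample dates are constructed, and it assumes the 90-day enforcement window is counted from the day the server first appears in the report.

```powershell
# Added example: plan an enforcement pause from dates read off the EAC report.
# Assumption: the 90-day enforcement window is counted from the day the server
# first appears in the report. Function names are hypothetical helpers.

function Get-EnforcementStage {
    param(
        [Parameter(Mandatory)][datetime]$FirstDetected,
        [datetime]$AsOf = (Get-Date)
    )
    # Whole days elapsed since the server was first reported as out of date
    $day = [int][math]::Floor(($AsOf.Date - $FirstDetected.Date).TotalDays)
    if     ($day -lt 0)  { 'NotDetected' }
    elseif ($day -lt 30) { 'ReportingOnly' }           # no throttling or blocking
    elseif ($day -lt 60) { 'Throttling' }              # up to 30 minutes per hour
    elseif ($day -lt 90) { 'ThrottlingAndBlocking' }   # some messages still allowed
    else                 { 'FullBlocking' }            # until the server is updated
}

function Get-PausePlan {
    param(
        [Parameter(Mandatory)][datetime]$FirstDetected,
        [Parameter(Mandatory)][datetime]$PatchingDone,        # expected date updates are finished
        [ValidateRange(0, 90)][int]$PauseDaysUsedThisYear = 0,
        [datetime]$AsOf = (Get-Date)
    )
    $throttleStart = $FirstDetected.Date.AddDays(30)
    # A pause starts the moment it is created and cannot be scheduled, so the
    # cmdlet should be run on the later of today and the throttling start date.
    $start     = if ($AsOf.Date -gt $throttleStart) { $AsOf.Date } else { $throttleStart }
    $needed    = [math]::Max(0, [int][math]::Ceiling(($PatchingDone.Date - $start).TotalDays))
    $remaining = 90 - $PauseDaysUsedThisYear                  # yearly pause budget left
    $days      = [math]::Min($needed, $remaining)             # request only what is needed

    [pscustomobject]@{
        StageToday      = Get-EnforcementStage -FirstDetected $FirstDetected -AsOf $AsOf
        ThrottlingStart = $throttleStart
        RunPauseOn      = $start
        NumberOfDays    = $days
        UncoveredDays   = $needed - $days                     # days the budget cannot cover
        Command         = if ($days -gt 0) {
            "New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays $days"
        } else { $null }
    }
}

# Constructed sample dates, not taken from any real tenant
Get-PausePlan -FirstDetected '2024-03-28' -PatchingDone '2024-05-20' -AsOf '2024-04-10'
```

The functions only do date arithmetic and print the command to run; they do not connect to Exchange Online or create a pause themselves.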

