MC734278: Throttling and Blocking of Out-of-date Connecting On-premises Exchange 2016 Servers

Announcement ID	MC734278	Published Date	03-12-2024
Service	Exchange	Last Updated	03-12-2024
Category	Prevent or fix issues	Expiration Date	12-31-2024
Roadmap ID		Action Required by Date
Tags	Admin impact, User impact

Summary
Microsoft will soon start throttling and blocking messages sent from out-of-date on-premises Exchange 2016 servers over an Exchange Online inbound connector of type OnPremises. Starting between March 24, 2024, and April 5, 2024, when a non-compliant Exchange 2016 server is detected, it will appear in the report in the Exchange admin center (EAC). To prevent mail delays and bounced messages from on-prem, make sure your connecting Exchange 2016 servers that are sending mail over an Exchange Online inbound connector of type OnPremises are kept up to date with the latest cumulative and security updates.

Summary

Microsoft will soon start throttling and blocking messages sent from out-of-date on-premises Exchange 2016 servers over an Exchange Online inbound connector of type OnPremises. Starting between March 24, 2024, and April 5, 2024, when a non-compliant Exchange 2016 server is detected, it will appear in the report in the Exchange admin center (EAC). To prevent mail delays and bounced messages from on-prem, make sure your connecting Exchange 2016 servers that are sending mail over an Exchange Online inbound connector of type OnPremises are kept up to date with the latest cumulative and security updates.

More Information

More Information
You appear to be using Exchange Server 2016 to send mail from on-premises to Exchange Online. As communicated last May in Message center post MC551017, for security reasons we'll soon start throttling and blocking messages sent from out-of-date on-premises Exchange 2016 servers over an Exchange Online inbound connector of type OnPremises. If your connecting Exchange servers aren't kept up to date with the latest cumulative and security updates, they could be subject to throttling and blocking, resulting in mail delays and bounced messages. How this will affect your organization: Starting between March 24, 2024, and April 5, 2024, when a non-compliant Exchange 2016 server is detected, it will appear in the following report in the Exchange admin center (EAC): Reports > Mail flow > Out-of-date connecting on-premises Exchange servers. Over the subsequent 90 days we'll apply progressively aggressive enforcement actions: The first 30 days is reporting-only (no throttling or blocking), followed by 30 days of message throttling (up to 30 minutes per hour), then 30 days of combined throttling and blocking (some messages still allowed through). After this 90-day period, all messages from the out-of-date Exchange server will be blocked until we detect that the server has been updated with the latest cumulative and security updates. What you need to do to prepare: To prevent mail delays and bounced messages from on-prem, make sure your connecting Exchange 2016 servers that are sending mail over an Exchange Online inbound connector of type OnPremises are kept up to date with the latest cumulative and security updates. Between March 24th and April 5th, check the report in the EAC to see if we've detected any non-compliant servers. You can also use Exchange Online PowerShell: `Get-OnPremServerReportInfo` Only out-of-date servers will appear in the report or in the output of the cmdlet, and only those servers will be subject to throttling and blocking. If your connecting Exchange 2016 servers are not listed in the report or cmdlet output, then mail coming into Exchange Online directly from those servers won't be throttled or blocked. In addition to the 30 days reporting-only grace period, you can also pause enforcement for up to 90 days each calendar year using the Enforcement pause option, a link for which appears in the report if any out-of-date servers are detected. Or you can run this cmdlet to pause enforcement instead: `New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays <# of days>` And you can run this cmdlet to view the details of enforcement pauses you've created: `Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer` Note: When you pause enforcement it starts immediately for your entire tenant, even if it's during the reporting-only period when neither throttling nor blocking is taking place. You cannot schedule an enforcement pause for a future date. To make the best use of your 90 enforcement pause days per year consider the following tips: Don't pause enforcement during the initial 30-day reporting period when neither throttling nor blocking occur - wait until near the start of the 30-day throttling period or later. The Details column in the servers table in the EAC report will show when throttling will start for each out-of-date server. You can't cancel a pause mid-way through its duration and get the remaining days back to use again later. So when you create an enforcement pause, use only the number of pause days you think you'll need to finish installing the updates. If mid-way through the pause you realize you need more time to finish the updates, you can extend the existing pause by creating a new enforcement pause. The new pause will automatically start when the previous one ends.

You appear to be using Exchange Server 2016 to send mail from on-premises to Exchange Online. As communicated last May in Message center post MC551017, for security reasons we'll soon start throttling and blocking messages sent from out-of-date on-premises Exchange 2016 servers over an Exchange Online inbound connector of type OnPremises. If your connecting Exchange servers aren't kept up to date with the latest cumulative and security updates, they could be subject to throttling and blocking, resulting in mail delays and bounced messages.

How this will affect your organization:

Starting between March 24, 2024, and April 5, 2024, when a non-compliant Exchange 2016 server is detected, it will appear in the following report in the Exchange admin center (EAC): Reports > Mail flow > Out-of-date connecting on-premises Exchange servers. Over the subsequent 90 days we'll apply progressively aggressive enforcement actions: The first 30 days is reporting-only (no throttling or blocking), followed by 30 days of message throttling (up to 30 minutes per hour), then 30 days of combined throttling and blocking (some messages still allowed through). After this 90-day period, all messages from the out-of-date Exchange server will be blocked until we detect that the server has been updated with the latest cumulative and security updates.

What you need to do to prepare:

To prevent mail delays and bounced messages from on-prem, make sure your connecting Exchange 2016 servers that are sending mail over an Exchange Online inbound connector of type OnPremises are kept up to date with the latest cumulative and security updates.

Between March 24th and April 5th, check the report in the EAC to see if we've detected any non-compliant servers. You can also use Exchange Online PowerShell:

Get-OnPremServerReportInfo

Only out-of-date servers will appear in the report or in the output of the cmdlet, and only those servers will be subject to throttling and blocking. If your connecting Exchange 2016 servers are not listed in the report or cmdlet output, then mail coming into Exchange Online directly from those servers won't be throttled or blocked.

In addition to the 30 days reporting-only grace period, you can also pause enforcement for up to 90 days each calendar year using the Enforcement pause option, a link for which appears in the report if any out-of-date servers are detected. Or you can run this cmdlet to pause enforcement instead:

New-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer -NumberOfDays <# of days>

And you can run this cmdlet to view the details of enforcement pauses you've created:

Get-TenantExemptionInfo -BlockingScenario UnpatchedOnPremServer

Note: When you pause enforcement it starts immediately for your entire tenant, even if it's during the reporting-only period when neither throttling nor blocking is taking place. You cannot schedule an enforcement pause for a future date. To make the best use of your 90 enforcement pause days per year consider the following tips:

Don't pause enforcement during the initial 30-day reporting period when neither throttling nor blocking occur - wait until near the start of the 30-day throttling period or later. The Details column in the servers table in the EAC report will show when throttling will start for each out-of-date server.

You can't cancel a pause mid-way through its duration and get the remaining days back to use again later. So when you create an enforcement pause, use only the number of pause days you think you'll need to finish installing the updates. If mid-way through the pause you realize you need more time to finish the updates, you can extend the existing pause by creating a new enforcement pause. The new pause will automatically start when the previous one ends.

Top News

MC878427: Restricted Content Discoverability for SharePoint Sites

MC761227: Microsoft Teams Phone devices: Advanced calling and contact management on non-touch phones

MC721853: Microsoft New feedback button

MC891238: Microsoft SharePoint and Microsoft Teams: Update on new Microsoft Lists rollout

MC797119: A new Start experience

MC888034: Accept Apple's new terms and conditions to ensure Intune can communicate with Apple as expected

Removing the Default Exchange Server Database: A Step-by-Step Guide

Create and Manage Exchange Groups

Creating a Mailbox in Exchange Server 2013 Using PowerShell

MC888036: Prevent/Fix: PnP PowerShell authentication failures

MC734278: Throttling and Blocking of Out-of-date Connecting On-premises Exchange 2016 Servers

Contact Form

Top News

MC734278: Throttling and Blocking of Out-of-date Connecting On-premises Exchange 2016 Servers

You Might Like

Contact Form