On Feb. 20, 2025, Microsoft began restricting and eventually blocking emails coming from unsupported or unpatched Exchange servers in Exchange Online. This move was intended to strengthen the security of their cloud services and reduce the risk of security incidents. This had a direct impact on many organizations.
What does this mean for your organization?
Does your organization have a hybrid Exchange setup? If so, it is crucial that on-premises Exchange servers are constantly updated with the latest security updates. Microsoft sees servers without recent updates as a security risk and will incrementally restrict e-mail traffic from on-premises to Exchange Online and eventually block it completely.
How does the enforcement process work?
Microsoft uses a phased process in which Exchange Online progressively reduces the flow of e-mail from incompatible servers in eight phases:
1. Report
Administrators will receive notifications in a new report within the Exchange Administration Center listing outdated or unpatched on-premises Exchange servers. This gives administrators an opportunity to prioritize updates.
2. Throttling (slowing down emails).
After 30 days, Microsoft starts throttling the flow of e-mail from on-premises servers to Exchange Online. This occurs in three phases (Phases 2-4) with the degree of throttling increasing every 10 days. This means that emails are temporarily delayed due to an SMTP 450 error, but will be offered again later.
3. Block
If the server is still not updated after 60 days, partial blocking (Phases 5-7) starts. This means that an increasing number of messages are permanently rejected due to an SMTP 550 error, resulting in a non-delivery report (NDR) to the sender. Every 10 days, the blocking becomes more severe.
4. Full blocking
After 90 days, the server will be completely excluded from e-mail traffic with Exchange Online (Phase 8). From this point on, no messages will be accepted from this server.
Phases of the enforcement system:
Total lead time: 90 days from first detection to full blocking
What if you can’t update right away?
Microsoft allows organizations to pause enforcement for up to 90 days per calendar year. This can be done through the Exchange management center or with PowerShell commands. This gives additional time to perform updates or migrations without directly impacting the email flow.
Conclusion
Microsoft’s new enforcement measures make it essential to update Exchange servers in a timely manner. Administrators must act proactively to avoid interruptions in email traffic and strengthen the security of their IT environment. Don’t wait – check and update your servers today!