GA date for this feature has been moved to March 2026
High Volume Email (HVE) for Microsoft 365 enables customers to send large volumes of email to internal recipients without recipient rate limits...
Updated Oct 06, 2025
Version 2.0
Blog Post
3 MIN READ
High Volume Email: Continued support for Basic Authentication & other important updates
We're trying to understand the sign-in logs of our HVE accounts. Source IPs are not ours, seem to be Microsoft IPs, but from many different geo-locations than the location IP address of where we use the account. Also, the apps listed is not clear. Hopefully my attached image will come with this post where it shows signed in apps SmtpBasicAuthApp and Office 365 Exchange Online, sometimes at the near same point in time, but sometimes just 1 by itself. And then occasionally there is app TEST-SMTPBasicAuthApp that gets logged. These 3 apps seem reasonable considering the purpose of HVE, and still in a preview test phase. The question is, if ever we see an HVE account logging into any other app, then does that mean the account is compromised? Is there a way to determine our source public IP of an HVE sign-in, for those HVEs we use at multiple locations with their own internet point of presence? The attached screenshot is for 1 of our HVE accounts used at 1 location. Thank you.
Simone_LiebalMicrosoft
gmorrissui, Huw_w and hardwarelooker
Well spotted and thank you all for sharing your experiences, this feedback is very helpful as we continue to refine HVE!We’re currently rolling out some improvements to the underlying Basic Authentication flow, and this work is causing some of the behaviors you’ve noticed in the sign‑in logs. During this transition period, it’s expected that you may continue to see sign‑ins attributed to SmtpBasicAuthApp and Office 365 Exchange Online, sometimes close together in time. These are both valid for HVE scenarios. The TEST‑SmtpBasicAuthApp entry you’ve seen was linked to internal testing and has now been corrected, so it should no longer appear going forward.
Regarding source IP addresses: at this stage we aren’t able to provide a fixed list of IPs for HVE traffic. Some variability is expected due to how backend authentication and routing occur. That said, we are working on improving documentation around HVE IP ranges where possible to provide you better clarity.
Huw_w to address a related question, that you've brought up: HVE accounts do need to authenticate in order to send email, so even in scenarios where Conditional Access policies block some attempts, a successful authentication must have gone through for mail to be delivered.
Thank you very much Simone_Liebal for your time and help! I understand that previews and transition periods may have anomalous and temporary behaviors. It's good to get an explanation of what's expected and not, so we appreciate that from you.
To follow up on source IP addresses in the sign-in logs, it is our desire and expectation that we see the public source IP address from where the authentication originates, as seen with all the other 365 application types. In our case, our HVE authentications originate within our data centers, so the expectation is their logged sign-in source IP addresses will be one of our public egress IP addresses, and therefore a logged source IP address that is not one of our addresses will be considered an indicator of compromise. Please keep us updated as to when we can expect the logged source IP address to truly reflect the originating source. Thank you!Simone_Liebal Thanks for the info. We are seeing HVE accounts getting blocked in the EU by risk based polices because of this change. I agree with gmorrissui the sign-in logs really need to show connecting client source IP address. I'm also not seeing the IP's (dns also) included here. I assume this might need updating. https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide
Thank you for your reply! May I ask how the authentication flow will look after the transition period? Will we continue to see sign-ins originating from our own IP addresses, as is currently the case with Office 365 Exchange Online, or will sign-ins come from Microsoft IP addresses, similar to what we see with SmtpBasicAuthApp?
At the moment, sign-ins coming from Microsoft IP addresses via SmtpBasicAuthApp are triggering risk detections. Just this week, I had multiple users flagged as risky due to this behavior.
Will it be possible to block sign-ins based on the source IP address using Conditional Access? For us, this is an absolute requirement, as MFA is not possible in this scenario. We need to rely on the source IP address as a second factor.
Thanks for this. As we only operate in the UK, we have a CA policy that blocks access from any non UK IP addresses. The logins from the photocopiers all show as Office 365 Exchange, and all have known UK IP addresses so all pass the CA policy. The SmtpBasicAuthApp logins are all coming from outside the UK so all are blocked by the CA Policy.
Do you have any thoughts on the 10M email size limit? Our copiers/scanners frequently produce emails that are larger than this and submission fails.
I've noticed these too. We have a Conditional Access policy that blocks logins from outside the UK, so all of these extra logins fail. This doesn't seam to stop any emails coming through!
All our HVE account logs look the same. We recently started using HVE accounts, and I cannot recall seeing SmtpBasicAuthApp logins in the beginning. Even worse, due to the vastly changing IP addresses, these logins regularly flag our HVE accounts as risky.
