Troubleshoot issues with High Volume Email (HVE) for Microsoft 365

Issue: I set up my printer or LOB app for HVE, but it still can't send email

  1. Verify the settings that were entered directly into the printer are correct:

    | Printer setting | Value |
    | --- | --- |
    | Server/smart host | smtp.hve.mx.microsoft (recommended) or smtp-hve.office365.com (will be deprecated in the future) |
    | Port | Port 587 |
    | TLS/StartTLS | Enabled |
    | Authentication | HVE account credentials or OAuth token |

  2. Depending on the authentication method you chose, check that the HVE account credentials are correct or that the OAuth token is valid.

  3. Validate that your HVE account and the service are working correctly. You can use the SMTP component in the Power Automate platform: SMTP - Connectors.

Error: Authentication unsuccessful

If you receive one of the following errors:

  • 535 5.7.3 Authentication unsuccessful
  • 535 5.7.139 Authentication unsuccessful, the organization configuration doesn't allow this authentication request.

  1. Disable Azure security defaults by setting the Enable security defaults toggle to No:
    1. Sign in to the Azure portal as a Security administrator or Conditional Access administrator.
    2. Navigate to Microsoft Entra ID > Properties.
    3. Select Manage security defaults.
    4. Set the Enable security defaults toggle to No.
    5. Select Save.
  2. HVE accounts can operate even if SMTPClientAuthenticationDisabled is set to True within TransportConfig due to the use of a custom endpoint.
  3. If authentication policies are in use, make sure AllowBasicAuthSmtp is enabled in the policy that applies to the HVE account so that the policy doesn't block it. Custom authentication policies can be applied to HVE accounts as needed.

Troubleshoot billing‑related issues

High Volume Email uses M365 pay‑as‑you‑go billing. If an HVE account doesn’t have a valid billing policy assigned, or if there’s an issue with the associated Azure subscription, the account cannot send email.

Note

High Volume Email billing will begin June 1st, 2026. Until then, usage will not be billed. Billing policies can be configured beforehand, but they will only become required starting June 1, 2026, when usage billing begins.

You can view billing status and errors for HVE accounts in the Exchange admin center on the High Volume Email page, or by viewing the billing policy associated with a specified HVE account in Exchange Online PowerShell.

  • On the High Volume Email page in the Exchange admin center, billing policy information for each HVE account is shown in the Billing policy column.
  • In Exchange Online PowerShell, the BillingPolicyStatus property returned by Get-HVEAccountBillingPolicy reflects the billing status of the HVE account. If an issue exists, the FailureReason property provides additional details about the billing policy or associated subscription.

The following table shows how billing policy states are represented in the Exchange admin center and Exchange Online PowerShell, along with their underlying causes:

| Exchange Admin Center (Billing policy column) | Exchange Online PowerShell (BillingPolicyStatus) | Description |
| --- | --- | --- |
| Name of the billing policy | BillingPolicyValid | A valid billing policy is assigned and the subscription is active. |
| "Connect a policy" link | NoProperBillingPolicyStored | No billing policy is assigned to the account. |
| Policy deleted | BillingPolicyNotFound | The assigned billing policy no longer exists. |
| N/A | BillingPolicyMismatched | The billing policy retrieved doesn’t match the expected tenant or policy identity. This is an uncommon scenario. |
| Policy disconnected from service | NoConnectedBillingPolicyFound | The billing policy isn’t connected to High Volume Email. |
| Subscription inactive or deleted | SubscriptionIsNotActive | The subscription linked to the billing policy isn’t active. |
| N/A | NoSPOLicenseFound | No SharePoint Online license is available for the tenant, preventing billing policy validation. |

Troubleshoot OAuth authentication issues for High Volume Email

With the support of OAuth authentication for High Volume Email, clients can now significantly enhance the security of their email operations. This article helps you troubleshoot failures that occur during the authentication stage.

As a first step to fixing any problems, check your configuration. See OAuth authentication for high volume emails for Microsoft 365 for the configuration options.

I received an authentication error when trying to authenticate with OAuth2

This error can be caused by different factors:

  • Expired Tokens: The token used for authentication or authorization may have expired.
  • Invalid Token: The format of the token doesn't match the OAuth2 format.
  • Incorrect API permissions: An API permission type mismatch causes an OAuth2 failure when the scopes or permissions requested by the client application don't align with the permissions configured or allowed on the authorization server.

OAuth SMTP Error Codes and Resolutions

This section explains common OAuth SMTP error codes and offers guidance on how to resolve them. If you encounter any of the following error codes, follow the recommended steps to address the issue.

| Error Code | Description | Resolution |
| --- | --- | --- |
| 501 5.5.121 | Invalid XOAUTH2 argument. | Ensure that the authentication data after XOAUTH2 is encoded correctly in base64 format. |
| 501 5.5.122 | Invalid XOAUTH2 auth data. For example: the following format for auth data is incorrect: `auth=Bearer^Auser=<EmailAddress> <OauthToken>^A^A` | Ensure that the auth data encoded into base64 follows the format (angled brackets are used as placeholders): `user=<EmailAddress>^Aauth=Bearer <OauthToken>^A^A` |
| 501 5.5.123 | Invalid XOAUTH2 auth data - No user address provided. For example: User email address is absent: `user=^Aauth=Bearer <OauthToken>^A^A` | Ensure that the auth data encoded into base64 follows the format (angled brackets are used as placeholders): `user=<EmailAddress>^Aauth=Bearer <OauthToken>^A^A` |
| 501 5.5.124 | Invalid XOAUTH2 auth data - User address provided isn't valid. For example: User email address is invalid: `user=<InvalidEmailAddress>^Aauth=Bearer <OauthToken>^A^A` | Ensure that the auth data encoded into base64 follows the format (angled brackets are used as placeholders): `user=<EmailAddress>^Aauth=Bearer <OauthToken>^A^A` |
| 501 5.5.125 | Invalid XOAUTH2 auth data - Auth type data absent. For example: Bearer keyword is absent from the auth data: `user=<EmailAddress>^Aauth= <OauthToken>^A^A` | Ensure that the auth data encoded into base64 follows the format (angled brackets are used as placeholders): `user=<EmailAddress>^Aauth=Bearer <OauthToken>^A^A` |
| 501 5.5.126 | Invalid XOAUTH2 auth data - Auth token absent. For example: OauthToken string is absent from the auth data: `user=<EmailAddress>^Aauth=Bearer ^A^A` | Ensure the auth data encoded into base64 follows the format (angled brackets are used as placeholders): `user=<EmailAddress>^Aauth=Bearer <OauthToken>^A^A` |
| 535 5.7.127 | Authentication unsuccessful | This is a generic authentication failure scenario. Refer to the document OAuth authentication for high volume emails for Microsoft 365 for the recommended setup. |
| 535 5.7.142 | XOAUTH2 authentication failed. Token will expire soon. | Ensure that the session time doesn't exceed the token expiry time. Obtain a new OAuth token if possible. |
| 535 5.7.143 | XOAUTH2 authentication failed. Expired token. | Check if the token is still valid, regenerate the user token to ensure the token is valid. |
| 535 5.7.144 | XOAUTH2 authentication failed. Invalid API permissions. | Follow the document OAuth authentication for high volume emails for Microsoft 365 to check the configured permissions under API Permission section. |
| 550 5.7.240 | The application is not allowed for use with this High Volume Email account. | Ensure the application is on the allowed applications list for this High Volume Email account. For more information on allowed applications, see OAuth authentication for high volume emails for Microsoft 365. |
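
The 501 5.5.121 through 5.5.126 rows all describe defects in the base64 auth data, so they can be caught locally before a session is opened. The following is an added example, not Microsoft's code or the service's parser: it builds the string in the format given in the table (`^A` is the single byte 0x01) and maps each malformation to the code the table lists. The function names, the loose address pattern and the sample values are assumptions.

```python
import base64
import binascii
import re

SEP = "\x01"  # the ^A (Ctrl-A) separator shown in the table
# Loose address check: an assumption, not the service's validation rule.
ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def encode_raw(raw: str) -> str:
    """Base64-encode an auth-data string as sent after AUTH XOAUTH2."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def build_xoauth2(user: str, token: str) -> str:
    """Encode user=<EmailAddress>^Aauth=Bearer <OauthToken>^A^A."""
    return encode_raw(f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}")


def diagnose_xoauth2(encoded: str) -> str:
    """Return the 501 5.5.12x code the table lists for this defect, or 'ok'."""
    try:
        raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return "501 5.5.121"  # argument is not valid base64
    fields = raw.split(SEP)
    # A well-formed string splits into ["user=...", "auth=...", "", ""].
    if (len(fields) != 4 or fields[2:] != ["", ""]
            or not fields[0].startswith("user=")
            or not fields[1].startswith("auth=")):
        return "501 5.5.122"  # wrong field order or missing ^A terminators
    user = fields[0][len("user="):]
    if not user:
        return "501 5.5.123"  # no user address
    if not ADDRESS.match(user):
        return "501 5.5.124"  # user address not valid
    scheme, _, token = fields[1][len("auth="):].partition(" ")
    if scheme != "Bearer":
        return "501 5.5.125"  # auth type absent
    if not token.strip():
        return "501 5.5.126"  # token absent
    return "ok"


if __name__ == "__main__":
    # Constructed sample values; never print a real token.
    print(diagnose_xoauth2(build_xoauth2("printer@contoso.com", "SAMPLE-TOKEN")))
```

A result of `ok` only means the string is well formed; the 535 and 550 codes in the table depend on the token and tenant configuration and can only be confirmed against the service.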

For more information on SMTP error codes, see Email non-delivery reports and SMTP errors in Exchange Online.