I need to enable SMTP port 25 outgoing messages from my VMs

Question

I need to enable SMTP port 25 outgoing messages from my VMs

Jesús San Miguel 0

I changed subscriptions, and I need to remove the default restriction for outgoing SMTP messages.

My application (PRTG) does not support oauth2 required by my 365 mail server.

Temporarily enabling submission/auth port is not a solution, since MS has already announced its demise this autumn.

Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator

2025-10-24T10:52:29.1666667+00:00

Hi Jesús San Miguel,

Welcome to Microsoft Q&A forum.

We are currently assessing your issue , we will update you soon to help you resolve the same.

Thanks
Jesús San Miguel 0 Reputation points

2025-10-24T13:10:42.1766667+00:00

I'm afraid that's not very helpfull... been there, done that.

After running the diagnostic, the result is this:

Subscription diagnostic

This diagnostic checks your subscription type against current Microsoft policy to determine the eligibility to send outbound traffic on port 25. It will take just a few minutes.

The diagnostic did not detect any issues

Which would seem to indicate that my subscription is eligible to send outbound traffic and so after restarting my VM, all should be good, but on the contrary, after restarting the VM, the restriction persists.

Your recommendations about enabling SMTP relay services do not take into account that Microsoft is shutting down their submission service and suggesting oauthv2, which my application does not support.
Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator

2025-10-24T13:31:39.0933333+00:00

Jesús San Miguel

Thanks for the reply

Could you please validate the below as well?

If the virtual network owned by the exempted subscription has a delegated subnet (to an App Service Environment for example), you must add and remove a new temporary subnet in the Virtual Network. The exemption applies only to the subscription requested and only to VM traffic that is routed directly to the internet.

Thanks
Jesús San Miguel 0 Reputation points

2025-10-24T13:40:10.4766667+00:00

No delegated subnet there, just a plain old VM with a public IP address.
Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator

2025-10-24T14:54:11.6933333+00:00

Jesús San Miguel,

Could you please share what is your subscription type currently?

Thanks

3 answers

Your answer

Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator

2025-10-24T10:52:29.1666667+00:00

Hi Jesús San Miguel,

Welcome to Microsoft Q&A forum.

We are currently assessing your issue , we will update you soon to help you resolve the same.

Thanks
Jesús San Miguel 0 Reputation points

2025-10-24T13:10:42.1766667+00:00

I'm afraid that's not very helpfull... been there, done that.

After running the diagnostic, the result is this:

Subscription diagnostic

This diagnostic checks your subscription type against current Microsoft policy to determine the eligibility to send outbound traffic on port 25. It will take just a few minutes.

The diagnostic did not detect any issues

Which would seem to indicate that my subscription is eligible to send outbound traffic and so after restarting my VM, all should be good, but on the contrary, after restarting the VM, the restriction persists.

Your recommendations about enabling SMTP relay services do not take into account that Microsoft is shutting down their submission service and suggesting oauthv2, which my application does not support.
Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator

2025-10-24T13:31:39.0933333+00:00

Jesús San Miguel

Thanks for the reply

Could you please validate the below as well?

If the virtual network owned by the exempted subscription has a delegated subnet (to an App Service Environment for example), you must add and remove a new temporary subnet in the Virtual Network. The exemption applies only to the subscription requested and only to VM traffic that is routed directly to the internet.

Thanks
Jesús San Miguel 0 Reputation points

2025-10-24T13:40:10.4766667+00:00

No delegated subnet there, just a plain old VM with a public IP address.
Priya ranjan Jena 2,295 Reputation points Microsoft External Staff Moderator

2025-10-24T14:54:11.6933333+00:00

Jesús San Miguel,

Could you please share what is your subscription type currently?

Thanks

Answer 1

Hi Jesús San Miguel,

Welcome to Microsoft Q&A forum

We understand you're looking to have SMTP port 25 opened for your virtual machine in the Azure environment. Please note that Azure blocks outbound SMTP connections on TCP port 25 by default for most subscriptions, including Enterprise Dev/Test, as a security precaution.

If you require access to SMTP port 25, you'll need an enterprise subscription. This port is not blocked for Enterprise Agreement (EA) or Microsoft Customer Agreement for Enterprise (MCA-E) subscriptions, though external domains may still be filtered.

Go to the Virtual Network resource linked to your VM
Open the "Diagnose and Solve Problems" section.
Select “Cannot send email (SMTP-Port 25)”.
Once the block is removed, you'll need to stop and restart your virtual machine to apply the new network policy, all VMs in that subscription are exempted going forward.

If the virtual network owned by the exempted subscription has a delegated subnet (to an App Service Environment for example), you must add and remove a new temporary subnet in the Virtual Network. The exemption applies only to the subscription requested and only to VM traffic that is routed directly to the internet.

We recommend you use authenticated SMTP relay services to send email from Azure VMs or from Azure App Service. Connections to authenticated SMTP relay services are typically on TCP port 587 and isn't blocked. These services are used in part to maintain IP reputation that is critical for delivery reliability.

Reference link for better understanding: https://learn.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity

Hope you find this comment helpful ,if yes, please “up-vote” for the information provided , this can be beneficial to community members.

Kindly let us know if you have any additional questions.

Thanks

Answer 2

Jesús San Miguel 0

It is a benefit of our AI Cloud Partner Program (MS-AZR-0036P)

Answer 3

Hi Jesús San Miguel

The backend team has confirmed that, starting November 15th, 2017, sending outbound email directly to external domains (such as outlook.com, gmail.com) from a Virtual machine (VM) was made available only to certain subscription types.

In March 2022, the policy was further changed so that we will no longer allow exceptions to the block on outbound port 25 (SMTP) for Pay as you go or CSP subscription types. Existing customers and subscriptions with existing exceptions will continue to be allowed so we will not break existing customers. However, no new exemptions will be granted for these subscription types.

Even if you have a subscription with an existing exemption and need a new subscription exempted, this cannot be done due to our policy outlined publicly. You can continue to deploy new resources in your existing subscription that has already been exempted, if available.

The only subscription type that can be exempted is Enterprise Agreement MSDN.

Hope you find this comment helpful ,if yes, please “up-vote” for the information provided , this can be beneficial to community members.

Thanks

Share via

I need to enable SMTP port 25 outgoing messages from my VMs

3 answers

Your answer