Microsoft Outlook, when configured in an Enterprise setting with Microsoft Exchange or Outlook 365 (Exchange in the Cloud), tries a series of different methods to configure the user's email settings automatically from Exchange.
The Autodiscover methods employed by Outlook are:
- SCP lookup to Active Directory
- HTTPS root domain query to https://example.com/autodiscover/autodiscover.xml
- HTTPS Autodiscover domain query to https://autodiscover.example.com/autodiscover/autodiscover.xml
- HTTP redirect method
- SRV record query
- Local XML file
- Cached URL in the Outlook profile (new for Outlook 2013)
In a scenario where example.com is hosted on Acquia Cloud, but is also used for email by Exchange-based users, it is common for customers to see uncacheable POST requests to https://example.com/autodiscover/autodiscover.xml from clients which identify themselves as Outlook. Sometimes the volume of these requests can grow over time as the email user base grows, or in certain circumstances when a large volume of clients are deployed or provisioned there may be a rush of traffic.
To keep this traffic from hitting your application, there are a number of solutions, depending on availability and access to products and services.
1) Block these requests with a WAF
As these requests may incur usage, utilisation or unnecessary processing to handle in your application (e.g. with .htaccess), it is potentially beneficial to block them entirely before they reach Drupal. A WAF (Akamai, Cloudflare or similar) can be configured with a custom firewall rule to block these requests. This won't affect the Outlook client (which will just move on to another method of configuration), and will stop these requests entirely.
An example Cloudflare custom firewall rule expression might look as follows:
(http.request.uri.path matches "/autodiscover\.xml$") or (http.request.uri.path matches "/autodiscover\.src/") or (lower(http.request.uri.path) matches "/autodiscover/autodiscover\.xml$")
See https://developers.cloudflare.com/waf/custom-rules/ for more documentation on creating custom firewall rules.
2) Update .htaccess
This kind of traffic can be handled by following the recommendations in our related article: Avoiding 404 error messages in your logs.
This method suggests updating your .htaccess file to specifically block these POST requests. This doesn't prevent the requests from hitting Apache, but does avoid them bootstrapping Drupal (and is entirely harmless to any clients).
Example:
# Place this below the line "RewriteEngine ON" in your docroot/.htaccess file.
# The dot is escaped so that it matches only a literal "." in the path.
RewriteCond %{REQUEST_URI} ^/autodiscover/autodiscover\.xml [NC]
RewriteRule .* - [F,L]
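To measure how many of these requests reach Apache, and how many the rule above already rejects with 403, the access log can be summarized as follows. This is an added example, not part of the original article; it assumes Apache's combined log format, and the function name `summarize` and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" log line: ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Matched case-insensitively: clients may send /AutoDiscover/AutoDiscover.xml.
AUTODISCOVER_RE = re.compile(r"^/autodiscover/autodiscover\.xml$", re.IGNORECASE)


def summarize(lines):
    """Count Autodiscover requests by method, status, client type and source IP."""
    stats = {"parsed": 0, "autodiscover": 0, "not_blocked": 0,
             "methods": Counter(), "statuses": Counter(),
             "clients": Counter(), "sources": Counter()}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in combined format
        stats["parsed"] += 1
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not AUTODISCOVER_RE.match(path):
            continue
        stats["autodiscover"] += 1
        stats["methods"][m["method"]] += 1
        stats["statuses"][m["status"]] += 1
        stats["sources"][m["ip"]] += 1
        client = "outlook" if "outlook" in m["ua"].lower() else "other"
        stats["clients"][client] += 1
        if m["status"] != "403":  # the [F] rewrite flag answers 403 Forbidden
            stats["not_blocked"] += 1
    return stats


# Constructed sample lines (documentation IP ranges, made-up user agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2024:09:00:01 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 404 5120 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0; Pro)"',
    '192.0.2.10 - - [01/Mar/2024:09:00:02 +0000] "POST /AutoDiscover/AutoDiscover.xml HTTP/1.1" 403 199 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0; Pro)"',
    '198.51.100.7 - - [01/Mar/2024:09:00:03 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 404 5120 "-" "ExampleMailClient/1.0"',
    '203.0.113.5 - - [01/Mar/2024:09:00:04 +0000] "GET /node/1 HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    'malformed line',
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for key, value in result.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A non-zero `not_blocked` count after the rule is deployed means some Autodiscover requests are still being answered by something other than the 403 rule. Requests stopped at a WAF never appear in this log at all.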
3) Update DNS CNAME
In some ways this is the ideal method, as it helps Outlook reach the location it requires the first time, whilst removing unnecessary requests to the web servers. If you are able to modify the DNS for the domain, you may be able to add a specific autodiscover hostname:
https://docs.microsoft.com/en-us/exchange/architecture/client-access/autodiscover?view=exchserver-2019#autodiscover-in-dns
Adding a DNS record can be achieved by simply creating the following:
Name: autodiscover
TTL: 3600
CNAME Target: <FQDN of mail server>
4) Configuration change to Outlook clients
Whilst it is technically possible to set a configuration on desktop Windows machines running the Outlook clients to stop this behavior, this may not be feasible in practice. Your Enterprise IT or email administration teams would need to make modifications to configuration, and it will depend on how desktop machines are configured, which versions of Outlook are in use, and whether local machines can be updated with a GPO to set keys in local registries. See the registry key for "ExcludeHttpsRootDomain".