Microsoft Outlook, when configured in an Enterprise setting with Microsoft Exchange or Outlook 365 (Exchange in the Cloud), uses a series of different methods to attempt to configure the user's email settings automatically from Exchange.
The Autodiscover methods employed by Outlook are:
- SCP lookup to Active Directory
- HTTPS root domain query to https://example.com/autodiscover/autodiscover.xml
- HTTPS Autodiscover domain query to https://autodiscover.example.com/autodiscover/autodiscover.xml
- HTTP redirect method
- SRV record query
- Local XML file
- Cached URL in the Outlook profile (new for Outlook 2013)
In a scenario where example.com is hosted on Acquia Cloud but is also used for email by Exchange-based users, it is common for customers to see uncacheable POST requests to https://example.com/autodiscover/autodiscover.xml from clients which identify themselves as Outlook. The volume of these requests can grow over time as the email user base grows, and there may be a rush of traffic when a large number of clients are deployed or provisioned at once.
We recommend handling this kind of traffic in one of the ways described in our related article "Avoiding 404 error messages in your logs".
One quick method, which doesn't prevent the requests from hitting Apache but does stop them from bootstrapping Drupal (and is entirely harmless to any clients), is to update your .htaccess file to specifically block these POST requests:
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^/autodiscover/autodiscover\.xml [NC]
RewriteRule .* - [F,L]
Whilst it is technically possible to configure the desktop Windows machines running the Outlook clients to stop this behaviour, this may not be feasible in practice. The Enterprise IT or email administration teams would need to make the configuration changes, and the outcome will depend on how desktop machines are configured, which versions of Outlook are in use, and whether local machines can be updated with a GPO to set keys in local registries. See the registry key for "ExcludeHttpsRootDomain".
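To measure how many of these requests arrive and to confirm that the .htaccess rule above is answering them with a 403, the access log can be summarised. The following is an added example, not part of the original article: it assumes Apache combined log format, and the sample log lines, IP addresses and user-agent strings are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:09:00:01 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 404 5120 "-" "Microsoft Office/16.0 (Microsoft Outlook 16.0)"
203.0.113.11 - - [12/Mar/2024:09:00:05 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 5120 "-" "Microsoft Office/16.0 (Microsoft Outlook 16.0)"
203.0.113.10 - - [12/Mar/2024:10:15:00 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 199 "-" "Microsoft Office/16.0 (Microsoft Outlook 16.0)"
203.0.113.12 - - [12/Mar/2024:10:15:02 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 199 "-" "Microsoft Office/16.0 (Microsoft Outlook 16.0)"
198.51.100.7 - - [12/Mar/2024:10:16:00 +0000] "GET /autodiscover/autodiscover.xml HTTP/1.1" 404 5120 "-" "curl/8.0"
198.51.100.8 - - [12/Mar/2024:10:17:00 +0000] "POST /user/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# Case-insensitive so mixed-case variants of the path are counted too.
AUTODISCOVER_RE = re.compile(r"^/autodiscover/autodiscover\.xml", re.IGNORECASE)

def summarize(lines):
    """Count POSTs to the Autodiscover path by status code and by hour."""
    by_status, by_hour, clients, outlook = Counter(), Counter(), set(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # the rule only targets POST requests
        if not AUTODISCOVER_RE.match(m["path"]):
            continue
        by_status[int(m["status"])] += 1
        by_hour[m["ts"][:14]] += 1  # e.g. "12/Mar/2024:09"
        clients.add(m["ip"])
        if "outlook" in m["ua"].lower():
            outlook += 1
    total = sum(by_status.values())
    return {
        "total": total,
        "by_status": dict(by_status),
        "by_hour": dict(by_hour),
        "clients": len(clients),
        "outlook": outlook,
        # Anything other than 403 was not answered by the blocking rule.
        "not_blocked": total - by_status[403],
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A non-zero `not_blocked` count for requests logged after the rule was deployed means some Autodiscover POSTs are still reaching Drupal.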