Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023.
CARs are sets of conditions, exceptions, actions, and priority values that allow Microsoft 365 admins to filter client access to Exchange Online based on many factors.
Connections can be allowed or blocked based on the client’s IP addresses and authentication type, as well as the protocol, application, or service they’re using to connect.
In short, once configured, they help control who can access what resources in an Exchange Online organization.
“Today, we are announcing the retirement of CARs in Exchange Online, to be fully deprecated by September 2023,” the Exchange Team said.
“We will send Message Center posts to tenants using client access rules to start the planning process to migrate their rules.”
The company will begin the deprecation process by first disabling client access rules in tenants where they’re unused starting October 2022.
Until September 2023, Microsoft plans to help migrate all remaining tenants from CARs to use new access control features like continuous access evaluation (CAE).
”If you do not currently use CARs, cmdlets will be disabled for your tenant after October 2022,” the Exchange Team added.
“If you currently have CARs configured in your tenant you will be able to keep using them until September 2023, which provides you with time to migrate other, more resilient options.”
As Redmond explains, the switch to CAE access control to Exchange Online resources is designed to add extra resiliency by proactively terminating active user sessions and ensuring tenant policy change enforcement in almost real-time.
“Now with new features, like Continuous Access Evaluation (CAE) that allows Azure Active Directory applications to subscribe to critical events, that can then be evaluated and enforced in near real time; you can have better control while also adding resiliency to your organization,” the Exchange Team said.
Microsoft also recently warned customers that it would start disabling basic authentication in random tenants to improve Exchange Online security beginning October 1, 2022.
The announcement followed multiple other reminders and warnings Redmond has issued over the last three years, the first one published in September 2019.