Microsoft switches gears, keeps Exchange Online's CARs around until Sept 2024

At least Redmond listens to some customers


Some enterprises that are using Client Access Rules (CARs) in Exchange Online are getting a one-year reprieve before Microsoft shuts down the access control tool altogether.

In September 2022 Redmond announced plans to phase out the use of CARs by September this year, essentially giving organizations time to transition over to what's said to be the more secure Azure Active Directory Conditional Access and Continuous Access Evaluation (CAE) approach.

However, there has been a stay of these plans, at least for some companies.

"We have been working with customers to learn how they use CARs and how they can migrate to these newer features, but we have encountered a few scenarios where it's not possible to migrate current rules," Microsoft's Exchange Online team wrote in a memo this month. "For these scenarios, we will allow the use of CARs beyond the previously announced September 2023 deadline until we can support them."

The deadline is now September 2024.

Shifting from CARs to Conditional Access and CAE isn't a simple matter, the team acknowledged. There are planning and testing hoops to jump through, and so enterprises with technical issues that would prevent them migrating in time for the September deadline can open a support ticket and Microsoft will investigate their needs and help them through the process.

That said, Microsoft already has begun taking steps to move organizations to Conditional Access and CAE. In October, the Windows maker disabled CARs cmdlets for online tenants that already were not using CARs, with the goal of reducing "the complexity and confusion around CARs," the Microsoft Exchange team wrote.

Redmond rolled out CARs in 2017 to give administrators granular control over which devices can access their organization's mailboxes, based on such properties as IP addresses – both IPv4 and IPv6 – authentication type, protocol, application, or resource they're trying to connect to.

CAE became generally available in January 2022 as a key part of Microsoft's larger Azure AD Zero Trust Session Management portfolio, with Redmond highlighting the tool's security enhancements and real-time enforcement.

"With CAE, we have introduced a new concept of Zero Trust authentication session management that is built on the foundation of Zero Trust principles – Verify Explicitly and Assume Breach," Alex Simons, corporate vice president of product management for Microsoft's identity and network access division, wrote at the time. "With the Zero Trust approach, the authentication session lifespan now depends on session integrity rather than on a predefined duration."

Microsoft mapped out two scenarios for CAE – critical event evaluation and Conditional Access policy evaluation.

With CAE, services like Exchange Online, SharePoint Online, and Teams subscribe to critical Azure AD events, which are evaluated in near real time. Events include when a user account is deleted or disabled, a user password is changed or reset, multifactor authentication is enabled for a user, an administrator revokes all refresh tokens for a user, and Azure AD Identity Protection identifies high user risk.

"This process enables the scenario where users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event," Microsoft wrote in February.

In addition, those Microsoft services – plus MS Graph – can sync Conditional Access policies for evaluation within the service itself. After a network location change, users can immediately lose access to their organization's files, email, calendar, or tasks from Microsoft 365 apps or SharePoint Online.
