Microsoft will retire Client Access Rules (CARs) in Exchange Online by September 2025.
Published: Dec 12, 2024
Key Takeaways:
Microsoft has announced plans to retire Client Access Rules (CARs) in Exchange Online for all tenants by September 2025. The company urges organizations to transition to Conditional Access with Continuous Access Evaluation (CAE) for improved security and compliance.
Client Access Rules in Exchange Online allow organizations to control access to their email services based on specific client properties or connection requests, using conditions, exceptions, and actions. These rules help IT admins manage access by IP addresses, authentication type, user properties, and more. This feature is designed to protect Exchange Online resources against security threats and ensure compliance with regulatory requirements.
Microsoft originally announced plans to deprecate Client Access Rules (CARs) in Exchange Online back in September 2022. CARs are considered legacy technology and lack modern enforcement controls like multifactor authentication and device compliance. Moreover, CARs are designed to work within the Exchange Online environment and do not apply to other applications or services.
Microsoft has already disabled CARs cmdlets for tenants without active rules. Now, Microsoft plans to deprecate CARs for all remaining tenants on September 1, 2025. Microsoft recommends organizations move to newer access control features such as Conditional Access (CA) with Continuous Access Evaluation (CAE).
CAE enhances security by ensuring that users’ location-based Conditional Access (CA) policies are consistently enforced. Additionally, this feature is supported by various Microsoft 365 services, including SharePoint Online, Exchange Online, and Microsoft Teams. CAE also provides real-time notifications for password changes, account deletion, and more.
“CA with CAE can truly allow or block access to those services. Additionally, CARs only provide basic enforcements, such as filtering by IP address, protocol, and user. They lack modern enforcement controls required for higher security standards, such as the physical location of the device, multi-factor authentication (MFA), and device compliance,” the Exchange team explained.
Microsoft mentioned that migrating from CARs to CA with CAE requires some planning and testing. Organizations should configure the necessary Conditional Access policies in order to enforce IP location policies with Continuous Access Evaluation for Exchange Online. It’s also recommended to use the Set-CASMailbox and Set-CASMailboxPlan cmdlets to manage client access settings for specific protocols such as Exchange ActiveSync, Outlook, Outlook on the web, POP3, and IMAP4.
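A planning aid for the migration described above, as an added example that is not from the article or from Microsoft: it sorts Client Access Rules into the two replacement mechanisms the Exchange team names. The function name `Get-CarMigrationTarget`, the sorting logic, and the sample rules are assumptions constructed for illustration; in a connected Exchange Online session the same function can take `Get-ClientAccessRule` output on the pipeline.

```powershell
# CAR protocol names mapped to the Set-CASMailbox switch for the same protocol.
# Protocols not listed here fall through to manual review (assumed mapping).
$ProtocolSwitch = @{
    'POP3'               = 'PopEnabled'
    'IMAP4'              = 'ImapEnabled'
    'ExchangeActiveSync' = 'ActiveSyncEnabled'
    'OutlookWebApp'      = 'OWAEnabled'
}

function Get-CarMigrationTarget {   # hypothetical helper, not a Microsoft cmdlet
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        # Collect non-empty IP conditions and protocol conditions from the rule.
        $ips = @(@($Rule.AnyOfClientIPAddressesOrRanges) +
                 @($Rule.ExceptAnyOfClientIPAddressesOrRanges) | Where-Object { $_ })
        $protos   = @($Rule.AnyOfProtocols | Where-Object { $_ })
        $unmapped = @($protos | Where-Object { -not $ProtocolSwitch.ContainsKey("$_") })

        $target = if ($ips.Count -gt 0) {
            # IP-based rules move to Conditional Access, enforced by CAE.
            'Conditional Access policy with an IP named location (CAE)'
        } elseif ($Rule.Action -eq 'DenyAccess' -and $protos.Count -gt 0 -and
                  $unmapped.Count -eq 0) {
            # Pure protocol blocks become per-mailbox or per-plan protocol settings.
            $switches = $protos | ForEach-Object { '-' + $ProtocolSwitch["$_"] + ' $false' }
            'Set-CASMailbox / Set-CASMailboxPlan ' + ($switches -join ' ')
        } else {
            'Manual review'
        }
        [pscustomobject]@{ Name = $Rule.Name; Enabled = $Rule.Enabled; Target = $target }
    }
}

# Constructed sample rules, shaped like Get-ClientAccessRule output.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Block POP and IMAP'; Enabled = $true; Action = 'DenyAccess'
        AnyOfProtocols = @('POP3', 'IMAP4')
        AnyOfClientIPAddressesOrRanges = @(); ExceptAnyOfClientIPAddressesOrRanges = @() }
    [pscustomobject]@{ Name = 'OWA from office only'; Enabled = $true; Action = 'DenyAccess'
        AnyOfProtocols = @('OutlookWebApp')
        AnyOfClientIPAddressesOrRanges = @()
        ExceptAnyOfClientIPAddressesOrRanges = @('203.0.113.0/24') }
    [pscustomobject]@{ Name = 'Block remote PowerShell'; Enabled = $false; Action = 'DenyAccess'
        AnyOfProtocols = @('RemotePowerShell')
        AnyOfClientIPAddressesOrRanges = @(); ExceptAnyOfClientIPAddressesOrRanges = @() }
)

$sampleRules | Get-CarMigrationTarget | Format-Table -AutoSize -Wrap
```

Both `Set-CASMailbox` and `Set-CASMailboxPlan` accept `-WhatIf`, so the suggested switches can be previewed against a pilot mailbox before any change is committed.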