Microsoft to Retire Client Access Rules Support in Exchange Online in 2023

Microsoft is getting ready to end support for Client Access Rules (CARs) in Exchange Online. The Exchange team has warned customers that support for this feature will be removed from the service in September 2023.

Client Access Rules allow IT admins to control access to their Exchange servers based on client properties or client access request types. CARs are not defined in Office 365 tenants by default, and administrators can manage them at the Exchange Management Shell level.

“Client Access Rules are like mail flow rules (also known as transport rules) for client connections to your Exchange Online organization. You can prevent clients from connecting to Exchange Online based on their IP address (IPv4 and IPv6), authentication type, and user property values, and the protocol, application, service, or resource that they’re using to connect,” the company explained.

Deprecation of Client Access Rules in Exchange Online to begin next month

Microsoft will start disabling Client Access Rules in organizations that no longer use it in October this year. The company plans to complete the migration process for all other tenants until September 2023.

In the meantime, Microsoft will help customers migrate from Client Access Rules to new access control capabilities like continuous access evaluation (CAE). The feature allows Azure Active Directory applications to subscribe to critical events. It helps IT admins to improve the security posture of their environment. CAE also reduces the amount of time before end users lose access to resources due to certain critical events.

In related news, Microsoft has also warned organizations that it will disable Basic Authentication support in Exchange Online on October 1. This change will impact popular protocols like IMAP, MAPI, POP, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), Remote PowerShell, and Exchange ActiveSync (EAS).