Exchange Online: Client Access Rules (CARs) supported until Sept. 2024

A short note for administrators who are responsible for Exchange Online in companies and have used Client Access Rules (CARs) so far. Support for CARs was actually supposed to expire, but a few days ago Microsoft announced an extension of support until September 2024. The affected companies and their administrators therefore get an extended transition period.

Client Access Rules (CARs)

Client Access Rules (CARs) allow administrators to control access to an Exchange Online organization based on client properties or client access requests. Client access rules are similar to mail flow rules (also known as transport rules), but they apply to client connections to corporate Exchange Online instances. With CARs, administrators can prevent clients from connecting to Exchange Online in a variety of ways. Rules can be based on the IP address (IPv4 and IPv6), the authentication type, and user property values, as well as the protocol, application, service, or resource used for the connection.
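To check whether a tenant still relies on CARs, and on which of the conditions named above, the existing rules can be inventoried. The following is an added example, not code from Microsoft or from the original post; it assumes the ExchangeOnlineManagement module is installed and the signed-in account may read the rules, and the CSV file name is a hypothetical choice.

```powershell
# Added example: inventory Client Access Rules before they are retired.
# Assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Condition and exception properties a rule can set (IP, protocol, auth type, user).
$conditionProps = @(
    'AnyOfClientIPAddressesOrRanges', 'ExceptAnyOfClientIPAddressesOrRanges',
    'AnyOfProtocols', 'ExceptAnyOfProtocols',
    'AnyOfAuthenticationTypes', 'ExceptAnyOfAuthenticationTypes',
    'UsernameMatchesAnyOfPatterns', 'ExceptUsernameMatchesAnyOfPatterns',
    'UserRecipientFilter'
)

$inventory = Get-ClientAccessRule | Sort-Object Priority | ForEach-Object {
    $rule = $_
    # Keep only the conditions this rule actually uses.
    $used = $conditionProps | Where-Object {
        $value = $rule.$_
        $null -ne $value -and @($value).Count -gt 0 -and "$value" -ne ''
    }
    [pscustomobject]@{
        Priority   = $rule.Priority
        Name       = $rule.Name
        Enabled    = $rule.Enabled
        Action     = $rule.Action
        Conditions = ($used | ForEach-Object { "$_=" + (@($rule.$_) -join ',') }) -join '; '
    }
}

if (-not $inventory) {
    Write-Output 'No Client Access Rules are defined in this organization.'
} else {
    # Rules are listed in evaluation order (lowest priority value first).
    $inventory | Format-Table -AutoSize -Wrap
    # Hypothetical output file, kept as a record for migration planning.
    $inventory | Export-Csv -Path .\car-inventory.csv -NoTypeInformation
}

Disconnect-ExchangeOnline -Confirm:$false
```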

Microsoft describes the details of CARs in this support article. However, Redmond wants to replace Client Access Rules (CARs) with Continuous Access Evaluation (CAE). So as of October 2022, Microsoft has disabled access to Client Access Rules for all existing Exchange Online organizations that have not used them. In October 2023, support for client access rules should end for all Exchange Online organizations (see the old Techcommunity post Deprecation of Client Access Rules in Exchange Online).

CARs support until Sept. 2024

However, on April 7, 2023, Microsoft published the Techcommunity post Update: Deprecation of Client Access Rules in Exchange Online, announcing an extension of CARs support. I became aware of the issue last week via the following tweet and this post from The Register.

[Tweet: Client Access Rules (CARs) support till Sept. 2024]

In working with customers, Microsoft has encountered scenarios in which current CARs cannot yet be migrated (to successor mechanisms). For these scenarios, Microsoft is allowing the use of CARs beyond the announced September 2023 deadline, until such time as Redmond can support the migration. If an organization has a technical reason that prevents it from migrating the CARs in use, Microsoft asks that a support ticket be opened for that reason. This is to allow evaluation of the case in question.

[Figure: Exchange Online CARs retirement schedule]

Microsoft has published the above updated schedule for the removal of CARs from Exchange Online. This now anticipates the deactivation of Client Access Rules to occur in September 2024. Anyone in the readership still relying on CARs? Or has this never been an issue?
