Microsoft is set to phase out the use of Client Access Rules (CAR) in Exchange Online.
CARs help users control access to your Exchange Online organization based on client properties or client access requests, using details such as their IP address (IPv4 and IPv6), authentication type, values owned by the user and the protocol, application, service, or resource. use to login
CARs are expected to be completely obsolete by September 2023 and will be deactivated for tenants not using them in October 2022.
What replaces CARs?
As announced (opens in a new tab) by Microsoft, CARs are about to be replaced by Continuous Access Evaluation (CAE).
CAE was first announced in January 2021, and according to Microsoft (opens in a new tab), it will allow Azure Active Directory applications to subscribe to critical events.
These events, including account revocation, account deactivation/deletion, password change, user location change, and increased user risk, can be assessed and enforced "near real time."
Upon receipt of such events, application sessions are immediately terminated and users are redirected to Azure AD to re-authenticate or re-evaluate policy.
Microsoft says this allows users greater control while adding resiliency to their organizations, as real-time policy enforcement can safely extend session duration.
In the event of an Azure AD outage, users with CAE sessions could experience these outages without even realizing it.
Tenants that are still using Client Access Rules are configured to receive notifications through the Message Center to start the migration planning process for their rules.
It's no surprise that Microsoft is constantly rolling out updates to Microsoft Exchange's authentication protocols, it's a platform that remains a constant target for cybercriminals.
A group of cybersecurity authorities, including the US Federal Bureau of Investigation (FBI) and the UK's National Cyber Security Center (NCSC), have highlighted how state-sponsored Iranian hackers have been using the ProxyShell vulnerability (Opens in a new tab). since at least October 2021.
This vulnerability gave cybercriminals unauthenticated remote code execution powers.