Microsoft Exchange Online is making some major access changes

password manager security
(Image credit: Passwork)

Microsoft is set to phase out the use of Client Access Rules (CARs) in Exchange Online.

CARs help users control access to their Exchange Online organization based on client properties or client access requests, using details such as their IP address (IPv4 and IPv6), authentication type, user property values, and the protocol, application, service, or the resource that they're using to connect

CARs are set to be fully deprecated by September 2023, and will be disabled for tenants who don't use them in October 2022.

What’s replacing CARs?

As per the announcementby Microsoft, CARs are set to be replaced by Continuous Access Evaluation (CAE).

CAE was first announced in January 2021, and according to Microsoft will allow Azure Active Directory applications to subscribe to critical events.

These events, which include account revocation, account disablement/deletion, password change, user location change, and user risk increase can then be evaluated and enforced in "near real-time".

On receiving such events, app sessions are immediately interrupted and users are redirected back to Azure AD to reauthenticate or reevaluate policy.

Microsoft says this enables users to have better control while also adding resiliency to their organizations because the real-time enforcement of policies can safely extend the session duration.

In the case of any Azure AD outages, users with CAE sessions will reportedly be able to ride out these outages without ever noticing them.

Tenants still using client access rules are set to receive notifications via Message Center to start the planning process to migrate their rules.

It's no surprise that Microsoft is consistently rolling out updates to Microsoft Exchange's authentification protocols, it's a platform that's remaining a consistent target for cybercriminals. 

A group of cybersecurity authorities, including the US Federal Bureau of Investigation (FBI) and the United Kingdom’s National Cyber Security Centre (NCSC) highlighted how Iranian state-sponsored hackers have beenusing the ProxyShell vulnerability since at least October 2021.

This vulnerability gave cybercriminals unauthenticated, remote code execution powers.

Will McCurdy has been writing about technology for over five years. He has a wide range of specialities including cybersecurity, fintech, cryptocurrencies, blockchain, cloud computing, payments, artificial intelligence, retail technology, and venture capital investment. He has previously written for AltFi, FStech, Retail Systems, and National Technology News and is an experienced podcast and webinar host, as well as an avid long-form feature writer.