Microsoft intends to phase out Client Access Rules (CAR) in Exchange Online.
Client Access Rules help users control access to their Exchange Online organization based on client properties or client access requests, using details such as IP address (IPv4 and IPv6), authentication type, user property values, and the protocol, application, service, or resource they are using to connect.
Client Access Rules will be fully retired by September 2023, and will be disabled in October 2022 for tenants that are not using them.
What replaces CAR?
According to the announcement by Microsoft, CAR is to be replaced by Continuous Access Evaluation (CAE).
CAE was first announced in January 2021 and, according to Microsoft, will enable Azure Active Directory applications to subscribe to critical events.
These events, which include account cancellation, account disablement / deletion, password change, user location change and increased user risk, can then be assessed and enforced in “near real time”.
Upon receipt of such events, application sessions are immediately terminated and users are redirected back to Azure AD for reauthentication or policy reevaluation.
Microsoft says this allows users to have better control while increasing the resilience of their organization, as real-time enforcement of policies can safely extend session duration.
In the event of any outages in Azure AD, users with CAE sessions will reportedly be able to ride them out without even noticing them.
Tenants still using client access rules are set to receive notifications via the Message Center to begin the migration planning process for their rules.
It is no wonder Microsoft is consistently updating its Microsoft Exchange authentication protocols: it is a platform that remains a consistent target for cybercriminals.
A group of cybersecurity authorities, including the US Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Centre (NCSC), highlighted how state-sponsored Iranian hackers have exploited the ProxyShell vulnerability since at least October 2021.
This vulnerability gave cybercriminals unauthenticated remote code execution.