Microsoft announced on April 8 that the deprecation of Client Access Rules (CAR) in Exchange Online will be delayed by one year until September 2024.
Microsoft 365 administrators can leverage CARs that contain priority values, exceptions, actions, and conditions to filter client access to Exchange Online using various factors.
These factors include the client's IP address and authentication type, as well as the protocol, application, or service they use to establish the connection.
Essentially, once configured, they help control access to Exchange Online resources within an organization.
In a previous announcement in September 2022, the company said that the old Exchange Online access rules would be phased out by September 2023.
The following month, Redmond disabled the CARs cmdlet in tenants where it was not being used to facilitate switching to more secure alternatives such as Azure Active Directory (AAD) Conditional Access (CA) and Continuous Access Evaluation (CAE).
In some cases, some CARs could not be migrated to Azure AD CA and CAE by the initial deadline due to the need for proper support, resulting in delays in phase-out.
We've been working with customers to understand how they're using CAR and how they're migrating to these newer features, but we've come across a few cases where we couldn't migrate the current rules.
For these cases, we will allow the use of CARs beyond the previously announced September 2023 deadline until we are able to support them.
Updated Client Access Rules Deprecation Schedule
Microsoft is waiting for customers to ask for help migrating their CARs to the new access control options via support tickets before the final retirement deadline next year.
We know migrating from CAR to conditional access and CAE takes some planning and testing, and we're here to help you through that process," added the Exchange team.
If there are technical reasons preventing you from migrating CAR, please open a support ticket so we can investigate and understand your needs.
As Redmond explained in September 2022, switching from legacy Exchange Online access rules to Conditional Access will add additional resiliency by ensuring that tenant policy changes are enforced in near real-time and active user sessions are proactively terminated.
Microsoft also recently warned customers that starting October 1, 2022, basic authentication will be disabled for random tenants to improve the security of Exchange Online.
The warning follows multiple alerts from Redmond over the past three years, the first of which was issued in September 2019.