Microsoft is set to phase out the use of Client Access Rules (CARs) in Exchange Online.
CARs let administrators control access to their Exchange Online organization based on client properties or the client access request, using details such as the client's IP address (IPv4 and IPv6), authentication type, user property values, and the protocol, application, service, or resource being used to connect.
CARs are set to be fully deprecated by September 2023, and will be disabled for tenants who don’t use them in October 2022.
What’s replacing CARs?
As per the announcement by Microsoft, CARs are set to be replaced by Continuous Access Evaluation (CAE).
CAE was first announced in January 2021, and according to Microsoft will allow Azure Active Directory applications to subscribe to critical events.
These events, which include account revocation, account disablement/deletion, password change, user location change, and user risk increase, can then be evaluated and enforced in "near real-time".
On receiving such events, app sessions are immediately interrupted and users are redirected back to Azure AD to reauthenticate or reevaluate policy.
Microsoft says this enables users to have better control while also adding resiliency to their organizations because the real-time enforcement of policies can safely extend the session duration.
In the case of any Azure AD outages, users with CAE sessions will reportedly be able to ride out these outages without ever noticing them.
Tenants still using client access rules are set to receive notifications via Message Center to start the planning process to migrate their rules.
It's no surprise that Microsoft is consistently rolling out updates to Microsoft Exchange's authentication protocols, as the platform remains a consistent target for cybercriminals.
A group of cybersecurity authorities, including the US Federal Bureau of Investigation (FBI) and the United Kingdom's National Cyber Security Centre (NCSC), highlighted how Iranian state-sponsored hackers have been using the ProxyShell vulnerability since at least October 2021.
This vulnerability gave cybercriminals unauthenticated remote code execution on affected servers.