Exchange Online’s Client Access Rules (CARs) were announced for deprecation in September 2022, leading up to a switch-off for inactive tenants in October 2022. However, the notice given to CAR users has been extended.
CARs were set to be axed from September 2023, giving users a year to migrate. However, it looks like the company has extended this until September 2024 for some users.
Rules without technical limitations will continue as planned, reaching retirement by September 2023, however all other CARs have been given a full year’s extension.
Exchange CAR migration
CARs are granular access controls that were first introduced in 2017 to authotize permissions based on properties like IP addresses, protocol, or application.
Newer and more secure features like Azure Active Directory (AAD) Conditional Access and Continuous Access Evaluation (CAE) are hoped to replaced CARs and provide an egress route for those yet to migrate.
It was hoped that the shutdown of CARs for those not actually using them in October 2022 would help minimize migration impact and reduce complexities. New users since then have only been able to use the successors as mentioned above.
In an announcement (opens in new tab), Microsoft recognized that migrating from CARs to Conditional Access and CAE “requires some planning and testing.” The company also acknowledged “a few scenarios where it’s not possible to migrate current rules,” which it hopes to fix within the year-long extension.
Irrespective of the deadline being pushed back, if an organization is able to migrate, it should. CAE benefits include almost real-time notifications for things like account deletion, password changes, and admin changes for Exchange Online, SharePoint Online, and Teams Service.