Microsoft Exchange Online is making some major access changes


Microsoft plans to phase out the use of Client Access Rules (CARs) in Exchange Online.

CARs help users manage access to their Exchange Online organization based on client properties or client access requests, using details such as their IP address (IPv4 and IPv6), authentication type, user property values, and the protocol, application, service, or source that they use to connect.

CARs will be fully retired by September 2023 and will be disabled in October 2022 for tenants who do not use them.

What replaces CARs?

According to the announcement, Microsoft is replacing CARs with Continuous Access Evaluation (CAE).

CAE was first announced in January 2021 and, according to Microsoft, enables Azure Active Directory applications to subscribe to critical events.

These events, including account revocation, account disabling/deletion, password changes, user location change, and user risk increase, can then be evaluated and enforced in “near real-time”.

Upon receiving such events, app sessions are immediately interrupted and users are sent back to Azure AD to reauthenticate or to have the policy re-evaluated.

Microsoft says this allows users to have better control while adding resiliency to their organizations, as the real-time policy enforcement can safely extend session duration.
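A minimal model of the event-driven revocation described above, as an added example rather than Microsoft's code: the `ResourceProvider` class, the event labels and the simulated clock are assumptions made for illustration. It shows why a long-lived token stays safe when the service rejects any token issued before the user's most recent critical event.

```python
from dataclasses import dataclass, field

# Critical event types named in the article; the strings are labels chosen for this sketch.
CRITICAL_EVENTS = {"account_revoked", "account_disabled", "password_changed",
                   "location_changed", "user_risk_increased"}

@dataclass
class Token:
    user: str
    issued_at: int   # seconds on a simulated clock
    expires_at: int

@dataclass
class ResourceProvider:
    """Hypothetical CAE-aware service that subscribed to the identity provider's events."""
    last_event: dict = field(default_factory=dict)   # user -> (time, event type)

    def on_event(self, user: str, kind: str, at: int) -> None:
        # Called by the identity provider's event feed (delivery is simulated here).
        if kind not in CRITICAL_EVENTS:
            raise ValueError(f"not a critical event: {kind}")
        prev = self.last_event.get(user)
        if prev is None or at >= prev[0]:
            self.last_event[user] = (at, kind)

    def authorize(self, token: Token, now: int) -> tuple[bool, str]:
        # Local decision: no call to the identity provider is needed per request.
        if now >= token.expires_at:
            return False, "expired"
        event = self.last_event.get(token.user)
        if event and event[0] >= token.issued_at:
            # Token predates the event: interrupt the session and require reauthentication.
            return False, f"reauthenticate:{event[1]}"
        return True, "ok"

def demo() -> list[tuple[bool, str]]:
    DAY = 24 * 3600
    rp = ResourceProvider()
    old = Token("alice", issued_at=0, expires_at=DAY)      # long-lived session token
    results = [rp.authorize(old, now=600)]                 # before any event
    rp.on_event("alice", "password_changed", at=900)
    results.append(rp.authorize(old, now=905))             # rejected seconds later, not at expiry
    fresh = Token("alice", issued_at=960, expires_at=960 + DAY)
    results.append(rp.authorize(fresh, now=1000))          # token issued after the event
    results.append(rp.authorize(Token("bob", 0, DAY), now=1000))  # other users unaffected
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```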

In the event of an Azure AD outage, users with CAE sessions will reportedly be able to ride out these outages without ever noticing.

Tenants who still use client access rules are set to receive notifications through the Notification Center to start the planning process to migrate their rules.

It’s no surprise that Microsoft keeps rolling out updates to the authentication protocols of Microsoft Exchange, a platform that continues to be a consistent target for cybercriminals.

A group of cybersecurity authorities, including the US Federal Bureau of Investigation (FBI) and the UK’s National Cyber Security Center (NCSC), highlighted how Iranian state-sponsored hackers have used the ProxyShell vulnerability since at least October 2021.

This vulnerability gave cyber criminals unauthenticated, remote code execution privileges.
