Microsoft delays Exchange Online CARs deprecation until 2024

Microsoft announced today that Client Access Rules (CARs) deprecation in Exchange Online will be delayed by one year until September 2024.

Microsoft 365 administrators can utilize CARs comprising priority values, exceptions, actions, and conditions to filter client access to Exchange Online using various factors.

These factors include the client's IP addresses and authentication type, as well as the protocol, application, or service they use to establish connections. In essence, once configured, they help control access to Exchange Online resources within an organization.

In a previous announcement from September 2022, the company said the old Exchange Online access rules would be phased out until September 2023.

The following month, Redmond disabled CARs cmdlets in tenants where they weren't used to promote the switch to more secure alternatives such as Azure Active Directory (AAD) conditional access (CA) and continuous access evaluation (CAE).

The phase-out delay was prompted by the impossibility of migrating some CARs to Azure AD CA and CAE until the initial deadline, in some cases, because of the need for proper support.

"We have been working with customers to learn how they use CARs and how they can migrate to these newer features, but we have encountered a few scenarios where it's not possible to migrate current rules," said The Exchange Team on Friday.

"For these scenarios, we will allow the use of CARs beyond the previously announced September 2023 deadline until we can support them."

​Until the final retirement deadline is reached next year, Microsoft is waiting for customers to request help migrating their CARs to the new access control options via support tickets.

"We understand that migrating from CARs to Conditional Access and CAE requires some planning and testing, and we are here to help you with this process," The Exchange Team added.

"If there is a technical reason preventing you from migrating your CARs, please open a support ticket so we can investigate and understand your needs."

As Redmond explained in September 2022, switching from old Exchange Online access rules to conditional access would add extra resiliency by ensuring tenant policy change enforcement in almost real-time and proactively terminating active user sessions.

Microsoft also recently warned customers that basic authentication would be disabled in random tenants to boost Exchange Online security starting October 1, 2022.

The warning followed multiple reminders Redmond issued over the last three years, the first of which was published in September 2019.