
Exchange Team Blog

Update: Deprecation of Client Access Rules in Exchange Online

The_Exchange_Team
Apr 07, 2023

Update 12/12/2024: Please see our later blog post for updates on this subject.

Last September, we announced the deprecation of Client Access Rules (CARs) in Exchange Online. CARs allow admins to control which devices can access their organization's mailboxes. They were introduced in 2017 as a way to provide granular access control based on client properties such as IP addresses, protocol, or application.

In October 2022, we disabled CARs cmdlets for tenants that were not using CARs. This was done to reduce the complexity and confusion around CARs and to encourage the adoption of newer and more secure features like Azure Active Directory (AAD) Conditional Access and Continuous access evaluation (CAE).

We have been working with customers to learn how they use CARs and how they can migrate to these newer features, but we have encountered a few scenarios where it's not possible to migrate current rules. For these scenarios, we will allow the use of CARs beyond the previously announced September 2023 deadline until we can support them.

We understand that migrating from CARs to Conditional Access and CAE requires some planning and testing, and we are here to help you with this process. If there is a technical reason preventing you from migrating your CARs, please open a support ticket so we can investigate and understand your needs.

Our updated CARs deprecation timeline is as follows:

Resources

The Exchange Team

Updated Dec 12, 2024
Version 4.0

11 Comments

  • alex335678

    The biggest gap from a security standpoint is that AAD Conditional Access Rules and CAE are only verified during auth/refresh flows but NOT during data flows. So when we implement IP restrictions for Exchange Online with AAD Conditional Access Rules, on the surface it works well, but the tokens can then be used from ANY IP address to access Exchange mailboxes. So today the only way to implement IP restrictions for Exchange Online is by using Client Access Rules in addition to AAD Conditional Access Rules. What is the plan to address this?

    Is this scenario one of the ones with limitations? How do we know which group we fall into based on the above chart?
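
The gap raised in this comment can be checked for after the fact by comparing the client IP of each mailbox access with the ranges enforced at sign-in. The following is an added example, not part of the original post or comment; the record fields, session IDs and address ranges are constructed assumptions, not a real Microsoft 365 log schema.

```python
import ipaddress
from datetime import datetime

# Assumption: the egress ranges the tenant's Conditional Access policy allows.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records; field names are hypothetical, not a real log schema.
SIGN_INS = [
    {"user": "kim@example.com", "session": "s-1", "ip": "203.0.113.10", "time": "2023-04-07T08:00:00"},
    {"user": "lee@example.com", "session": "s-2", "ip": "203.0.113.44", "time": "2023-04-07T08:05:00"},
]
MAILBOX_ACCESS = [
    {"user": "kim@example.com", "session": "s-1", "ip": "203.0.113.10", "time": "2023-04-07T08:01:00"},
    {"user": "kim@example.com", "session": "s-1", "ip": "198.51.100.7", "time": "2023-04-07T08:20:00"},
    {"user": "lee@example.com", "session": "s-2", "ip": "203.0.113.45", "time": "2023-04-07T08:06:00"},
    {"user": "pat@example.com", "session": "s-9", "ip": "203.0.113.9", "time": "2023-04-07T08:07:00"},
]

def in_allowed_range(ip):
    """True if ip falls inside any range permitted at sign-in."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)

def find_out_of_range_access(sign_ins, accesses):
    """Return mailbox access events that the sign-in policy would not have allowed."""
    # Index sessions by id so each data-flow event can be tied to its sign-in.
    sessions = {s["session"]: s for s in sign_ins}
    findings = []
    for ev in accesses:
        origin = sessions.get(ev["session"])
        if origin is None:
            # Data access with no recorded sign-in: cannot be attributed, so flag it.
            findings.append({**ev, "reason": "no matching sign-in"})
        elif datetime.fromisoformat(ev["time"]) < datetime.fromisoformat(origin["time"]):
            findings.append({**ev, "reason": "access precedes sign-in"})
        elif not in_allowed_range(ev["ip"]):
            # Token was issued from an allowed IP but presented from elsewhere.
            findings.append({**ev, "reason": "token used outside allowed ranges",
                             "sign_in_ip": origin["ip"]})
    return findings

if __name__ == "__main__":
    for f in find_out_of_range_access(SIGN_INS, MAILBOX_ACCESS):
        print(f["time"], f["user"], f["ip"], f["reason"])
```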