Exchange Online Users Losing Client Access Rules Support Next Year -- Redmondmag.com

Exchange Online Users Losing Client Access Rules Support Next Year

By Kurt Mackie
09/28/2022

Microsoft is planning to end support for Client Access Rules used with its Exchange Online service, favoring the use of Continuous Access Evaluation instead, according to a Tuesday announcement.

Client Access Rules let IT pros specify how clients can access the Exchange Online e-mail service. They can permit some clients (but not all) to access Exchange Online when they are using the old Exchange ActiveSync protocol, for instance. It's also possible to block client access via federated authentication or block the use of Exchange Online PowerShell during access attempts.

Despite the usefulness of Client Access Rules, Microsoft is planning to drop support for them in September of next year. The rules are getting "deprecated" at that time. Microsoft published the following timeline to that effect:

**[Click on image for larger view.]** *Figure 1.* Microsoft's plans for deprecating Client Access Rules use with Exchange Online in Sept. 2023 (source: Sept. 27 Exchange team blog post).

The announcement offered no reasons why Client Access Rules support is going away. However, Microsoft appears to want organizations to use Continuous Access Evaluation instead, saying it "allows Azure Active Directory applications to subscribe to critical events that can then be evaluated and enforced in near real time."

Continuous Access Evaluation for Exchange Online is Microsoft's effort to address timing issues when conditions have changed regarding client access permissions. Organizations may have set conditions for access using OAuth 2.0 tokens, but the policy enforcement may lag based on when those tokens get refreshed. With Continuous Access Evaluation, the policies get checked by the "the token issuer (Azure AD), and the relying party (enlightened app)." It's not exactly a "continuous" process, though. Microsoft's documentation admits that a "latency of up to 15 minutes may be observed."

Continuous Access Evaluation is actually an OpenID Foundation developing standard that Microsoft has adopted for use with Exchange Online. Outlook and Teams client applications already support Continuous Access Evaluation, Microsoft had explained a couple of years ago.

With Continuous Access Evaluation, it's possible to check if a user account has been disabled or deleted, or if refresh tokens have been revoked. It'll also check for password changes or resets, or if multifactor authentication has been enabled.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.