Exchange Online Users Losing Client Access Rules Support Next Year
Microsoft is planning to end support for Client Access Rules used with its Exchange Online service, favoring the use of Continuous Access Evaluation instead, according to a Tuesday announcement.
Client Access Rules let IT pros specify how clients can access the Exchange Online e-mail service. They can permit some clients (but not all) to access Exchange Online when they are using the old Exchange ActiveSync protocol, for instance. It's also possible to block client access via federated authentication or block the use of Exchange Online PowerShell during access attempts.
Despite the usefulness of Client Access Rules, Microsoft is planning to drop support for them in September of next year. The rules are getting "deprecated" at that time. Microsoft published the following timeline to that effect:
The announcement offered no reasons why Client Access Rules support is going away. However, Microsoft appears to want organizations to use Continuous Access Evaluation instead, saying it "allows Azure Active Directory applications to subscribe to critical events that can then be evaluated and enforced in near real time."
Continuous Access Evaluation for Exchange Online is Microsoft's effort to address timing issues when conditions have changed regarding client access permissions. Organizations may have set conditions for access using OAuth 2.0 tokens, but the policy enforcement may lag based on when those tokens get refreshed. With Continuous Access Evaluation, the policies get checked by the "the token issuer (Azure AD), and the relying party (enlightened app)." It's not exactly a "continuous" process, though. Microsoft's documentation admits that a "latency of up to 15 minutes may be observed."
Continuous Access Evaluation is actually an OpenID Foundation developing standard that Microsoft has adopted for use with Exchange Online. Outlook and Teams client applications already support Continuous Access Evaluation, Microsoft had explained a couple of years ago.
With Continuous Access Evaluation, it's possible to check if a user account has been disabled or deleted, or if refresh tokens have been revoked. It'll also check for password changes or resets, or if multifactor authentication has been enabled.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.