Microsoft to kill off old access rules in Exchange Online

Microsoft next month will start phasing out Client Access Rules (CARs) in Exchange Online – and will do away with this means for controlling access altogether within a year. CARs are being replaced with Continuous Access Evaluation (CAE) for Azure Active Directory, which can apparently in "near-real time" pick up changes to …

  1. Steve Davies 3 Silver badge

    The beginning of the end...

    for 3rd party client access?

    MS could make the rules and hurdles so difficult to overcome that people will have to be forced to use Outlook or some other approved client?

    If this is true then Redmond should have already allocated a hefty budget to lobby against the inevitable anti-trust cases that will be filed.

    1. Anonymous Coward

      Re: The beginning of the end...

      My Corporate IT overlords have already flipped the switches so it's impossible to use anything but the official Outlook app on mobile. Even contact names and calendar entries are deemed top secret proprietary information which don't escape the Outlook app, so you have to re-enter them manually on your own company phone.

      Not even OWA (web mail) works without the appropriate Microsoft device management app also installed on the PC or mobile and naturally there are fewer requests to verify sign-on information if you use Edge instead of another browser and MS Authenticator instead of another authenticator.

      Absurd and stupid, but all methods that Microsoft already use to tighten their grip.

      1. Anonymous Coward

        Re: The beginning of the end...

        That's why our manglement (in a decision that was uncharacteristically intelligent) mandated open standards support. Given that Exchange doesn't talk carddav and caldav (and neither does Outlook without plugins) and that Microsoft has apparently also announced that IMAP/SMTP access will become problematic, I suspect that that will spell the end of the Exchange based infrastructure.

        They're already cloud-averse (thankfully) so it'll be interesting to see who gets the migration job and how they will go about it.

        1. Anonymous Coward

          Re: The beginning of the end...

          When Demon shifted the user email service to Namesco we unexpectedly ended up on an Office 365 licence.

          With the nightmare of trying to use the service after 1 October I am looking for a non-MS supplier - it will probably be cheaper too.

          Any recommendations?

          The Office 365 web email access (OWA) is ridiculous. In your account you can set aliases on your domain. Incoming mail is accepted on those aliases. On IMAP you can use those aliases to send emails to different classes of correspondent.

          When you send an email from OWA - there is no way to set the alias address as FROM. All your emails go out with your default address - thus exposing a significant part of your login identity. Any replies then all come in with your default address too.

      2. Anonymous Coward

        Re: The beginning of the end...

        A few years ago our company tried locking the phones down to company use and information only, not for operational reasons, but because the lawyers were worried that the company could be sued for illegal stuff found on the phones.* Then people started leaving their phones at work when they went home cos they didn't want to have to carry two phones around. Policy got changed pretty quickly.

        *No, not porn. They were more worried about copyright of ripped music and DVDs.

        1. Captain Scarlet Silver badge

          Re: The beginning of the end...

          I would personally use 2 phones anyway, one personal and one corporate. Screw anyone else having access to my phone (Google and Apple already have too much access as it is) and stuff being called whilst on holiday.

          If you get the option take it, nothing worse than using one phone only to find your personal stuff has been wiped because the Corp deemed it.

          1. NoneSuch Silver badge

            Re: The beginning of the end...

            Sending email to someone you've written weekly for ten years.

            Outlook: SUSPICIOUS ACTIVITY and blocks your account.

            Meanwhile, three Nigerian Prince emails get through.

    2. Sandtitz Silver badge

      Re: The beginning of the end...

      "MS could make the rules and hurdles so difficult"

      These CAE rules are there for the company Exchange admins to enable and manage.

      If you have information to the contrary, do tell us. Otherwise you are spouting FUD.

    3. Anonymous Coward

      Re: The beginning of the end...

      "for 3rd party client access?"

      As far as I am concerned that has already happened. I've spent several weeks nibbling away at getting Pegasus v4.80 to connect to Office 365 with IMAP using the OAuth system. Tomorrow is drop-dead day - and OWA is a very poor substitute.

      I haven't even got as far as entering any values in Pegasus's config. The MS instructions keep wittering on about QR codes and downloading smart phone apps. The hopeful screen shots to select "App Password" don't agree with what I see - that option is missing even though 2FA has been set for the user.

      Microsoft was not my favourite supplier in recent years - but the amount of pain (sometimes body literal) is making me hate them now. My GP will not be impressed by my current regular blood pressure readings.

      It was easy to make the same Pegasus transition for Google mail. It seems preferable to transfer all my emails to Google until I can find a non-MS email service to which to transfer my domain.

      Any UK non-MS email service recommendations?

  2. Mayday Silver badge


    So how am I supposed to read emails, see ex-colleagues (including the CEO) calendars and contact details etc from jobs I left months ago now?

    1. Anonymous Coward

      Re: Bugger

      The same way you do already?

      I assume it's because they haven't gotten around to disabling your account yet.

      If they haven't done that, they are unlikely to have existing restrictions or enable new ones because of a Microsoft change.

      If on the other hand they stumble upon (or are forced into) competent system administration, you may be out of luck.

  3. sitta_europea Silver badge

    "Microsoft announced the replacement CAE in January, touting its ability to act fast..."

    Act fast?


    Yeah, right.

    They seem totally to ignore the hundreds of abuse reports that I send.

    But hey, I'm not spending any money on their products anyway so why would they care?

  4. Strahd Ivarius Silver badge

    So will it be possible to block access for users...

    ... when their accounts in an on-premise Active Directory synchronized with AAD have expired?

    Does it mean that the property "account expired" will be added to AAD?

    (as other standard properties and attributes that are missing...)

