Manage Rules
Client Access Rules help you control access to your Exchange Online organization based on client properties or client access requests. Client Access Rules are like mail flow rules (also known as transport rules) for client connections to your Exchange Online organization. You can prevent clients from connecting to Exchange Online based on their IP address, authentication type, and user property values, and the protocol, application, service, or resource that they're using to connect. For example:
- Allow access to Exchange ActiveSync clients from specific IP addresses, and block all other ActiveSync clients.
- Block access to Exchange Web Services (EWS) for users in specific departments, cities, or countries.
- Block access to an offline address book (OAB) for specific users based on their usernames.
- Prevent client access using federated authentication.
- Prevent client access using Exchange Online PowerShell.
- Block access to the Exchange admin center (EAC) for users in a specific country or region.
Note that Microsoft has announced the retirement of Client Access Rules in Exchange Online in favor of Microsoft Entra Conditional Access; check the current status of that retirement before building new access controls on them.
References
https://docs.microsoft.com/en-us/powershell/module/exchange/new-clientaccessrule?view=exchange-ps
https://learn.microsoft.com/en-us/exchange/recipients/mailbox-custom-attributes?view=exchserver-2019
Step 1 - Install the ExchangeOnlineManagement module and connect to Exchange Online
Install-Module ExchangeOnlineManagement -Confirm:$false
Connect-ExchangeOnline
Please note: your first rule may take up to 24 hours to be implemented. Any rule after the first one may take up to an hour to be implemented.
Step 2 - Setup PowerShell Admin Access
PowerShell is the only way to manage Client Access Rules, so be careful not to lock yourself out: if you do, you will need to call Microsoft Support to recover access. As a best practice, create a Client Access Rule with the highest priority (Priority 1) that preserves your access to remote PowerShell from trusted IP addresses, and create it before any Deny rule that covers RemotePowerShell.
Define trusted Admin IPs
$AdminIPS = "X.X.X.X/23","Y.Y.Y.Y/24","Z.Z.Z.Z/16" # Do not get locked out, use your corporate VPN
Allow Exchange PowerShell access from trusted IPs
$AllowRuleName = "Ensure PowerShell Is always available from Trusted IPs"
New-ClientAccessRule -Name $AllowRuleName -Action Allow -AnyOfProtocols RemotePowerShell -AnyOfClientIPAddressesOrRanges $AdminIPS -Priority 1 -Confirm:$false
Follow up with 2nd rule that will ensure PowerShell is restricted to trusted IPs only
$DenyRuleName = "Limit PowerShell to Only Trusted IPs"
New-ClientAccessRule -Name $DenyRuleName -Action Deny -AnyOfProtocols RemotePowerShell -ExceptAnyOfClientIPAddressesOrRanges $AdminIPS -Priority 2 -Confirm:$false
(Optional) To add or remove IP addresses from the existing rules without re-specifying the whole list, pass a hashtable with an Add or Remove key to the multivalued parameter. Keep the two lists identical: the Allow rule at Priority 1 is what actually admits a trusted IP, and the Deny rule's exception list should mirror it.
Set-ClientAccessRule -Identity "Ensure PowerShell Is always available from Trusted IPs" -AnyOfClientIPAddressesOrRanges @{Add="C.C.C.C/24"}
Set-ClientAccessRule -Identity "Limit PowerShell to Only Trusted IPs" -ExceptAnyOfClientIPAddressesOrRanges @{Remove="D.D.D.D/16"}
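The Step 2 procedure as one script, added here as an example that is not part of the original page: it refuses to continue unless the IP you are connecting from falls inside $AdminIPs, creates the Allow rule and then the Deny rule only if they do not already exist, and finally uses Test-ClientAccessRule to show which rule matches a RemotePowerShell connection from inside and from outside the trusted ranges. The IP ranges, session IP and UPN are constructed placeholders, and Test-IPv4InCidr is a helper written for this example, not an Exchange cmdlet.

```powershell
# Added example (not from the original page). Assumptions: you are already connected with
# Connect-ExchangeOnline; the IP ranges, session IP and UPN are constructed placeholders.
$AdminIPs      = "203.0.113.0/24","198.51.100.0/25"
$SessionIP     = "203.0.113.42"      # public egress IP of the session you are running this from
$AdminUpn      = "admin@contoso.com"
$OutsideIP     = "192.0.2.10"        # an address outside every trusted range
$AllowRuleName = "Ensure PowerShell Is always available from Trusted IPs"
$DenyRuleName  = "Limit PowerShell to Only Trusted IPs"

function Test-IPv4InCidr {
    # Returns $true when $IPAddress lies inside the IPv4 block $Cidr (e.g. 203.0.113.0/24).
    # A bare address without a prefix length is treated as a single host (/32). IPv4 only.
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$Cidr
    )
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix) { $prefix = 32 }
    $toInt = {
        param([string]$ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
    }
    $mask = ([long][uint32]::MaxValue -shl (32 - [int]$prefix)) -band [long][uint32]::MaxValue
    return (((& $toInt $IPAddress) -band $mask) -eq ((& $toInt $network) -band $mask))
}

# Lockout guard: refuse to go further unless the session's own IP is in a trusted range.
$covered = @($AdminIPs | Where-Object { Test-IPv4InCidr -IPAddress $SessionIP -Cidr $_ })
if ($covered.Count -eq 0) {
    throw "Session IP $SessionIP is not inside any AdminIPs range; a Deny rule would lock you out."
}

# Create the Allow rule first, then the Deny rule, each only if it does not already exist.
if (-not (Get-ClientAccessRule -Identity $AllowRuleName -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name $AllowRuleName -Action Allow -AnyOfProtocols RemotePowerShell `
        -AnyOfClientIPAddressesOrRanges $AdminIPs -Priority 1 -Confirm:$false
}
if (-not (Get-ClientAccessRule -Identity $DenyRuleName -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name $DenyRuleName -Action Deny -AnyOfProtocols RemotePowerShell `
        -ExceptAnyOfClientIPAddressesOrRanges $AdminIPs -Priority 2 -Confirm:$false
}

# Check what the rule set decides for RemotePowerShell from inside and outside the trusted ranges.
# Test-ClientAccessRule returns the rule(s) that match a hypothetical connection.
foreach ($ip in $SessionIP, $OutsideIP) {
    "--- RemotePowerShell from $ip ---"
    Test-ClientAccessRule -AuthenticationType NonBasicAuthentication -Protocol RemotePowerShell `
        -RemoteAddress $ip -RemotePort 443 -User $AdminUpn | Format-Table Name, Action, Priority
}
```

Run the guard and the Test-ClientAccessRule checks from the same network path you will administer from later (for example the corporate VPN), since that is the egress IP the rules will see. If your trusted ranges include IPv6 prefixes, extend the helper accordingly; as written it only parses IPv4.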
Step 3 - Restrict user mailbox access to Venn Private Company Gateway
Apply Client Access Rules to individual users
Group membership cannot be used to scope Client Access Rules: the -UserIsMemberOf parameter exists, but it is reserved for internal Microsoft use. The only option is the -UserRecipientFilter parameter, which can filter on the following recipient properties only:
- City
- Company
- CountryOrRegion
- CustomAttribute1 to CustomAttribute15
- Department
- Office
- PostalCode
- StateOrProvince
- StreetAddress
In the following example, the rule applies only to user mailboxes whose CustomAttribute1 is set to 'PrivateCompanyGateway': connections from those users are denied for every listed protocol unless they originate from one of the private gateway IPs. Make sure to specify the -AnyOfProtocols parameter so that the rule applies as intended, and note that -Scope Users limits the rule to authenticated connections. Because RemotePowerShell is in the protocol list, a tagged admin mailbox is covered by this rule as well, which is why the Priority 1 Allow rule from Step 2 must already exist.
$UserDenyRuleName = "Restrict Exchange to Venn Private Company Gateway IPs"
$PrivateGatewayIPs = "X.X.X.X","Y.Y.Y.Y"
# Pass the protocols as an array of strings, one value per protocol
$Protocols = "ExchangeActiveSync","ExchangeAdminCenter","ExchangeWebServices","IMAP4","OfflineAddressBook","OutlookAnywhere","OutlookWebApp","POP3","PowerShellWebServices","RemotePowerShell","REST","UniversalOutlook"
$UserRecipientFilter = "CustomAttribute1 -eq 'PrivateCompanyGateway'"
New-ClientAccessRule -Name $UserDenyRuleName -Action Deny -AnyOfProtocols $Protocols -Scope Users -ExceptAnyOfClientIPAddressesOrRanges $PrivateGatewayIPs -UserRecipientFilter $UserRecipientFilter -Priority 3 -Confirm:$false
You can run the following command to set the custom attribute for a specific user
Get-Mailbox -Identity user@company.com | Set-Mailbox -CustomAttribute1 "PrivateCompanyGateway"
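The whole Step 3 rollout as one script, added here as an example that is not part of the original page: it tags a set of mailboxes, lists exactly which mailboxes carry the tag before any rule exists, creates the rule disabled so its definition can be inspected, enables it, and then uses Test-ClientAccessRule on three cases (tagged user from outside the gateway, tagged user via the gateway, untagged user) to confirm the rule matches only where intended. The UPNs, IP addresses and rule name are constructed placeholders; the -Enabled parameter of New-ClientAccessRule and Set-ClientAccessRule is used for the staged rollout.

```powershell
# Added example (not from the original page). Assumptions: an Exchange Online session is
# already connected; the UPNs, IP addresses and rule name are constructed placeholders.
$RuleName    = "Restrict Exchange to Venn Private Company Gateway IPs"
$Tag         = "PrivateCompanyGateway"
$GatewayIPs  = "203.0.113.10","203.0.113.11"          # constructed gateway egress IPs
$OutsideIP   = "198.51.100.7"                         # constructed non-gateway client IP
$Protocols   = "ExchangeActiveSync","ExchangeAdminCenter","ExchangeWebServices","IMAP4",
               "OfflineAddressBook","OutlookAnywhere","OutlookWebApp","POP3",
               "PowerShellWebServices","RemotePowerShell","REST","UniversalOutlook"
$TaggedUsers = "alice@contoso.com","bob@contoso.com"  # constructed list; in practice read from a CSV
$ControlUser = "carol@contoso.com"                    # constructed untagged user, used as a control

# 1. Tag the mailboxes the rule should cover.
foreach ($upn in $TaggedUsers) {
    Set-Mailbox -Identity $upn -CustomAttribute1 $Tag
}

# 2. Review exactly which mailboxes carry the tag before any rule exists.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'" |
    Select-Object DisplayName, UserPrincipalName

# 3. Create the rule disabled, so it can be inspected before it takes effect.
if (-not (Get-ClientAccessRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name $RuleName -Action Deny -AnyOfProtocols $Protocols -Scope Users `
        -ExceptAnyOfClientIPAddressesOrRanges $GatewayIPs `
        -UserRecipientFilter "CustomAttribute1 -eq '$Tag'" -Priority 3 -Enabled $false -Confirm:$false
}
Get-ClientAccessRule -Identity $RuleName |
    Format-List Name, Priority, Enabled, Scope, UserRecipientFilter, ExceptAnyOfClientIPAddressesOrRanges

# 4. Enable it and check the three cases that matter.
Set-ClientAccessRule -Identity $RuleName -Enabled $true
$cases = @(
    @{ Label = "tagged user, outside gateway (expect Deny)";      User = $TaggedUsers[0]; IP = $OutsideIP },
    @{ Label = "tagged user, via gateway (expect no match)";      User = $TaggedUsers[0]; IP = $GatewayIPs[0] },
    @{ Label = "untagged user, outside gateway (expect no match)"; User = $ControlUser;    IP = $OutsideIP }
)
foreach ($c in $cases) {
    $match = Test-ClientAccessRule -AuthenticationType NonBasicAuthentication -Protocol OutlookWebApp `
        -RemoteAddress $c.IP -RemotePort 443 -User $c.User
    "{0}: {1}" -f $c.Label, $(if ($match) { ($match | ForEach-Object Name) -join ', ' } else { 'no rule matched' })
}

# 5. Rollback without deleting the rule: disable it, or clear the tag on a single mailbox.
# Set-ClientAccessRule -Identity $RuleName -Enabled $false
# Set-Mailbox -Identity $TaggedUsers[0] -CustomAttribute1 $null
```

Disabling the rule is the fastest way back if the first run surprises you, and clearing CustomAttribute1 on one mailbox removes that user from scope without touching the rule. Remember that a newly created rule can take time to propagate, so the step 4 checks are about the rule definition, not proof that every client is already being blocked.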
Applying Client Access Rules to all users
To apply the rule to all users instead of only the tagged mailboxes, clear the recipient filter so the rule no longer depends on CustomAttribute1 or any other property. Match the rule by name rather than by priority, since priorities shift when rules are added or reordered.
# To remove the filter (the rule then applies to every authenticated user)
Set-ClientAccessRule -Identity "Restrict Exchange to Venn Private Company Gateway IPs" -UserRecipientFilter $null
# To revert the change
Set-ClientAccessRule -Identity "Restrict Exchange to Venn Private Company Gateway IPs" -UserRecipientFilter "CustomAttribute1 -eq 'PrivateCompanyGateway'"