Hello folks!

Today's blog offers real-life scenarios to help you learn how to use client access rules to allow or block different types of connections to Exchange.

Table of contents

What are clients in Exchange?

What are Client Access Rules?

What are client access components and properties (conditions)?

Learn how to use client access rules to allow or block different types of connection to exchange

The following are real scenario

Real Case scenario

• Allow only it admin and users in IST department to bypass the rule.
• Block connection to exchange from web access (OWA) specific Ip ranges.

Testing scenarios

• Test with PowerShell IT admin and another user from blocked range and allowed ranges
• Testing with login to mail web access from blocked IP rand and allowed using IT user and other user

All PowerShell commands

Reference links

As Microsoft says it applies to:  Exchange 2013, 2016, 2019 and Exchange Online

Example Scenarios:

• Allow access to Exchange ActiveSync clients from specific IP addresses and block all other ActiveSync clients.
• Block access to Exchange Web Services (EWS) for users in specific departments, cities, or countries.
• Block access to an offline address book (OAB) for specific users based on their usernames.
• Prevent client access using federated authentication.
• Prevent client access using Exchange Online PowerShell.
• Block access to the Exchange admin center (EAC) for users in a specific country or region.

Clients are:

Desktop programs like outlook, Outlook on the web OWA, mobile clients (iPhone, android and others)

That are used to connect to exchange.

Clients and mobile in Exchange Online | Microsoft Docs

Client access rules are:

Controlling access to exchange online or as stated in Microsoft (exchange 2016 and 2019)

Based on client properties like transport rules.

The rules will have components is like conditional access policy in azure

Conditions, Exceptions, Action, Priority

Properties or components of the client access rules.

Condition: Identify the client connections to apply the action to. Client Access Rules in Exchange Online | Microsoft Docs

Exceptions: Optionally identify the client connections that the action shouldn't apply to.

Action: Specifies what to do to client connections that match the conditions. (Allow or Block)

Priority: Indicates the order that the rules are applied to client connections (a lower number indicates a higher priority).

Real Case scenario

Now we need to control access for the clients

Block connection to exchange from specific IP range and allow users in IST department to bypass the rule.

This can be done by client access rules using PowerShell

Just go to internet type new-clientaccessrules you will have 2 links one for the procedures and the other is for syntax.

Procedures for Client Access Rules in Exchange Online | Microsoft Docs

New-ClientAccessRule (ExchangePowerShell) | Microsoft Docs

Run the following PowerShell commands to connect to exchange online

Install-Module -Name ExchangeOnlineManagement

#Installing the PowerShell module

Update-Module -Name ExchangeOnlineManagement

#update to the latest Version

Connect-ExchangeOnline

# connect to exchange online

Get-ClientAccessRule

#check if there are any client access rules 

First rule scenario

Create a rule to block OWA outside of my company IP range

Then exclude IT Department from this rule

Notes: always crate the first rule to preserve the admin from this rule

Conditions, Exceptions, Action, Priority

New-ClientAccessRule -Name "" [-Priority ] [-Enabled <$true | $false>] -Action [] []

The following rule will have the first priority to exclude IST department from any rules

New-ClientAccessRule -Name "Allow IT all protocols" -Action Allow -AnyOfProtocols RemotePowerShell, PowerShellWebServices, OutlookWebApp, ExchangeActiveSync, ExchangeAdminCenter, ExchangeWebServices -UserRecipientFilter "department -eq 'IST'" -Priority 1

#Allowing it admins to bypass any rules (a lower number indicates a higher priority).

The highest priority you can set on a rule is 1

Procedures for Client Access Rules in Exchange Online | Microsoft Docs

Then check the components of the rule

Create a rule to block OWA outside of my company IP range you can also exclude a specific user

new-ClientAccessRule -Name "Block OWA from IP range" -Action DenyAccess -AnyOfProtocols OutlookWebApp -AnyOfClientIPAddressesOrRanges 156.205.189.18/30 - -Priority 2

Get-ClientAccessRule -Identity "Block OWA from IP range" | FL

I shall have 2 rules now

Now test using PowerShell command testing the it admin user

Note: The rules may need 24 hours for being applied then any other rules will take one hour

The first rule will be applied only so he bypasses the second rule

When we test using another IP rage not in the blocked list it is allowed, and rule has been applied which is allow

Test-ClientAccessRule -User username@yourdomain.com -Protocol OutlookWebApp -AuthenticationType BasicAuthentication -RemoteAddress yourIPblockedrange -RemotePort 443

Test-ClientAccessRule -User username@yourdomain.com -Protocol OutlookWebApp -AuthenticationType BasicAuthentication -RemoteAddress youripallowed -RemotePort 443

Testing another user not in IST department

The rule was applied when accessing from blocked IP range

Then when in another range no rule applies

Now testing the log in for IT Admin account from range blocked and not blocked he can access

Let’s test with another user isn't in the exception

Now I will test with account it admin excluded from this rule

All PowerShell commands

Please replace the following (it admin, blocked user, allowed Ip, blocked Ip ) with your real data

Install-Module -Name ExchangeOnlineManagement

Connect-ExchangeOnline

New-ClientAccessRule -Name "Allow IT all protocols" -Action Allow -AnyOfProtocols RemotePowerShell, PowerShellWebServices, OutlookWebApp, ExchangeActiveSync, ExchangeAdminCenter, ExchangeWebServices -UserRecipientFilter "department -eq 'IST'" -Priority 1

new-ClientAccessRule -Name "Block OWA from IP range" -Action DenyAccess -AnyOfProtocols OutlookWebApp -AnyOfClientIPAddressesOrRanges Blockedrange - -Priority 2

Get-ClientAccessRule

Get-ClientAccessRule -Identity "Allow IT all protocols" | FL

Get-ClientAccessRule -Identity "Block OWA from IP range" | FL

Test-ClientAccessRule -User ITadmin@yourdomain.com -Protocol OutlookWebApp -AuthenticationType BasicAuthentication -RemoteAddress BlockedIP -RemotePort 443

Test-ClientAccessRule -User ITadmin@yourdomain.com  -Protocol OutlookWebApp -AuthenticationType BasicAuthentication -RemoteAddress AllowedIP -RemotePort 443

Test-ClientAccessRule -User blockeduser@domain.com -Protocol OutlookWebApp -AuthenticationType BasicAuthentication -RemoteAddress BlockedIP -RemotePort 443

Test-ClientAccessRule -User blockeduser@domain.com -Protocol OutlookWebApp -AuthenticationType BasicAuthentication -RemoteAddress AllowedIP -RemotePort 443

Reference links:

New-ClientAccessRule (ExchangePowerShell) | Microsoft Docs

Client Access Rules in Exchange Online | Microsoft Docs

Procedures for Client Access Rules in Exchange Online | Microsoft Docs