How to block external access to Exchange admin center in Exchange 2019 via Client Access Rules?

The purpose of Client Access Rules

Managing Client Access Rules is possible only from the Exchange Management Shell level. There is no GUI you can use to manage them. The Client Access Rules feature allows you to block:

  • Individual IP addresses, e.g. 192.168.0.1
  • Ranges of IP addresses, e.g. 192.168.0.1 – 192.168.0.10
  • Subnet IP, e.g. 168.0.0/24

With the use of more advanced rules, you can also block elements like authentication protocols, selected users in Active Directory or users having specified attributes in AD like e.g. Department, Company, etc. (the last option seems to be reserved for Exchange Online, for the moment). To get more information about Client Access Rules, visit this Microsoft document.

The elements of Client Access Rules

A single Client Access Rule consist of the following elements:

  • Condition – identifies the client connection to which the rule applies.
  • Exception – identifies the client connection to which the rule should not apply.
  • Action – defines what actions need to be taken when the client connection meets the condition.
  • Priority – defines the order in which rules are executed. Every rule has a priority number assigned. The lower the number, the higher the priority. By default, the oldest rules have the highest priority, so they are processed first.

The cmdlets for Client Access Rules

There are different cmdlets available to manage Client Access Rules. See the list below:

  • Get-ClientAccessRule – this cmdlet will return the results showing a list of currently configured rules.
  • New-ClientAccessRule –this cmdlet lets you create new rules.
  • Set-ClientAccessRule – use this cmdlet to modify existing rules.
  • Test-ClientAccessRule – a useful cmdlet that lets you test a rule configuration.
  • Remove-ClientAccessRule – use it to remove rules.

How to block access to EAC (ECP)

You can use Client Access Rules to block access to Exchange admin center. In my example below, I want to block access for all users except for one internal network, VLAN 192.168.171.0/24, which is Management. Thanks to that, other subnets within the organization as well as users from outside of the organization will have no access to Exchange admin center. The main purpose of it is to keep organization secure and protected from unauthorized access.

To start, it is a good practice to run the following cmdlet:

New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action AllowAccess -AnyOfProtocols RemotePowerShell -Priority 1

This command will prevent Exchange Management Shell (EMS) to be cut off in case the administrator makes a mistake during the configuration.

Block access for all users except for one network

In order to block the access to EAC for all user except for the particular network e.g. in my case it is VLAN Management 192.168.171.0/24, run the cmdlet like this:

New-ClientAccessRule -Name "Allow ECP only for VLAN MGMT" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges 192.168.171.0/24 -Priority 2

Block access for all users with an exception

As a result, only VLAN Management can access EAC. Users from other VLANs\subnets will not be allowed to access EAC.

Check a list of Client Access Rules

To check a list of configured rules, run the following cmdlet:

Get-ClientAccessRule

Check a list of Client Access Rules
It will return results where you can see details about each rules like name or their priority on the list.

Check if the rule works properly

To test the rule to verify if it works as expected, try to log in to EAC from the network other than, in my case, 192.168.171.0. If the rule works correctly, you should see something similar to:

Check if the rule works properly

To test the rule, you can also run abovementioned cmdlet Test-ClientAccessRule. This will simulate the connection e.g. from IP address 192.168.169.2 to EAC for the Administrator user:

Check if the rule works properly

Of course, this is only an example of how you can use cmdlets to manage a wide range of functionalities offered by Client Access Rules. Let’s now see how to block access to EAC by using different Active Directory attributes.

Block access to EAC depending on user Active Directory attributes

[Important] At the time of writing this article, this method worked flawlessly. However, when recently testing it, it turned out that -UserRecipientFilter is no longer available in Exchange 2019. This Microsoft article seems to confirm this information. The New-ClientAccessRule cmdlet with this filter runs successfully and doesn’t return errors. However, access isn’t blocked afterwards. Running this cmdlet in Exchange Online works without any issues.

Let’s assume that your company security policy requires that only employees of the IT Department can have access to Exchange admin center. To make this case more complex, let’s also assume that the IT Department is located in different parts of the world as well as there are different networks to take into account (LAN, VLAN etc. which is really problematic to write rules based on IP addresses).

To meet the abovementioned requirements, you can create the Client Access Rules based on, for example, the Department attribute in Active Directory. I created two new employees in AD who are members of the IT Department and assigned them with Organizational Management rights.

Department attribute in AD

Before I start a new rule configuration, I remove the rule based on the IP subnet by using the following cmdlet:

Remove-ClientAccessRule

Remove client access rule
Now, I can create a new rule, which will check the value of the Department AD attribute. If the value is different than “IT”, the access will be denied. This is the command:

New-ClientAccessRule -Name "Allow access to ECP only for IT" -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -UserRecipientFilter {Department -ne "IT"} -Priority 2

New client access rule
Now it is time to test the new rule. I will use a newly created account of Jon Snow to access EAC (Jon is a member of the IT team). For this purpose, I run this cmdlet:

Test client access rule.

If there are no results returned, it means that no Client Access Rules apply to the user. And this is correct as I configured a blocking rule. Let’s now test what happens when I change the value of the Department attribute to “HR”.

AD properties of a user.

To check the results of the rule, I use the same cmdlet as for the example above:

Test the results of client access rule.

You can see that once I changed the value of the Active Directory attribute, the Client Access Rule works correctly by blocking access to ECP.

This is what it looks like from the browser (for Jon Snow if he is in the “HR” Department):

A notification about blocked access to EAC.

And here is an example for another user, Tyrion Lannister who is from the “IT” Department. As you can see, the user has access to ECP:

Access to EAC

Bottom line

Those examples are just a small part of what you can really get from the Client Access Rules functionality in Exchange 2019. The list of scenarios that you can cover by using this feature is almost endless and will definitely help you meet strict security requirements in your Exchange 2019 environment.

See also:

Tools for Microsoft 365

Recommended articles

How to migrate from Exchange Server 2016/2019 to Microsoft 365

How to migrate from Exchange Server 2016/2019 to Microsoft 365

Migrating Exchange data to the cloud is not rocket science – explore your options and launch the migration stress-free. As you may already know, Exchange Server 2016 and 2019 have reached end of life and are no longer officially supported by Microsoft. If your organization still uses either of these platforms to manage email, contacts, calendars, and tasks, keep in mind that: Your environment may become vulnerable to newly discovered security threats – Microsoft will no longer provide security updates for Exchange 2016 and 2019 (unless you’ve enrolled in the Extended Security Update program, which ends in October 2026). Your emails may get blocked – Microsoft has started to throttle and block emails sent from unsupported Exchange Server versions to Exchange Online (as I covered in this article). That said, migrating to a supported platform is now the only viable long-term option for keeping your organization’s email environment secure, supported, and fully operational. If your organization wants or needs to keep things on‑premises (and continue using Microsoft’s solutions for that), upgrading to Exchange Server Subscription Edition (SE) is the only path forward. But given Microsoft’s clear preference for its cloud services – evident in the faster rollout of new features and the many security capabilities available exclusively in Microsoft 365 (Office 365) – now is a great time to leave your on‑prem environment behind and migrate to Exchange Online as part of Microsoft 365. While switching over to a new platform might seem like a rough ride, I’ll show you some easy ways to follow when migrating mailboxes from Exchange Server 2016/2019 to Microsoft 365. How to prepare for email migration to Microsoft 365 Before you start the migration process, you need to make sure your environment is ready for the move. For this purpose, you can use this guide in the Microsoft 365 admin center – it will help you connect your organization to Microsoft 365 and integrate your existing user accounts with Microsoft Entra ID. Microsoft also recommends completing the steps below: Set up an SPF record to determine valid email sources for your organization’s Microsoft 365 domain. Set up the Exchange Online Protection service as a means of protection against spam and malware. If you’re behind on updates, make sure to install the latest Cumulative Update (CU). And here is my quick, less obvious Microsoft 365 migration checklist: Verify if your software will work in Microsoft 365 (especially when it comes to server software). Microsoft 365 migration might be the time you learn that there is crucial legacy software that half the company uses and which is hard to replace. Encourage the whole company to clean up projects. It’s much easier to do this before the migration and start fresh. Gather as much information about your on‑premises environment as possible. For example, you might need to recreate access roles and permissions from scratch in the cloud or set up mail flow rules. Without prior research, it will be much more difficult. Verify if you need to migrate service accounts. There can be a lot of them on‑premises and in most cases, you won’t need them after the move. Review mailbox size limits in Exchange Online before migration to see which licenses you’ll need and whic
New-ComplianceSearch: how to use the newer version of Search-Mailbox

New-ComplianceSearch: how to use the newer version of Search-Mailbox

Microsoft retired the Search-Mailbox cmdlet – now what? Discover how to use New-ComplianceSearch, its key advantages and how to make the switch seamlessly.
How to start remote PowerShell session to Exchange or Microsoft 365

How to start remote PowerShell session to Exchange or Microsoft 365

One of many features of the PowerShell command line tool is its ability to connect with and manage the Exchange Server remotely. The procedure described below applies to the classic on-prem Exchange server and to the Microsoft 365/Exchange Online version.

Comments

  1. Hello,
    On Exchange 2019, is it possible to block my users’ access from outside via their mobiles (I suppose it is enough to deactivate ActiveSync on each user) but also access to OWA via a web browser at home? The goal being that they only use Exchange 2019 messaging internally

    Regards,

    • avatar
      Adam the 32-bit Aardvark says:

      Hi,
      The approach with deactivating ActiveSync on each user to block their access from outside via mobiles, should do the trick. This can be achieved either via EAC or PowerShell. Regarding OWA: this article explains how to disable Outlook on the web access to mailboxes in Exchange Server.

  2. avatar
    Franklin Guerrero says:

    Nice article but you were using the wrong syntax for “Block access to EAC depending on user Active Directory attributes”

    The syntax works this way;
    New-ClientAccessRule -Name “Allow access to ECP only for IT” -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -UserRecipientFilter “Department -ne ‘IT'” -Priority 2

    Franklin Guerrero – Exchange Admin

    • avatar
      Adam the 32-bit Aardvark says:

      Thanks! I’ve noticed that the wrong type of quotation marks was used in the command, but other than that the syntax should be ok. You can use braces { } as long as the filter doesn’t contain variables. In this case, it doesn’t.

  3. I really wish blocking Outlook Anywhere externally would work, but it does not.

    -AnyOfProtocols
    The AnyOfProtocols parameter specifies a condition for the client access rule that’s based on the client’s protocol.

    Valid values for this parameter are:

    Note: In Exchange 2019, the only supported values are ExchangeAdminCenter and RemotePowerShell.

    https://docs.microsoft.com/en-us/powershell/module/exchange/new-clientaccessrule?view=exchange-ps

    Any solution to this would be great as we are looking to block this as well.

    • avatar
      Adam the 32-bit Aardvark says:

      You’re right, the rest of the protocols are restricted to Client Access Rules in Exchange Online. Until the feature is upgraded in Exchange 2019, there is no easy way to block this protocol.

  4. Thank you for the information. I would like to know can we check the list of the blocked IP address when it comes to access Exchange.

    • avatar
      Adam the 32-bit Aardvark says:

      The cmdlet:
      Get-ClientAccessRule | FL Name,Action,AnyOfClientIPAddressesOrRanges,ExceptAnyOfAuthenticationTypes
      Should return all relevant information.

    • avatar
      Adam the 32-bit Aardvark says:

      Hi,
      After testing, it seems that Exchange 2019 does accept the -UserRecipientFilter but such a rule doesn’t really work. I’m sorry for the mixup, I’ll edit the article as soon as I’m able.

  5. Hi, can this the parameter “UserRecipientFilter ” be used in Exchange 2019? From here(https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/New-ClientAccessRule?redirectedfrom=MSDN&view=exchange-ps), i find that this parameter only be used in Exchange Online.

    • avatar
      Adam the 32-bit Aardvark says:

      I’m positive I’ve tested it before and it worked in Exchange 2019, as well. I’ve just checked it in a test Exchange 2019 environment and PowerShell does accept the UserRecipientFilter attribute with a proper value. I’ll let you know if it actually works as expected after the Client Access rule kicks in (the first Client Access rule takes up to 24 hours to start working).

  6. Hi, does this also work for Outlook Anywhere? We have Exchange 2013 now but if this can also control Outlook Anywhere, this would be a compelling upgrade.

    We deploy active sync to mobile devices using MDM. What we don’t want is an end user with their personal device configuring outlook to download corporate data to an unmanaged system. It’s easy to do and even if activesync and owa are disabled for the account, Outlook anywhere and autodiscover makes it all too easy to setup any outlook to any company email account, provided you know the username and password.

    • avatar
      Adam the 32-bit Aardvark says:

      Hi Kjstech,
      Yes, Client Access Rules support Outlook Anywhere. The complete list of protocols it can handle is as follows:
      • ExchangeActiveSync
      • ExchangeAdminCenter
      • ExchangeWebServices
      • IMAP4
      • OfflineAddressBook
      • OutlookAnywhere (includes MAPI over HTTP)
      • OutlookWebApp (Outlook on the web)
      • POP3
      • PowerShellWebServices
      • RemotePowerShell
      • REST
      So for the rule to apply to Outlook Anywhere, you would simply need to add -AnyOfProtocols OutlookAnywhere not specifying the AnyofProtocols attribute would also make the rule apply to Outlook Anywhere (and all the other protocols listed). The problem is that currently, it only works for Exchange Online. Rules on Exchange 2019 allow only Exchange Admin Center and RemotePowerShell protocols.

  7. thanks for the excellent story,

    I have a question, is it possible to use more than one access rule to have more specific control?
    For example, I want access to be restricted to my organization’s IP only but I need IT staff to have external access. I created this two rules but apparently didn´t work

    New-ClientAccessRule -Name “Acesso Departamento” -Action AllowAccess -AnyOfProtocols ExchangeAdminCenter -UserRecipientFilter {Department -eq “IT”} -Priority 2
    New-ClientAccessRule -Name “Acesso IP” -Action DenyAccess -AnyOfProtocols ExchangeAdminCenter -ExceptAnyOfClientIPAddressesOrRanges -Priority 3

    • avatar
      Adam the 32-bit Aardvark says:

      Hi Diego,
      It is one of the most basic setups and it should work without problems. One of the first pieces of information shared on the subject of Client Access Rules by Microsoft is that you should start with setting up a safety rule not to lock your admins out. How does this setup work? Anyone can access PowerShell regardless of IP, IT can only connect from a set of IPs?
      Another thing to keep in mind is that Client Access Rules need some time to propagate through your tenant.

    • avatar
      Adam the 32-bit Aardvark says:

      Unfortunately, Client Access Rules have been introduced in Exchange 2019, so the steps from this article will not work for the previous Exchange Server releases.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.