Allow / Prevent access to Exchange Online based on IP and Rules

It’s been my experience that companies generally embrace moving to the Cloud cautiously – tending to start with Exchange and, for one reason or another, not linking to their Active Directory environment through Azure

The ease of access this provides to company email for all users may not necessarily be desirable. I’ve been asked to limit access to Exchange online via any device (mobile or remote PC) to Office locations only and/or selected individuals – ensuring that most users are unable to access email away from the work environment

Fortunately this is possible through Client Access Rules

Important: Rule 1, priority 1 – always allow access to remote powershell – if you lock yourself out, it’s a call to Microsoft Support and nobody wants that. Suggest you always leave this rule as priority 1

Note the change in connection URL from usual Exchange Powershell

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

### always allow powershell - highest priority 1 ###
New-ClientAccessRule -Name "Always Allow Remote PowerShell" -Action Allow -AnyOfProtocols RemotePowerShell -Priority 1

### always allow these users - priority 2 ###
New-ClientAccessRule -Name "Always Permitted Users" -priority 2 -enabled $true -Action AllowAccess -UsernameMatchesAnyOfPatterns your.domain\Bob.Scroggins,your.domain\will,your.domain\gemma.arterton

### always allow these networks - priority 3 ###
New-ClientAccessRule -Name "Allow Internal Network" -priority 3 -enabled $true -Action AllowAccess -AnyOfClientIPAddressesOrRanges 185.205.21.121,192.76.64.118,108.178.148.194

### BLOCK EVERYTHING ELSE - priority 4 ###
New-ClientAccessRule -Name "Block everything else" -priority 4 -enabled $true -Action DenyAccess

These are the basic rules I start with if required (names and IPs changed to protect the innocent). They can be changed via set-clientaccessrule -name xxxxxxxx

Clients can be prevented from connecting to Exchange Online based on IP address, authentication type, user properties, protocols, applications, services or resources that they’re using to connect. See Microsoft documentation for further details

Leave a Reply

Your e-mail address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.