Client Access Rules in Exchange Online

A new feature available within Exchange Online comes in the form of Client Access Rules. This feature gives customers the ability to control access to Exchange Online based on conditions. Similar to Conditional Access, you can set conditions like client IP address and authentication type. However, this applies to Exchange Online only.

Client Access Rules are like Transport Rules in that they work on Conditions, Exceptions and Actions. However, Client Access Rules can only be managed through PowerShell.

There are some important notes around Client Access Rules that need to be considered:

  • When a Client Access Rule is triggered by a connection attempt, no more rules are processed.
  • Connections from your internal network are not automatically allowed. A rule must be created to allow traffic.
  • Outlook for iOS and Android will bypass Client Access Rules and will always be allowed access.
  • The first Client Access Rule created within Exchange Online can take up to 24 hours to take effect. Subsequent rules created, modified or deleted can take up to an hour.

Rule Priority

When a Client Access Rule is triggered, no more rules are processed. This makes the priority of rules important. For example, you have the following rules:

  • Rule 1 blocks Exchange ActiveSync and has a priority of 1
  • Rule 2 allows ActiveSync connections for specific users and has a priority of 4

In this situation, the users assigned to Rule 2 will not be able to connect: Rule 1 matches their ActiveSync connection first, and no further rules are processed. It is recommended to use exceptions on a single rule instead of multiple rules.

Internal Network

A rule must be created to allow connections from your Internal Network. This is not automatically allowed. The rule is configured to allow connections from specific IP addresses or IP address ranges. It is recommended that this is the highest priority rule so connections from your network are not blocked.
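The rule priority scenario and the internal network rule above, as an added PowerShell example that is not from the original post. It assumes the ExchangeOnlineManagement module is installed; the IP range, user pattern and test address are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module; the IP range, username pattern and test address below are placeholders.
Connect-ExchangeOnline

# Highest priority: allow connections from the internal network. Without this rule
# connections from your own network are not automatically allowed.
New-ClientAccessRule -Name "Allow internal network" `
    -Action AllowAccess `
    -AnyOfClientIPAddressesOrRanges "203.0.113.0/24" `
    -Priority 1

# One rule with an exception instead of a block rule followed by an allow rule:
# ActiveSync is denied for everyone except mailboxes matching the pattern, so the
# excepted users are never caught by a higher-priority block.
New-ClientAccessRule -Name "Block ActiveSync except field staff" `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync `
    -ExceptUsernameMatchesAnyOfPatterns "*fieldstaff*" `
    -Priority 2

# Review the effective order before waiting for the rules to propagate.
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Name, Priority, Action, Enabled -AutoSize

# Simulate a connection against the rule set without waiting for propagation:
# an ActiveSync connection from outside the internal range for a user that does
# not match the exception should report the deny rule.
Test-ClientAccessRule -User "someone@contoso.example" `
    -AuthenticationType BasicAuthentication `
    -Protocol ExchangeActiveSync `
    -RemoteAddress 198.51.100.7 `
    -RemotePort 443
```

Test-ClientAccessRule evaluates the rules as currently stored, so it is useful for checking priority and exceptions before the change becomes effective for real connections.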

Outlook for iOS and Android

It comes as a surprise to me that Outlook for iOS and Android will always be allowed access. My initial thoughts are that this allows anyone with iOS or Android access to their mail via the app. Does this mean that you require Conditional Access to be able to manage connectivity from mobile devices? I think once I see this in action I can make a better comment.

Administrative Changes

It is good to know how long to wait until changes are expected to be in effect. I think an hour to see changes after the first one is acceptable and makes testing much more structured.

So, I think Client Access Rules are a welcome addition to the arsenal of features available to us within Exchange Online. My only concern is that Outlook for iOS and Android will always have access; this requires further investigation, which I hope to do soon.

Follow this link for information on the PowerShell commands required to manage Client Access Rules.
