New Client Access Rules for Exchange Online

There are many ways you can manage and control the way your end-users connect to Office 365. Intune, and Azure Active Directory Premium are add-on feature sets for your Office 365 subscription that give you advanced controls for managing client access scenarios, but some customers want a lower level of control that they can implement without having to buy add-on licenses.

In this blog post, I am going to explore some new Client Access Rules that have recently been added into Exchange Online.

What are Client Access Rules?

Client Access Rules are a tool used to control access to your Exchange servers based on client properties, or client access request types. They work much the same way that transport rules do, except they apply to client connections not email in the transport pipeline.

Unlike Intune or Azure Active Directory Premium, Client Access Rules are available in Exchange Online with every subscription level. There is no add-on license to purchase to gain access to Client Access Rules.

There are four components to any Client Access Rule; Conditions, Exceptions, Action, and Priority. The combination of these four components is what make the Client Access Rules work.

• Conditions are used to identify the connection we want to allow or block. The conditions may be that the connection comes from specific IP addresses, or from a specific client type. Conditions are really the meat of your Client Access Rules.
• Exceptions are optional and define what connections a rule should not apply to. Maybe your organization wants to block connections from a specific IP range except when those connections are made from an Outlook for Android client.
• Actions specify what is done with a specific connection. The connection can either be allowed or blocked by Client Access Rules.
• Priority is the last component of Client Access Rules and defines the order in which multiple Client Access Rules are applied to a connection. It is important to remember that processing stops on the first Client Access Rule that matches a specific condition.

How do I modify Client Access Rules?

By default, there are no Client Access Rules defined in your Office 365 tenant. To modify the Client Access Rules in your Exchange Online tenant, you’ll need to connect to remote PowerShell and manage them with the *-ClientAccessRule cmdlets.

In the screenshot below you can see I used Get-Command to find the PowerShell cmdlets available to manage Client Access Rules. Hopefully by this point you are familiar with PowerShell and how the cmdlets work.

Running Get-ClientAccessRule in your Office 365 tenant will show you that there are no default Client Access Rules pre-built for you. We’ll need to create a new rule to see out options.

Here is the TechNet article for New-ClientAccessRule. Review the cmdlet and the detail given there. You can see that article has not been updated for a while, so it probably does not contain information on the new Client Access Rule features that Microsoft is rolling out.

The options for New-ClientAccessRule in my tenant still match that document, so it does not look like I’ve had the new Client Access Rules added to my tenant. This brings up the question…

What new functionality does this change give me?

Here’s the rub with Office 365 – changes are rarely documented in a complete and timely manner. The updates to the Client Access Rules are no different. Below is a screenshot from the Office 365 roadmap that announces this change.

As you can see, there is not a ton of information there on the roadmap. We know Microsoft is updating Client Access Rules, but that is about it. As this change is posted in the “rolling out” section, we don’t even have a clever way to know if the updates have been applied to our tenant or not from what we see here.

Sometimes there is information available to us MVPs from Microsoft before changes like this go to the public, but even if that was the case here, I wouldn’t be allowed to share that information until Microsoft makes it public in some way.

So how do you, as an Office 365 administrator, know what changes are coming to your Office 365 tenant? There are no easy answers to that question until Microsoft improves the documentation for Office 365 updates. I know the MVP community spends a lot of time reviewing the roadmap and other sources, but that is no guarantee that you’ll get the information you need in a timely manner.

My suggestion is that you review blogs (like this one!) and do what you can to keep current. Don’t be afraid to play with your Office 365 tenant (a test tenant is a really clever idea if your employer would prefer you not mess up the production tenant).

The Wrap Up

Managing an Office 365 tenant is a lot of work. Administrators that were worried a migration into Office 365 was going to mean that their job would be going away, were clearly wrong. There is plenty for an Office 365 administrator to do, if he or she is willing to put in the time to figure out what all the changes are and how they will affect your organization. As Microsoft rolls out new features and works on their documentation, there is still some manual effort needed to stay up to date with all the functionality in Office 365.

Looking to get ultimate visibility into you Hybrid Office 365 environment? Mailscape 365 helps you manage the cloud like you own IT. Get started with a free trial now: