Exchange Client Access Rules

Recently I was asked to limit access to the client-facing portions of Exchange online, mainly Outlook for Web, Outlook desktop clients (both Windows and macOS), POP/IMAP, and ActiveSync apps. Basically, this organization only wanted enough access to Exchange to allow Teams voicemail to function, and voicemail to show up in the Microsoft Teams client. The organization hosts their email with another provider, but they’re using Microsoft Teams for calling.

While these methods are probably too much for most organizations, they can serve as a starting point for limiting points of access that you do not want.


Creating Exchange client access rules can only be done via PowerShell. To do this, you need the Exchange Online PowerShell module. To install this module on your computer, open PowerShell as an administrator and run this command:

Install-Module -Name ExchangeOnlineManagement

Once the module is installed, you can connect to your environment by running this command and signing in. You should sign in as a user with the Exchange Administrator role in Azure AD.


Create Client Access Rule

There is one need-to-know item with client access rules – they take time to apply. Microsoft states that the first rule you create in your environment may take up to 24 hours to apply. In my environment, it didn’t take the full 24 hours, but it did take overnight. After the first rule is created and applies, additional rules, changes to existing rules, or deleting rules may take up to one hour to apply. I was consistently seeing changes take the full one hour.

First, it’s best practice to create a rule with the highest priority (priority 1) that maintains access to the Exchange Admin Center and access via PowerShell. This will make sure that you do not lock yourself out of your environment. To create this rule, run this command.

New-ClientAccessRule -Name "AllowAdminAccess" -Action AllowAccess -AnyOfProtocols RemotePowerShell,ExchangeAdminCenter -Priority 1

Next, we can create the actual rule to block access to the Exchange protocols. As of this writing, these are the available protocols to block (source: New-ClientAccessRule (ExchangePowerShell) | Microsoft Docs).

  • ExchangeActiveSync
  • ExchangeAdminCenter
  • ExchangeWebServices
  • IMAP4
  • OfflineAddressBook
  • OutlookAnywhere
  • OutlookWebApp
  • POP3
  • PowerShellWebServices
  • RemotePowerShell
  • REST
  • UniversalOutlook (Mail and Calendar app)

There are two ways to block protocols: the AnyOfProtocols parameter or the ExceptAnyOfProtocols parameter. AnyOfProtocols applies the rule (in this case, a block) to the protocols you specify; ExceptAnyOfProtocols applies it to every protocol except the ones you specify, leaving those open. In my case, I was blocking everything except what was required for Teams voicemail, so I used ExceptAnyOfProtocols and kept REST enabled (which is how Teams voicemail gets to the Teams client).

Here is my command to keep REST open while denying everything else:

New-ClientAccessRule -Name "BlockClientAccess" -Action DenyAccess -ExceptAnyOfProtocols REST -Priority 2

Once created, you can use this command to view your client access rules.

Get-ClientAccessRule | Format-List

Mobile Apps

Mobile apps created by Microsoft like Outlook on iOS and Android do not adhere to client access rules (source: Client Access Rules in Exchange Online | Microsoft Docs, under Important Notes > Client Access Rules and middle-tier applications). So, to block these, you must use an ActiveSync access rule.

To block Outlook from connecting on iOS and Android, run this command:

New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "Outlook" -AccessLevel Block
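The whole procedure above as one script, added here as an example and not part of the original post: it creates the rules idempotently, refuses to create the deny rule unless the priority 1 allow rule for PowerShell is in place, and then checks which rule matches for a sample user. It assumes the ExchangeOnlineManagement module is installed; $AdminUpn, $TestUser and the remote address are placeholders.

```powershell
# Added example (not from the original post). Placeholders below must be replaced.
$AdminUpn = 'admin@contoso.example'   # placeholder: account with the Exchange Administrator role
$TestUser = 'user@contoso.example'    # placeholder: mailbox to evaluate the rules against

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# 1. Safeguard rule at priority 1: keep PowerShell and the Exchange Admin Center reachable.
if (-not (Get-ClientAccessRule -Identity 'AllowAdminAccess' -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name 'AllowAdminAccess' -Action AllowAccess `
        -AnyOfProtocols RemotePowerShell, ExchangeAdminCenter -Priority 1
}

# Lockout guard: do not create the deny rule unless an AllowAccess rule that covers
# RemotePowerShell is ordered ahead of it.
$guard = Get-ClientAccessRule | Where-Object {
    $_.Action -eq 'AllowAccess' -and
    $_.AnyOfProtocols -contains 'RemotePowerShell' -and
    $_.Priority -lt 2
}
if (-not $guard) { throw 'No AllowAccess rule for RemotePowerShell ahead of priority 2; aborting.' }

# 2. Deny every protocol except REST, which Teams voicemail needs.
if (-not (Get-ClientAccessRule -Identity 'BlockClientAccess' -ErrorAction SilentlyContinue)) {
    New-ClientAccessRule -Name 'BlockClientAccess' -Action DenyAccess `
        -ExceptAnyOfProtocols REST -Priority 2
}

# 3. Outlook for iOS/Android ignores client access rules, so block it with an ActiveSync rule.
$outlookRule = Get-ActiveSyncDeviceAccessRule | Where-Object {
    $_.Characteristic -eq 'DeviceType' -and $_.QueryString -eq 'Outlook'
}
if (-not $outlookRule) {
    New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString 'Outlook' -AccessLevel Block
}

# 4. Review the rule set in priority order, then show which rule matches per protocol for
# the test user. Remember that rules can take up to an hour (24 h for the first) to apply.
Get-ClientAccessRule | Sort-Object Priority |
    Format-Table Name, Priority, Action, AnyOfProtocols, ExceptAnyOfProtocols -AutoSize

foreach ($protocol in 'OutlookWebApp', 'ExchangeActiveSync', 'REST', 'RemotePowerShell') {
    "--- $protocol ---"
    Test-ClientAccessRule -User $TestUser -Protocol $protocol `
        -AuthenticationType OAuthAuthentication -RemoteAddress 203.0.113.10 -RemotePort 443 |
        Format-List Name, Action
}

Disconnect-ExchangeOnline -Confirm:$false
```

Expect RemotePowerShell and REST to resolve to AllowAdminAccess and no deny, and OutlookWebApp and ExchangeActiveSync to resolve to BlockClientAccess once the rules have applied.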

That is it. Hopefully this post can help you craft your rules to keep your Exchange environment secure.


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
