A new feature available within Exchange Online comes in the form of Client Access Rules. This new feature provides customers who do not have access to Conditional Access Rules and do not want to deploy ADFS the ability to control access to your Exchange Online environment based on conditions like IP Address, authentication type and more.
Client Access Rules are like Transport Rules in that they work on Conditions, Exceptions and Actions. However, Client Access Rules can only be managed through PowerShell.
There are some important notes around Client Access Rules that need to be considered:
- When a Client Access Rule is triggered by a connection attempt, no more rules are processed.
- Connections from your internal network are not automatically allowed. A rule must be created to allow traffic.
- Outlook for iOS and Android will bypass Client Access Rules and will always be allowed access.
- The first Client Access Rule created within Exchange Online can take up to 24 hours to take effect. Subsequent rules created, modified or deleted can take up to an hour.
When a Client Access Rule is triggered, no more rules are processed. This makes the priority of rules important. For example, if a rule that blocks Exchange ActiveSync has a priority of 1 and another rule that allowed ActiveSync connects for specific users has a priority of 4 those users will not be able to connect. It is recommended to use exceptions instead of multiple rules, so one rule that blocks ActiveSync connections except for the users who are allowed the have access.
A rule will need to be created to allow connections from your Internal Network. This is not automatically allowed. The rule would be configured to allow connections from specific IP addresses or IP address ranges (it is currently assumed that public IP addresses are required. I have not had a chance to test this). It is recommended that this is the highest priority rule so connections from your network are not blocked.
Outlook for iOS and Android
It comes as a surprise for me that Outlook for iOS and Android will always be allowed access. My initial thoughts are that this basically allows anyone with iOS and Android access to their mail via app. Does this mean that you require Conditional Access to be able to manage connectivity from mobile devices? I think once I see this in action I can make a better comment.
It is good to know how long to wait until changes are expected to be in effect. I think an hour to see changes after the first one is acceptable and makes testing much more structured.
So, I think Client Access Rules are a welcome addition to the arsenal of features available to us within Exchange Online. My only concern is that Outlook for iOS and Android will always have access, this requires further investigation which I hope to do soon.
Follow this link for information on the PowerShell commands required to manage Client Access Rules.