Controlling end-user access to Exchange Online
Control of end-user access to Office 365 is an important business requirement. If your organisation has deployed Office 365 you are probably familiar with Azure Active Directory’s Conditional Access Policies, and, if Active Directory Federation Services (ADFS) has been deployed, with ADFS Access Control Policies. Depending on conditions such as where a connection attempt was made from or the client app being used, you may already be using these policies to restrict access. However, at Ignite 2017 Microsoft unveiled a new Exchange Online feature that gives organisations additional control over end-user access.
Introducing Client Access Rules
Client Access Rules are built directly into Exchange Online and allow on-going inspection of client connectivity in that service. Exchange Online administrators can now define rules to allow or prevent clients from connecting based on different conditions such as:
• The IP address and hence location of the client
• The authentication type, such as federated or basic authentication
• Individual user names, as well as user property values from the directory such as company, department or office
• The protocol and service being used by the client, such as Exchange ActiveSync, Exchange Web Services or Outlook on the Web.
By introducing Client Access Rules, organisations now have the flexibility to implement common access control scenarios. For example, a Client Access Rule could be constructed to restrict Exchange ActiveSync connections so that they only succeed if they are made from specific approved locations. Another Client Access Rule could be constructed to completely block access to Outlook on the Web for a specific user, if required. In a scenario where Outlook on the Web is blocked, the user receives a message similar to the one shown below:
How do Client Access Rules work?
Client Access Rules function like other rules in Exchange Online, such as transport rules. They consist of familiar components such as conditions, exceptions, actions and priorities:
• Conditions allow you to specify the client scenario you want to match. For example, clients connecting via Exchange ActiveSync, or clients connecting from specific IP addresses or ranges of IP addresses
• Exceptions allow specification of optional client scenarios you don’t want to match and override any conditions that do match
• Actions either allow or block the connection as specified
• Priorities are important to understand since rules are processed in priority order until a match is made. As soon as a match is made, no more rules are processed. Therefore, it is very important to get your rules defined in the correct priority processing order.
Administrators create, modify and remove Client Access Rules using PowerShell, since there is no graphical administration interface to manipulate them. Five Client Access Rule PowerShell cmdlets are available, using the familiar New-, Get-, Set-, Remove- and Test- verbs in conjunction with the ClientAccessRule noun; for example, the New-ClientAccessRule cmdlet creates a rule. The Test-ClientAccessRule cmdlet can be used to test the effects of your rules across your organisation.
The need for rule testing
Rule testing is very important. Client Access Rules include the ability to block access via protocols, including PowerShell itself. Since this is the only way to manage these rules, Microsoft has advised care when constructing rules. The PowerShell interface even reminds you of this need when creating new rules. Failure to heed these warnings means you could inadvertently block access to PowerShell. As a result, you may be unable to modify the rules and need to raise a support call with Microsoft!
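The following is an added example, not code from the original post, showing how the scenarios described above (approved-location Exchange ActiveSync, blocking Outlook on the Web for one user) fit together with the PowerShell safeguard in a priority-ordered rule set, and how Test-ClientAccessRule is used to check the result. It assumes an existing Exchange Online PowerShell session; the IP ranges and user names are placeholders.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session is already connected. IP ranges and users are placeholders.

$AdminRanges       = @('203.0.113.0/24')                       # placeholder: admin egress range
$ApprovedEasRanges = @('198.51.100.0/24', '203.0.113.0/24')    # placeholder: approved EAS locations

# Priority 1: keep Remote PowerShell reachable for administrators, whatever follows.
# Rules are processed in priority order and stop at the first match, so this rule
# must sit above any rule that could otherwise block the management interface.
New-ClientAccessRule -Name 'Allow admin Remote PowerShell' -Priority 1 `
    -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges $AdminRanges

# Priority 2: block Exchange ActiveSync unless the client is in an approved location.
# The exception overrides the condition for the listed ranges.
New-ClientAccessRule -Name 'Block EAS outside approved locations' -Priority 2 `
    -Action DenyAccess `
    -AnyOfProtocols ExchangeActiveSync `
    -ExceptAnyOfClientIPAddressesOrRanges $ApprovedEasRanges

# Priority 3: block Outlook on the Web for one specific (placeholder) user.
New-ClientAccessRule -Name 'Block OWA for one user' -Priority 3 `
    -Action DenyAccess `
    -AnyOfProtocols OutlookWebApp `
    -UsernameMatchesAnyOfPatterns 'blocked.user@contoso.example'

# Test before relying on the rules: each call reports the rules that match the
# supplied connection scenario. First confirm an admin still reaches PowerShell ...
Test-ClientAccessRule -User 'admin@contoso.example' -RemoteAddress 203.0.113.10 `
    -RemotePort 443 -Protocol RemotePowerShell -AuthenticationType NonBasicAuthentication

# ... then that an ActiveSync connection from an unapproved address is denied.
Test-ClientAccessRule -User 'blocked.user@contoso.example' -RemoteAddress 192.0.2.20 `
    -RemotePort 443 -Protocol ExchangeActiveSync -AuthenticationType BasicAuthentication

# Review the effective order; priority, not creation order, decides matching.
Get-ClientAccessRule | Sort-Object Priority | Format-Table Name, Priority, Action, Enabled
```

Remember the propagation delays described below: the first rule may take up to 24 hours to take effect, so a test run immediately after creation shows the evaluated rule set rather than what clients are currently experiencing.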
Are there timing considerations?
Yes. Microsoft technical documentation and prompts in the PowerShell interface advise that the first rule created may take up to 24 hours to be implemented. Subsequent rule creation or modification may take up to an hour to be implemented. Therefore, planning rule implementation or changes should take this into account.
Do I need to do anything?
To enable control of end-user access to Exchange Online based on conditions, such as those mentioned earlier, it may be time for you to investigate Client Access Rules. As stated by Microsoft, Client Access Rules have been rolling out to Office 365 Targeted Release tenancies recently. General roll-out to all tenancies will follow during the remainder of Q4 CY2017.
How Can Silversands help?
Understanding the many access control features in Azure Active Directory, ADFS and Office 365 workloads such as Exchange Online, together with their benefits, applicability and requirements, can be a daunting experience, which is where we come in. We have extensive experience with Office 365 and Azure Active Directory, and can assist you in making sense of the options available. To start a conversation about your needs please complete the form below, or come and talk to us face-to-face at our regular workshops. We’re also very active bloggers and commentators on Microsoft Office 365, SharePoint and Azure, so please do follow us on Twitter and LinkedIn.