exchange/exchange-ps/exchange/New-ClientAccessRule.md
70 additions & 23 deletions
@@ -12,6 +12,7 @@ ms.reviewer:
12
12
# New-ClientAccessRule
13
13
14
14
## SYNOPSIS
15
+
15
16
This cmdlet is functional only in Exchange Server 2019 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
16
17
17
18
Use the New-ClientAccessRule cmdlet to create client access rules. Client access rules help you control access to your organization based on the properties of the connection.
@@ -20,7 +21,7 @@ For information about the parameter sets in the Syntax section below, see [Excha
Client access rules are like mail flow rules (also known as transport rules) for client connections to your organization. You use conditions and exceptions to identify the connections based on their properties, and actions that allow or block the connections.
49
49
50
-
**Note**: Currently, not all authentication types are supported for all protocols. The supported authentication types per protocol are described in this list:
50
+
Client access rules are like mail flow rules (also known as transport rules) for client connections to your organization. You use conditions and exceptions to identify the connections based on their properties, and actions that allow or block the connections.
51
51
52
-
- ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, and CertificateBasedAuthentication.
53
-
- ExchangeAdminCenter: BasicAuthentication and AdfsAuthentication.
54
-
- IMAP4: BasicAuthentication and OAuthAuthentication.
55
-
- OutlookWebApp: BasicAuthentication and AdfsAuthentication.
56
-
- POP3: BasicAuthentication and OAuthAuthentication.
57
-
- RemotePowerShell: BasicAuthentication and NonBasicAuthentication.
52
+
**Note**: Not all protocols support authentication type filters. Additionally, not all authentication types are supported for each protocol where authentication filters are supported. The supported authentication types per protocol are in the following table. Please use caution when mixing protocol and authentication types in the same rule.
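Review bot: The closing sentence of the new Note, "Please use caution when mixing protocol and authentication types in the same rule", gives the reader nothing to act on, because it does not say what happens when a rule pairs a protocol with an authentication type that protocol does not support. These rules allow or block connections, so state the outcome and the recommended alternative (for example, a separate rule per protocol). The Note also replaces the removed bullets with a pointer to "the following table"; check that the table carries every pair the bullets listed (ExchangeActiveSync, ExchangeAdminCenter, IMAP4, OutlookWebApp, POP3, RemotePowerShell) and names the protocols that do not support authentication type filters at all.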
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://docs.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions).
This example creates a highest priority rule that allows access to remote PowerShell. This rule is an important safeguard to preserve access to your organization. Without this rule, if you create rules that block your access to remote PowerShell, or that block all protocols for everyone, you'll lose the ability to fix the rules yourself (you'll need to call Microsoft Customer Service and Support).
The AnyOfClientIPAddressesOrRanges parameter specifies a condition for the client access rule that's based on the client's IPv4 or IPv6 address. Valid values are:
141
160
142
161
- Single IP address: For example, 192.168.1.1 or 2001:DB8::2AA:FF:C0A8:640A.
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
216
238
217
239
- Destructive cmdlets (for example, Remove-\* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: `-Confirm:$false`.
This parameter is available only in on-premises Exchange.
235
258
236
259
The DomainController parameter specifies the ___domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the ___domain controller by its fully qualified ___domain name (FQDN). For example, dc01.contoso.com.
The Enabled parameter specifies whether the client access rule is enabled or disabled. Valid values for this parameter are $true or $false. The default value is $true.
The ExceptAnyOfClientIPAddressesOrRanges parameter specifies an exception for the client access rule that's based on the client's IPv4 or IPv6 address. Valid values are:
297
325
298
326
- Single IP address: For example, 192.168.1.1 or 2001:DB8::2AA:FF:C0A8:640A.
This parameter is functional only in the cloud-based service.
388
420
389
421
The ExceptUsernameMatchesAnyOfPatterns parameter specifies an exception for the client access rule that's based on the user's account name in the format `<Domain>\<UserName>` (for example, `contoso.com\jeff`). This parameter accepts text and the wildcard character (\*) (for example, `*jeff*`, but not `jeff*`). Non-alphanumeric characters don't require an escape character.
The Priority parameter specifies a priority value for the rule that determines the order of rule processing. A lower integer value indicates a higher priority, the value 0 is the highest priority, and rules can't have the same priority value.
408
441
409
442
Valid values and the default value for this parameter depend on the number of existing rules. For example, if there are 8 existing rules:
This parameter is functional only in the cloud-based service.
467
503
468
504
The UsernameMatchesAnyOfPatterns parameter specifies a condition for the client access rule that's based on the user's account name in the format `<Domain>\<UserName>` (for example, `contoso.com\jeff`). This parameter accepts text and the wildcard character (\*) (for example, `*jeff*`, but not `jeff*`). Non-alphanumeric characters don't require an escape character. This parameter does not work with the -AnyOfProtocols UniversalOutlook parameter.
This parameter is functional only in the cloud-based service.
487
522
488
-
The UserRecipientFilter parameter specifies a condition for the client access rule that uses OPath filter syntax to identify the user. The syntax is `"Property -ComparisonOperator 'Value'"` (for example, `"City -eq 'Redmond'"`).
489
-
490
-
- Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, `$true`, `$false`, or `$null`), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables.
491
-
- Property is a filterable property. For filterable recipient properties, see [Filterable properties for the RecipientFilter parameter on Exchange cmdlets](https://docs.microsoft.com/powershell/exchange/recipientfilter-properties).
492
-
- ComparisonOperator is an OPath comparison operator (for example `-eq` for equals and `-like` for string comparison). For more information about comparison operators, see [about_Comparison_Operators](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comparison_operators).
493
-
- Value is the property value to search for. Enclose text values and variables in single quotation marks (`'Value'` or `'$Variable'`). If a variable value contains single quotation marks, you need to identify (escape) the single quotation marks to expand the variable correctly. For example, instead of `'$User'`, use `'$($User -Replace "'","''")'`. Don't enclose integers or system values (for example, `500`, `$true`, `$false`, or `$null`).
494
-
495
-
You can chain multiple search criteria together using the logical operators `-and` and `-or`. For example, `"Criteria1 -and Criteria2"` or `"(Criteria1 -and Criteria2) -or Criteria3"`.
523
+
This parameter is functional only in the cloud-based service.
496
524
497
-
For detailed information about OPath filters in Exchange, see [Additional OPATH syntax information](https://docs.microsoft.com/powershell/exchange/recipient-filters#additional-opath-syntax-information).
525
+
The UserRecipientFilter parameter specifies a condition for the client access rule that uses OPath filter syntax to identify the user based on a limited set of attributes.
498
526
499
-
The filterable properties that you can use with this parameter are:
527
+
The filterable properties that you can use with this parameter are limited to the list below. Client Access Rules do not support the full list of recipient filters used by other features.
500
528
501
529
- City
502
530
- Company
503
-
- CountryOrRegion
531
+
- CountryOrRegion (ISO 3166-1 alpha-2 code for the country must be used.)
504
532
- CustomAttribute1 to CustomAttribute15
505
533
- Department
506
534
- Office
507
535
- PostalCode
508
536
- StateOrProvince
509
537
- StreetAddress
510
538
539
+
The syntax is `"Property -ComparisonOperator 'Value'"`
540
+
541
+
An example would be `"City -eq 'Redmond'"`
542
+
543
+
Another example would be `"CountryOrRegion -eq 'SG'"`
544
+
545
+
- Property is one of the filterable properties in the list above (for example `City` or `CustomAttribute1`).
546
+
- ComparisonOperator is an OPath comparison operator (for example `-eq` for equals and `-like` for string comparison). For more information about comparison operators, see [about_Comparison_Operators](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comparison_operators).
547
+
- Value is the property value to search for. Enclose text values and variables in single quotation marks (`'Value'` or `'$Variable'`). If a variable value contains single quotation marks, you need to identify (escape) the single quotation marks to expand the variable correctly. For example, instead of `'$User'`, use `'$($User -Replace "'","''")'`. Do not enclose integers or system values (for example, `500`, `$true`, `$false`, or `$null` are all proper uses).
548
+
- Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, `$true`, `$false`, or `$null`), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables.
549
+
550
+
You can chain multiple search criteria together using the logical operators `-and` and `-or`.
551
+
552
+
An example would be, `"CustomAttribute1 -eq 'AllowOWA' -and CountryOrRegion -eq AU'"`
553
+
554
+
Another example would be, `"(CountryOrRegion -eq 'US' -and Department -eq 'Sales') -or Department -eq 'Research'"`.
555
+
556
+
For detailed information about OPath filter syntax in Exchange, see [Additional OPATH syntax information](https://docs.microsoft.com/powershell/exchange/recipient-filters#additional-opath-syntax-information).
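Review bot: The first chained example has an unbalanced quote: in `"CustomAttribute1 -eq 'AllowOWA' -and CountryOrRegion -eq AU'"` the value AU has a closing single quote but no opening one, so a reader who copies it gets a filter that differs from the documented `'Value'` syntax. It should read `CountryOrRegion -eq 'AU'`. In the Value bullet, the parenthetical "(for example, `500`, `$true`, `$false`, or `$null` are all proper uses)" reads awkwardly after "Do not enclose"; the removed wording without "are all proper uses" was clearer. The syntax line and the two single-criterion examples also end without a period, unlike the second chained example.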
The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/p/?LinkID=113216).
542
591
543
592
## INPUTS
544
593
545
-
###
546
594
To see the input types that this cmdlet accepts, see [Cmdlet Input and Output Types](https://go.microsoft.com/fwlink/p/?linkId=616387). If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
547
595
548
596
## OUTPUTS
549
597
550
-
###
551
598
To see the return types, which are also known as output types, that this cmdlet accepts, see [Cmdlet Input and Output Types](https://go.microsoft.com/fwlink/p/?linkId=616387). If the Output Type field is blank, the cmdlet doesn't return data.