You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: exchange/exchange-ps/exchange/New-ClientAccessRule.md
+34-56Lines changed: 34 additions & 56 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,6 @@ ms.reviewer:
12
12
# New-ClientAccessRule
13
13
14
14
## SYNOPSIS
15
-
16
15
This cmdlet is functional only in Exchange Server 2019 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
17
16
18
17
Use the New-ClientAccessRule cmdlet to create client access rules. Client access rules help you control access to your organization based on the properties of the connection.
@@ -21,7 +20,7 @@ For information about the parameter sets in the Syntax section below, see [Excha
Client access rules are like mail flow rules (also known as transport rules) for client connections to your organization. You use conditions and exceptions to identify the connections based on their properties, and actions that allow or block the connections.
51
49
52
-
**Note**: Not all protocols support authentication type filters. Additionally, not all authentication types are supported for each protocol where authentication filters are supported. The supported authentication types per protocol are in the following table. Please use caution when mixing protocol and authentication types in the same rule.
**Note**: Not all protocols support authentication type filters, and even protocols that support authentication type filters don't support all authentication types. The supported combinations are described in the following lists. Use caution when mixing protocols and authentication types in the same rule.
51
+
52
+
Protocols that support authentication type filters:
53
+
54
+
- ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, and CertificateBasedAuthentication.
55
+
- ExchangeAdminCenter: BasicAuthentication and AdfsAuthentication.
56
+
- IMAP4: BasicAuthentication and OAuthAuthentication.
57
+
- OutlookWebApp: BasicAuthentication and AdfsAuthentication.
58
+
- POP3: BasicAuthentication and OAuthAuthentication.
59
+
- RemotePowerShell: BasicAuthentication and NonBasicAuthentication.
60
+
61
+
Protcols that don't support authentication type filters:
62
+
63
+
- ExchangeWebServices
64
+
- OfflineAddressBook
65
+
- OutlookAnywhere
66
+
- PowerShellWebServices
67
+
- REST
68
+
- UniversalOutlook
69
69
70
70
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://docs.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions).
This example creates a highest priority rule that allows access to remote PowerShell. This rule is an important safeguard to preserve access to your organization. Without this rule, if you create rules that block your access to remote PowerShell, or that block all protocols for everyone, you'll lose the ability to fix the rules yourself (you'll need to call Microsoft Customer Service and Support).
The AnyOfClientIPAddressesOrRanges parameter specifies a condition for the client access rule that's based on the client's IPv4 or IPv6 address. Valid values are:
160
154
161
155
- Single IP address: For example, 192.168.1.1 or 2001:DB8::2AA:FF:C0A8:640A.
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
238
229
239
230
- Destructive cmdlets (for example, Remove-\* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: `-Confirm:$false`.
This parameter is available only in on-premises Exchange.
258
248
259
249
The DomainController parameter specifies the ___domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the ___domain controller by its fully qualified ___domain name (FQDN). For example, dc01.contoso.com.
The Enabled parameter specifies whether the client access rule is enabled or disabled. Valid values for this parameter are $true or $false. The default value is $true.
The ExceptAnyOfClientIPAddressesOrRanges parameter specifies an exception for the client access rule that's based on the client's IPv4 or IPv6 address. Valid values are:
325
312
326
313
- Single IP address: For example, 192.168.1.1 or 2001:DB8::2AA:FF:C0A8:640A.
This parameter is functional only in the cloud-based service.
420
403
421
404
The ExceptUsernameMatchesAnyOfPatterns parameter specifies an exception for the client access rule that's based on the user's account name in the format `<Domain>\<UserName>` (for example, `contoso.com\jeff`). This parameter accepts text and the wildcard character (\*) (for example, `*jeff*`, but not `jeff*`). Non-alphanumeric characters don't require an escape character.
The Priority parameter specifies a priority value for the rule that determines the order of rule processing. A lower integer value indicates a higher priority, the value 0 is the highest priority, and rules can't have the same priority value.
441
423
442
424
Valid values and the default value for this parameter depend on the number of existing rules. For example, if there are 8 existing rules:
This parameter is functional only in the cloud-based service.
503
482
504
483
The UsernameMatchesAnyOfPatterns parameter specifies a condition for the client access rule that's based on the user's account name in the format `<Domain>\<UserName>` (for example, `contoso.com\jeff`). This parameter accepts text and the wildcard character (\*) (for example, `*jeff*`, but not `jeff*`). Non-alphanumeric characters don't require an escape character. This parameter does not work with the -AnyOfProtocols UniversalOutlook parameter.
This parameter is functional only in the cloud-based service.
524
502
525
-
The UserRecipientFilter parameter specifies a condition for the client access rule that uses OPath filter syntax to identify the user based on a limited set of attributes.
503
+
The UserRecipientFilter parameter specifies a condition for the client access rule that uses OPath filter syntax to identify the user based on a limited set of recipient properties. Client Access Rules don't support the full list of available recipient properties.
526
504
527
-
The filterable properties that you can use with this parameter are limited to the list below. Client Access Rules do not support the full list of recipient filters used by other features.
505
+
You can use the following properties with this parameter:
528
506
529
507
- City
530
508
- Company
531
-
- CountryOrRegion (ISO 3166-1 alpha-2 code for the country must be used.)
509
+
- CountryOrRegion (ISO 3166-1 alpha-2 country code.)
532
510
- CustomAttribute1 to CustomAttribute15
533
511
- Department
534
512
- Office
535
513
- PostalCode
536
514
- StateOrProvince
537
515
- StreetAddress
538
516
539
-
The syntax is `"Property -ComparisonOperator 'Value'"`
540
-
541
-
An example would be `"City -eq 'Redmond'"`
542
-
543
-
Another example would be `"CountryOrRegion -eq 'SG'"`
517
+
The basic syntax for this parameter is `"Property -ComparisonOperator 'Value'"`:
544
518
545
519
- Property is one of the filterable properties in the list above (for example `City` or `CustomAttribute1`).
546
520
- ComparisonOperator is an OPath comparison operator (for example `-eq` for equals and `-like` for string comparison). For more information about comparison operators, see [about_Comparison_Operators](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comparison_operators).
547
-
- Value is the property value to search for. Enclose text values and variables in single quotation marks (`'Value'` or `'$Variable'`). If a variable value contains single quotation marks, you need to identify (escape) the single quotation marks to expand the variable correctly. For example, instead of `'$User'`, use `'$($User -Replace "'","''")'`. Do not enclose integers or system values (for example, `500`, `$true`, `$false`, or `$null` are all proper uses).
521
+
- Value is the property value to search for. Enclose text values and variables in single quotation marks (`'Value'` or `'$Variable'`). If a variable value contains single quotation marks, you need to identify (escape) the single quotation marks to expand the variable correctly. For example, instead of `'$User'`, use `'$($User -Replace "'","''")'`. Don't enclose integers or system values in quotation marks (for example, use `500`, `$true`, `$false`, or `$null` instead).
548
522
- Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, `$true`, `$false`, or `$null`), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables.
549
523
550
-
You can chain multiple search criteria together using the logical operators `-and` and `-or`.
524
+
For example:
525
+
526
+
- `"City -eq 'Redmond'"`
527
+
- `"CountryOrRegion -eq 'SG'"`.
551
528
552
-
An example would be, `"CustomAttribute1 -eq 'AllowOWA' -and CountryOrRegion -eq AU'"`
529
+
You can chain multiple search criteria together using the logical operators `-and` and `-or`. For example:
553
530
554
-
Another example would be, `"(CountryOrRegion -eq 'US' -and Department -eq 'Sales') -or Department -eq 'Research'"`.
- `"(CountryOrRegion -eq 'US' -and Department -eq 'Sales') -or Department -eq 'Research'"`.
555
533
556
534
For detailed information about OPath filter syntax in Exchange, see [Additional OPATH syntax information](https://docs.microsoft.com/powershell/exchange/recipient-filters#additional-opath-syntax-information).
The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](https://go.microsoft.com/fwlink/p/?LinkID=113216).
591
567
592
568
## INPUTS
593
569
570
+
###
594
571
To see the input types that this cmdlet accepts, see [Cmdlet Input and Output Types](https://go.microsoft.com/fwlink/p/?linkId=616387). If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
595
572
596
573
## OUTPUTS
597
574
575
+
###
598
576
To see the return types, which are also known as output types, that this cmdlet accepts, see [Cmdlet Input and Output Types](https://go.microsoft.com/fwlink/p/?linkId=616387). If the Output Type field is blank, the cmdlet doesn't return data.
0 commit comments