exchange/exchange-ps/exchange/Set-ClientAccessRule.md
Lines changed: 36 additions & 57 deletions
@@ -12,7 +12,6 @@ ms.reviewer:
12
12
# Set-ClientAccessRule
13
13
14
14
## SYNOPSIS
15
-
16
15
This cmdlet is functional only in Exchange Server 2019 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.
17
16
18
17
Use the Set-ClientAccessRule cmdlet to modify existing client access rules. Client access rules help you control access to your organization based on the properties of the connection.
@@ -21,7 +20,7 @@ For information about the parameter sets in the Syntax section below, see [Excha
Client access rules are like mail flow rules (also known as transport rules) for client connections to your organization. You use conditions and exceptions to identify the connections based on their properties, and actions that allow or block the connections.
53
51
54
-
**Note**: Not all protocols support authentication type filters. Additionally, not all authentication types are supported for each protocol where authentication filters are supported. The supported authentication types per protocol are in the following table. Please use caution when mixing protocol and authentication types in the same rule.
**Note**: Not all protocols support authentication type filters, and even protocols that support authentication type filters don't support all authentication types. The supported combinations are described in the following lists. Use caution when mixing protocols and authentication types in the same rule.
53
+
54
+
Protocols that support authentication type filters:
55
+
56
+
- ExchangeActiveSync: BasicAuthentication, OAuthAuthentication, and CertificateBasedAuthentication.
57
+
- ExchangeAdminCenter: BasicAuthentication and AdfsAuthentication.
58
+
- IMAP4: BasicAuthentication and OAuthAuthentication.
59
+
- OutlookWebApp: BasicAuthentication and AdfsAuthentication.
60
+
- POP3: BasicAuthentication and OAuthAuthentication.
61
+
- RemotePowerShell: BasicAuthentication and NonBasicAuthentication.
62
+
63
+
Protcols that don't support authentication type filters:
64
+
65
+
- ExchangeWebServices
66
+
- OfflineAddressBook
67
+
- OutlookAnywhere
68
+
- PowerShellWebServices
69
+
- REST
70
+
- UniversalOutlook
71
71
72
72
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see [Find the permissions required to run any Exchange cmdlet](https://docs.microsoft.com/powershell/exchange/find-exchange-cmdlet-permissions).
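Review bot: the added line "Protcols that don't support authentication type filters:" misspells "Protocols". Separately, the rewritten Note still ends with "Use caution when mixing protocols and authentication types in the same rule" without saying what the rule does when a listed protocol is paired with an authentication type it doesn't support, or when a protocol from the second list is combined with an authentication type condition. Since these rules allow or block connections, a sentence stating the resulting behavior would let an administrator tell whether a mismatched rule ends up broader or narrower than intended.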
@@ -84,7 +83,6 @@ This example adds the IP address range 172.17.17.27/16 to the existing client ac
84
83
## PARAMETERS
85
84
86
85
### -Identity
87
-
88
86
The Identity parameter specifies the client access rule that you want to modify. You can use any value that uniquely identifies the client access rule. For example:
This parameter is functional only in the cloud-based service.
127
123
128
124
The AnyOfAuthenticationTypes parameter specifies a condition for the client access rule that's based on the client's authentication type.
@@ -139,7 +135,7 @@ To enter multiple values and overwrite any existing entries, use the following s
139
135
140
136
To add or remove one or more values without affecting any existing entries, use the following syntax: `@{Add="Value1","Value2"...; Remove="Value3","Value4"...}`.
141
137
142
-
**Note**: Please refer to the table in the beginning of this article to understand what authentication types may be used with what protocols.
138
+
**Note**: Refer to the Description section to see which authentication types can be used with what protocols.
The AnyOfClientIPAddressesOrRanges parameter specifies a condition for the client access rule that's based on the client's IPv4 or IPv6 address. Valid values are:
160
155
161
156
- Single IP address: For example, 192.168.1.1 or 2001:DB8::2AA:FF:C0A8:640A.
The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.
242
234
243
235
- Destructive cmdlets (for example, Remove-\* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: `-Confirm:$false`.
This parameter is available only in on-premises Exchange.
262
253
263
254
The DomainController parameter specifies the ___domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the ___domain controller by its fully qualified ___domain name (FQDN). For example, dc01.contoso.com.
This parameter is functional only in the cloud-based service.
298
287
299
288
The ExceptAnyOfAuthenticationTypes parameter specifies an exception for the client access rule that's based on the client's authentication type.
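Review bot: in the added Note under AnyOfAuthenticationTypes, "which authentication types can be used with what protocols" mixes "which" and "what"; suggest "with which protocols". The identical sentence is added under ExceptAnyOfAuthenticationTypes and needs the same fix. Because the pointer now reads "the Description section" rather than "the table in the beginning of this article", an in-page link to that section would save readers from scrolling back from the parameter they are configuring.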
@@ -310,7 +299,7 @@ To enter multiple values and overwrite any existing entries, use the following s
310
299
311
300
To add or remove one or more values without affecting any existing entries, use the following syntax: `@{Add="Value1","Value2"...; Remove="Value3","Value4"...}`.
312
301
313
-
**Note**: Please refer to the table in the beginning of this article to understand what authentication types may be used with what protocols.
302
+
**Note**: Refer to the Description section to see which authentication types can be used with what protocols.
The ExceptAnyOfClientIPAddressesOrRanges parameter specifies an exception for the client access rule that's based on the client's IPv4 or IPv6 address. Valid values are:
331
319
332
320
- Single IP address: For example, 192.168.1.1 or 2001:DB8::2AA:FF:C0A8:640A.
This parameter is functional only in the cloud-based service.
430
414
431
415
The ExceptUsernameMatchesAnyOfPatterns parameter specifies an exception for the client access rule that's based on the user's account name in the format `<Domain>\<UserName>` (for example, `contoso.com\jeff`). This parameter accepts text and the wildcard character (\*) (for example, `*jeff*`, but not `jeff*`). Non-alphanumeric characters don't require an escape character.
The Priority parameter specifies a priority value for the client access rule. A lower integer value indicates a higher priority, and a higher priority rule is evaluated before a lower priority rule. The default value is 1.
This parameter is functional only in the cloud-based service.
524
503
525
504
The UsernameMatchesAnyOfPatterns parameter specifies a condition for the client access rule that's based on the user's account name in the format `<Domain>\<UserName>` (for example, `contoso.com\jeff`). This parameter accepts text and the wildcard character (\*) (for example, `*jeff*`, but not `jeff*`). Non-alphanumeric characters don't require an escape character.
This parameter is functional only in the cloud-based service.
547
525
548
-
The UserRecipientFilter parameter specifies a condition for the client access rule that uses OPath filter syntax to identify the user based on a limited set of attributes.
526
+
The UserRecipientFilter parameter specifies a condition for the client access rule that uses OPath filter syntax to identify the user based on a limited set of recipient properties. Client Access Rules don't support the full list of available recipient properties.
549
527
550
-
The filterable properties that you can use with this parameter are limited to the list below. Client Access Rules do not support the full list of recipient filters used by other features.
528
+
You can use the following properties with this parameter:
551
529
552
530
- City
553
531
- Company
554
-
- CountryOrRegion (ISO 3166-1 alpha-2 code for the country must be used.)
532
+
- CountryOrRegion (ISO 3166-1 alpha-2 country code.)
555
533
- CustomAttribute1 to CustomAttribute15
556
534
- Department
557
535
- Office
558
536
- PostalCode
559
537
- StateOrProvince
560
538
- StreetAddress
561
539
562
-
The syntax is `"Property -ComparisonOperator 'Value'"`
563
-
564
-
An example would be `"City -eq 'Redmond'"`
565
-
566
-
Another example would be `"CountryOrRegion -eq 'SG'"`
540
+
The basic syntax for this parameter is `"Property -ComparisonOperator 'Value'"`:
567
541
568
542
- Property is one of the filterable properties in the list above (for example `City` or `CustomAttribute1`).
569
543
- ComparisonOperator is an OPath comparison operator (for example `-eq` for equals and `-like` for string comparison). For more information about comparison operators, see [about_Comparison_Operators](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comparison_operators).
570
-
- Value is the property value to search for. Enclose text values and variables in single quotation marks (`'Value'` or `'$Variable'`). If a variable value contains single quotation marks, you need to identify (escape) the single quotation marks to expand the variable correctly. For example, instead of `'$User'`, use `'$($User -Replace "'","''")'`. Do not enclose integers or system values (for example, `500`, `$true`, `$false`, or `$null` are all proper uses).
544
+
- Value is the property value to search for. Enclose text values and variables in single quotation marks (`'Value'` or `'$Variable'`). If a variable value contains single quotation marks, you need to identify (escape) the single quotation marks to expand the variable correctly. For example, instead of `'$User'`, use `'$($User -Replace "'","''")'`. Don't enclose integers or system values in quotation marks (for example, use `500`, `$true`, `$false`, or `$null` instead).
571
545
- Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, `$true`, `$false`, or `$null`), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables.
572
546
573
-
You can chain multiple search criteria together using the logical operators `-and` and `-or`.
547
+
For example:
574
548
575
-
An example would be, `"CustomAttribute1 -eq 'AllowOWA' -and CountryOrRegion -eq AU'"`
549
+
- `"City -eq 'Redmond'"`
550
+
- `"CountryOrRegion -eq 'SG'"`.
576
551
577
-
Another example would be, `"(CountryOrRegion -eq 'US' -and Department -eq 'Sales') -or Department -eq 'Research'"`.
552
+
You can chain multiple search criteria together using the logical operators `-and` and `-or`. For example:
- `"(CountryOrRegion -eq 'US' -and Department -eq 'Sales') -or Department -eq 'Research'"`.
578
556
579
557
For detailed information about OPath filter syntax in Exchange, see [Additional OPATH syntax information](https://docs.microsoft.com/powershell/exchange/recipient-filters#additional-opath-syntax-information).
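Review bot: the example bullets added in the UserRecipientFilter description punctuate inconsistently: `"City -eq 'Redmond'"` has no trailing period, while `"CountryOrRegion -eq 'SG'"`. and the chained `-and`/`-or` example end with one after the closing backtick. These are strings readers copy into a filter, so I would drop the trailing periods on all three to keep the literal boundaries unambiguous. Also worth confirming that a two-condition `-and` example survives the rewrite, since the removed line `"CustomAttribute1 -eq 'AllowOWA' -and CountryOrRegion -eq AU'"` was the only one pairing a custom attribute with a country code (and it was missing the opening quotation mark before AU, so it should be corrected rather than carried over if it is kept).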
The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.
597
574
598
575
```yaml
@@ -614,10 +591,12 @@ This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable
614
591
615
592
## INPUTS
616
593
594
+
###
617
595
To see the input types that this cmdlet accepts, see [Cmdlet Input and Output Types](https://go.microsoft.com/fwlink/p/?linkId=616387). If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
618
596
619
597
## OUTPUTS
620
598
599
+
###
621
600
To see the return types, which are also known as output types, that this cmdlet accepts, see [Cmdlet Input and Output Types](https://go.microsoft.com/fwlink/p/?linkId=616387). If the Output Type field is blank, the cmdlet doesn't return data.
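Review bot: the two added `###` lines under INPUTS and OUTPUTS are level-3 headings with no text, which render as empty headings. If the help tooling requires a heading at that position, say so in the commit message; otherwise give each heading a title or leave the lines out.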