
Exchange Online restricts use based on network location

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In some enterprises with higher security requirements, there is often a requirement for Office 365 like the following:

Enterprise administrators want certain employees (for example finance staff and other users who handle sensitive data) to use email only from the company's intranet and not from outside the company network. This also protects the enterprise's data to some extent.

For an on-premises Exchange server this is not hard to achieve, because it can be configured in IIS. So how do you implement it on Exchange Online, where the enterprise administrator cannot access the server at all, let alone configure IIS? In fact there is a way: Exchange Online provides client access rules for users, and if you restrict user access based on network location with such a rule, the affected users cannot send or receive email outside the company network.

First, you need to connect to Exchange Online PowerShell. Execute the following commands, or put them in a .ps1 file and run it as a script; saving the script also makes it convenient to connect remotely at any time in the future.

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://partner.outlook.cn/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

If you are on the international version of Office 365, replace partner.outlook.cn with outlook.office365.com.

Open Windows PowerShell as an administrator, change to the directory where the script is located, and run .\nameofps1.ps1 to connect to Exchange Online. You will be prompted for a user name and password. Note that the account must have at least Exchange Online administrator rights; usually we log in with a global administrator.

After logging in, we can create a new client access rule to control from where these users can reach the Exchange Online service.

A rule must be applied to some set of objects, so how do we single out the affected users from everyone else? The simplest way is to edit the Department attribute of the user, so that only users of that department are limited to using mail on the company's intranet.

First, let's create a test account and set its Department attribute to finance.

Then determine the public IP address the enterprise uses to reach the Internet (its egress IP). I will use the IP of my office as an example.

Let's start creating rules.

New-ClientAccessRule -Name "Block" -Action DenyAccess -AnyOfProtocols ExchangeActiveSync,ExchangeAdminCenter,IMAP4,OfflineAddressBook,OutlookWebApp,POP3,PowerShellWebServices,RemotePowerShell,REST -ExceptAnyOfClientIPAddressesOrRanges 171.214.149.118 -UserRecipientFilter {Department -eq "finance"}

If you also want the Outlook desktop client to be unusable from outside the company network, add OutlookAnywhere to -AnyOfProtocols, and if you want to block EWS as well, add ExchangeWebServices.

If the enterprise has several Internet egress IPs, all of the public egress addresses must be listed, separated by commas (",").

The ExceptAnyOfClientIPAddressesOrRanges parameter specifies an exception to the client access rule based on the client's IP address. Accepted forms are:

A single IP address, such as 192.168.1.1

An IP address range, such as 192.168.0.1-192.168.0.200

A CIDR range, such as 192.168.2.0/24

Check the details of the rule you just created to verify that it is valid. In fact, the output reveals a lot about the Active Directory behind Office 365.

The above command is only supported on Exchange Server 2019 and Exchange Online; unfortunately it is not available on Exchange 2013 or 2016.

Then I test by logging into OWA with the test account from a remote server.

The OWA login is refused.

It can be accessed normally in the office network.

In this way, we achieved our original goal.

The -UserRecipientFilter parameter does not have to use the department; other user attributes are available too:

City (City)

Company (Company)

Country or region of the user (CountryOrRegion)

Custom attributes 1-15 (CustomAttribute1 to CustomAttribute15)

Department (Department)

Office (Office)

Postal code (PostalCode)

State or province (StateOrProvince)

Street address (StreetAddress)

More often, you will prefer to classify users with a custom attribute, because individual users in some departments may still need to use mail from the public network. Let's look at how to configure a custom attribute:

Finally, run Get-Mailbox -Identity test | fl to check the custom attributes.

Users can then be filtered on that custom attribute.

The resulting scenario is that some users can use mail only from the internal network while others can also use it from the external network (only Exchange Server 2019 and Exchange Online are supported; for more information see the New-ClientAccessRule command).

Addendum

Adding external access restrictions for Outlook Anywhere and EWS

Use the following PowerShell command:

Set-ClientAccessRule -Identity "Block" -Action DenyAccess -AnyOfProtocols OutlookAnywhere,ExchangeWebServices,ExchangeActiveSync,ExchangeAdminCenter,IMAP4,OfflineAddressBook,OutlookWebApp,POP3,PowerShellWebServices,RemotePowerShell,REST

Complete the setup


The settings above replace the whole list every time. If you only want to add or remove one or two entries, use the @{Add="..."; Remove="..."} syntax, for example:

Set-ClientAccessRule -Identity "Block" -ExceptAnyOfClientIPAddressesOrRanges @{Add="12.68.1.10"}

Set-ClientAccessRule -Identity "Block" -ExceptAnyOfClientIPAddressesOrRanges @{Remove="171.214.149.118"}
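The whole procedure above (tagging users with a custom attribute, creating the deny rule, then changing the IP exception list incrementally) as one added PowerShell example that is not part of the original post. It adds two things a practitioner wants before rolling the rule out: a higher-priority allow rule so the admin's own remote PowerShell is not caught, and a Test-ClientAccessRule check of the decision from an outside and an inside address. The mailbox name test, the addresses admin@contoso.example and test@contoso.example, and the ranges 203.0.113.0/24 (office) and 198.51.100.7 (home) are placeholders; an Exchange Online PowerShell session is assumed to be open already.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# PowerShell session is already open. Placeholders: mailbox "test",
# admin@contoso.example, office egress range 203.0.113.0/24, home IP 198.51.100.7.

# 1. Tag the mailboxes that must stay on the intranet with a custom attribute,
#    so the rule does not depend on the Department field alone.
Set-Mailbox -Identity test -CustomAttribute1 "IntranetOnly"
Get-Mailbox -Identity test | Format-List DisplayName, Department, CustomAttribute1

# 2. Lockout guard: a higher-priority allow rule keeps the admin's own remote
#    PowerShell reachable from any network (rules are evaluated in Priority order).
New-ClientAccessRule -Name "Allow admin remote PowerShell" -Priority 1 `
    -Action AllowAccess -AnyOfProtocols RemotePowerShell `
    -UsernameMatchesAnyOfPatterns "admin@contoso.example"

# 3. Deny every listed protocol for tagged users unless the client comes from the
#    office. The except list mixes one single IP and one CIDR range, comma separated.
New-ClientAccessRule -Name "Block" -Priority 2 -Action DenyAccess `
    -AnyOfProtocols OutlookWebApp,OutlookAnywhere,ExchangeWebServices,ExchangeActiveSync,IMAP4,POP3,REST,RemotePowerShell `
    -ExceptAnyOfClientIPAddressesOrRanges 171.214.149.118,203.0.113.0/24 `
    -UserRecipientFilter { CustomAttribute1 -eq "IntranetOnly" }

# 4. Check the decision for a given user, protocol and source address before
#    anyone is actually locked out: from home the Block rule should be reported,
#    from an office address no deny rule should apply.
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookWebApp `
    -RemoteAddress 198.51.100.7 -RemotePort 443 -User test@contoso.example
Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookWebApp `
    -RemoteAddress 203.0.113.20 -RemotePort 443 -User test@contoso.example

# 5. Later changes: add or remove a single exception instead of resetting the
#    whole list, then review the complete rule set in priority order.
Set-ClientAccessRule -Identity "Block" -ExceptAnyOfClientIPAddressesOrRanges @{Add="198.51.100.0/24"}
Set-ClientAccessRule -Identity "Block" -ExceptAnyOfClientIPAddressesOrRanges @{Remove="171.214.149.118"}
Get-ClientAccessRule | Sort-Object Priority | Format-Table Name, Priority, Action, Enabled, AnyOfProtocols
```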


I configured Outlook on my machine beforehand and then went home, where my Internet IP is different.

Once the IP changed, Outlook kept trying to connect but could no longer reach Exchange.
