Difference between revisions of "Office365 Exchange Online Restrict Access"

From Michael's Information Zone

Latest revision as of 16:46, 3 December 2019

Purpose

To restrict access to email to specific applications, locations, and users.

Restrict OWA access based on client IP

Placeholder to better organize content; the OWA and OWA_Exceptions rules listed below are the current state of this.

Access to Exchange Online

Log into Exchange Online. This is the legacy remote PowerShell session with Basic authentication; Microsoft has since retired Basic authentication for Exchange Online PowerShell, so on a current tenant use the Exchange Online PowerShell module's Connect-ExchangeOnline instead, which uses modern authentication and supports MFA. The cmdlets below are the same either way.

# Legacy remote PowerShell session (Basic auth over HTTPS; retired by Microsoft, kept for the record)
$livecred = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $livecred -Authentication Basic -AllowRedirection
Import-PSSession $session

Working with rules

  • According to Microsoft, you should create a priority 1 rule that allows remote PowerShell before anything else, so that a later deny rule cannot lock you out of the tenant. A relatively fresh Office 365 tenant has no rules at all; running Get-ClientAccessRule returns nothing[1]. Rules are evaluated in priority order and the first match wins, so create the allow rule first:
New-ClientAccessRule -Name AllowRemotePS -Action Allow -AnyOfProtocols RemotePowerShell -Priority 1

Now check existing rules


PS C:\Users\michael.mast> Get-ClientAccessRule

Name            Priority Enabled DatacenterAdminsOnly
----            -------- ------- --------------------
AllowRemotePS   1        True    False
OWA_Exceptions  2        True    False
TEST_OWA        3        False   False
OWA             4        True    False
activesync_test 5        True    False

The default table view shows only name, priority and enabled state. To see the actual conditions of a rule (action, protocols, IP ranges, user patterns), pipe the object to Format-List.

PS C:\Users\michael.mast> Get-ClientAccessRule -Identity activesync_test | Format-List


RunspaceId                           : ff060c35-8e77-49a4-b971-072bb94b1de4
Priority                             : 5
Enabled                              : True
DatacenterAdminsOnly                 : False
Action                               : DenyAccess
AnyOfClientIPAddressesOrRanges       : {}
ExceptAnyOfClientIPAddressesOrRanges : {xxx.xxx.xxx.xxx/24}
AnyOfSourceTcpPortNumbers            : {}
ExceptAnyOfSourceTcpPortNumbers      : {}
UsernameMatchesAnyOfPatterns         : {*michael.mast}
ExceptUsernameMatchesAnyOfPatterns   : {}
UserIsMemberOf                       : {}
ExceptUserIsMemberOf                 : {}
AnyOfAuthenticationTypes             : {}
ExceptAnyOfAuthenticationTypes       : {}
AnyOfProtocols                       : {ExchangeActiveSync}
ExceptAnyOfProtocols                 : {}
UserRecipientFilter                  :
Scope                                : All
AdminDisplayName                     :
ExchangeVersion                      : 0.20 (15.0.0.0)
Name                                 : activesync_test
DistinguishedName                    : CN=activesync_test,CN=Client Access Rules,CN=Configuration,CN=xxx.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR20A005,DC=PROD,DC=OUTLOOK,DC=COM
Identity                             : activesync_test
ObjectCategory                       : NAMPR20A005.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Client-Access-Rule
ObjectClass                          : {top, msExchClientAccessRule}
WhenChanged                          : 4/30/2018 1:53:19 PM
WhenCreated                          : 4/30/2018 1:00:11 PM
WhenChangedUTC                       : 4/30/2018 5:53:19 PM
WhenCreatedUTC                       : 4/30/2018 5:00:11 PM
Id                                   : activesync_test
Guid                                 : xxx
OriginatingServer                    : MWHPR20A005DC08.NAMPR20A005.PROD.OUTLOOK.COM
IsValid                              : True
ObjectState                          : Changed

At this point I want to create a rule that exempts a few "special" users from the ActiveSync lockout. Giving it priority 5 inserts it above the existing deny rule, which is pushed down to priority 6, so the exception is evaluated first. Note that a pattern such as *user1 matches any account name ending in user1, so choose patterns that cannot match an unintended account.


PS C:\Users\michael.mast> New-ClientAccessRule -name "ActiveSyncExceptions" -Action Allow -AnyOfProtocols exchangeactivesync -Priority 5 -UsernameMatchesAnyOfPatterns *user1,*user2

Confirm
Are you sure you want to perform this action?
Creating Client Access Rule ActiveSyncExceptions - Modifying rules incorrectly may result in blocking access to your tenant for both administrators and users. Please ensure that your ruleset always allows some access to PowerShell so that you
 can administer the tenant and modify Client Access Rules.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
WARNING: Please note: your first rule may take up to 24 hours to be implemented. Any rule after the first one may take up to an hour to be implemented.

Name                 Priority Enabled DatacenterAdminsOnly
----                 -------- ------- --------------------
ActiveSyncExceptions 5        True    False


PS C:\Users\michael.mast> Get-ClientAccessRule

Name                 Priority Enabled DatacenterAdminsOnly
----                 -------- ------- --------------------
AllowRemotePS        1        True    False
OWA_Exceptions       2        True    False
TEST_OWA             3        False   False
OWA                  4        True    False
ActiveSyncExceptions 5        True    False
activesync_test      6        True    False

If we want to add more users to the list, we have to include the users already in the list: -UsernameMatchesAnyOfPatterns on Set-ClientAccessRule replaces the whole list rather than appending, so any user left out is silently removed from the exception.

PS C:\Users\michael.mast> Set-ClientAccessRule -Identity "ActiveSyncExceptions" -UsernameMatchesAnyOfPatterns *user1,*user2,*user3,*user4,*user5,*user6,*user7

Confirm
Are you sure you want to perform this action?
Confirm to change Client Access Rule ActiveSyncExceptions - Modifying rules incorrectly may result in blocking access
to your tenant for both administrators and users. Please ensure that your ruleset always allows some access to
PowerShell so that you can administer the tenant and modify Client Access Rules.
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
PS C:\Users\michael.mast> Get-ClientAccessRule -Identity "ActiveSyncExceptions" | format-list


RunspaceId                           : ff060c35-8e77-49a4-b971-072bb94b1de4
Priority                             : 5
Enabled                              : True
DatacenterAdminsOnly                 : False
Action                               : AllowAccess
AnyOfClientIPAddressesOrRanges       : {}
ExceptAnyOfClientIPAddressesOrRanges : {}
AnyOfSourceTcpPortNumbers            : {}
ExceptAnyOfSourceTcpPortNumbers      : {}
UsernameMatchesAnyOfPatterns         : {*user1, *user2, *user3, *user4...}
ExceptUsernameMatchesAnyOfPatterns   : {}
UserIsMemberOf                       : {}
ExceptUserIsMemberOf                 : {}
AnyOfAuthenticationTypes             : {}
ExceptAnyOfAuthenticationTypes       : {}
AnyOfProtocols                       : {ExchangeActiveSync}
ExceptAnyOfProtocols                 : {}
UserRecipientFilter                  :
Scope                                : All
AdminDisplayName                     :
ExchangeVersion                      : 0.20 (15.0.0.0)
Name                                 : ActiveSyncExceptions
DistinguishedName                    : CN=ActiveSyncExceptions,CN=Client Access Rules,CN=Configuration,CN=xxx.onmicrosoft.com,CN=ConfigurationUnits,DC=NAMPR20A005,DC=PROD,DC=OUTLOOK,
                                       DC=COM
Identity                             : ActiveSyncExceptions
ObjectCategory                       : NAMPR20A005.PROD.OUTLOOK.COM/Configuration/Schema/ms-Exch-Client-Access-Rule
ObjectClass                          : {top, msExchClientAccessRule}
WhenChanged                          : 9/28/2018 12:09:57 PM
WhenCreated                          : 9/28/2018 12:00:30 PM
WhenChangedUTC                       : 9/28/2018 4:09:57 PM
WhenCreatedUTC                       : 9/28/2018 4:00:30 PM
Id                                   : ActiveSyncExceptions
Guid                                 : xxx
OriginatingServer                    : MWHPR20A005DC08.NAMPR20A005.PROD.OUTLOOK.COM
IsValid                              : True
ObjectState                          : Changed
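Because the parameter replaces the whole list, a safer way to grow the exception is to read the current patterns, merge in the new ones, write the merged set back, and then verify nothing was dropped. The following is an added example, not code from the original page; it assumes an already connected Exchange Online PowerShell session, and the rule name and user patterns in the usage line are illustrative.

```powershell
# Added example (not from the original page): append users to an existing
# Client Access Rule exception list without dropping the users already in it.
# Assumes an Exchange Online PowerShell session is already connected.

function Add-ClientAccessRuleUsers {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Patterns
    )

    $rule = Get-ClientAccessRule -Identity $Identity -ErrorAction Stop

    # Refuse to touch a deny rule: adding a pattern to a DenyAccess rule
    # widens the lockout instead of the exception.
    if ($rule.Action -ne 'AllowAccess') {
        throw "Rule '$Identity' has Action=$($rule.Action); expected AllowAccess."
    }

    # A bare '*' would exempt every user from the deny rule below it.
    foreach ($p in $Patterns) {
        if ($p -eq '*') { throw "Pattern '*' would exempt every user." }
    }

    # Merge existing patterns with the new ones; exact duplicates removed.
    $existing = @($rule.UsernameMatchesAnyOfPatterns)
    $merged   = @(($existing + $Patterns) | Select-Object -Unique)

    Write-Host "Before: $($existing -join ', ')"
    Write-Host "After : $($merged -join ', ')"

    # The parameter replaces the whole list, so pass the merged set.
    Set-ClientAccessRule -Identity $Identity -UsernameMatchesAnyOfPatterns $merged -Confirm:$false

    # Read back and verify that no previously exempted user was lost.
    $after = @((Get-ClientAccessRule -Identity $Identity).UsernameMatchesAnyOfPatterns)
    $lost  = $existing | Where-Object { $_ -notin $after }
    if ($lost) { throw "Users dropped from ${Identity}: $($lost -join ', ')" }
    return $after
}

# Usage (illustrative rule name and patterns):
# Add-ClientAccessRuleUsers -Identity 'ActiveSyncExceptions' -Patterns '*user8', '*user9'
```

Exchange multi-valued parameters also accept the @{Add="..."; Remove="..."} hash-table form, but the read-merge-verify approach above leaves an audit trail of what the list looked like before and after the change, which matters when the list is the only thing standing between an executive and a lockout.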

Restrict MAPI

This was needed to prevent users from accessing MAPI remotely with Outlook installed on personal devices. In Client Access Rules the OutlookAnywhere protocol value covers desktop Outlook's RPC-over-HTTP and MAPI-over-HTTP connections.

  • I like to run three separate rules. If I leave the default allow for the datacenter subnet alone, I can get the other two wrong without worrying that an executive cannot get their email. All three are created disabled (-Enabled $false) so they can be reviewed and then enabled in order: the default allow first, the exceptions second, and the deny last.
New-ClientAccessRule -Name OutlookAnywhere-Default -Action Allow -AnyOfProtocols OutlookAnywhere -AnyOfClientIPAddressesOrRanges xxx.xxx.xxx.xxx/xx -Priority 10 -Enabled $false
New-ClientAccessRule -Name OutlookAnywhere-Exceptions -Action Allow -AnyOfProtocols OutlookAnywhere -UsernameMatchesAnyOfPatterns *michael.mast* -Priority 11 -Enabled $false
New-ClientAccessRule -Name OutlookAnywhere-Deny -Action DenyAccess -AnyOfProtocols OutlookAnywhere -Priority 12 -Enabled $false
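The following is an added example, not code from the original page, showing how I would stage the three rules above: confirm the priority 1 RemotePowerShell allow from the "Working with rules" section still sits above every deny rule, create the three rules disabled, enable them allow-before-deny, and then use Test-ClientAccessRule to see which rule a given user and source address would hit without any client actually connecting. It assumes a connected Exchange Online PowerShell session; the subnet, addresses and user names are placeholders.

```powershell
# Added example (not from the original page): stage the three Outlook Anywhere
# rules disabled, enable them allow-before-deny, and dry-run the result.
# Assumes a connected Exchange Online PowerShell session.

$DatacenterSubnet = '203.0.113.0/24'            # assumption: replace with the real datacenter subnet
$DatacenterIP     = '203.0.113.10'              # assumption: an address inside that subnet
$OutsideIP        = '198.51.100.7'              # assumption: an address outside it
$Admin            = 'michael.mast@example.com'  # assumption
$OrdinaryUser     = 'user1@example.com'         # assumption

function Assert-RemotePowerShellAllowed {
    # Never add a deny rule unless an enabled Allow for RemotePowerShell
    # has a lower priority number than the first DenyAccess rule.
    $rules     = Get-ClientAccessRule | Sort-Object Priority
    $firstDeny = ($rules | Where-Object Action -eq 'DenyAccess' | Select-Object -First 1).Priority
    $psAllow   = $rules | Where-Object {
        $_.Enabled -and $_.Action -eq 'AllowAccess' -and
        $_.AnyOfProtocols -contains 'RemotePowerShell' -and
        (-not $firstDeny -or $_.Priority -lt $firstDeny)
    }
    if (-not $psAllow) {
        throw 'No enabled RemotePowerShell allow rule above the first deny rule; fix that before continuing.'
    }
}

function Test-OutlookAnywhereAccess {
    param([string]$User, [string]$RemoteAddress)
    # Reports the rule that would match and its action for a hypothetical connection.
    Test-ClientAccessRule -User $User -AuthenticationType BasicAuthentication `
        -Protocol OutlookAnywhere -RemoteAddress $RemoteAddress -RemotePort 443
}

Assert-RemotePowerShellAllowed

# Create all three disabled; nothing changes for users yet.
New-ClientAccessRule -Name OutlookAnywhere-Default -Action Allow -AnyOfProtocols OutlookAnywhere `
    -AnyOfClientIPAddressesOrRanges $DatacenterSubnet -Priority 10 -Enabled $false -Confirm:$false
New-ClientAccessRule -Name OutlookAnywhere-Exceptions -Action Allow -AnyOfProtocols OutlookAnywhere `
    -UsernameMatchesAnyOfPatterns '*michael.mast*' -Priority 11 -Enabled $false -Confirm:$false
New-ClientAccessRule -Name OutlookAnywhere-Deny -Action DenyAccess -AnyOfProtocols OutlookAnywhere `
    -Priority 12 -Enabled $false -Confirm:$false

# Enable the allow rules first and the deny last, so there is never a
# moment where the deny is live without its exceptions.
foreach ($name in 'OutlookAnywhere-Default', 'OutlookAnywhere-Exceptions', 'OutlookAnywhere-Deny') {
    Set-ClientAccessRule -Identity $name -Enabled $true -Confirm:$false
    Write-Host "Enabled $name"
}

# Dry-run the three cases the rule set is meant to distinguish:
#   ordinary user from the datacenter  -> should hit OutlookAnywhere-Default (Allow)
#   admin from outside                 -> should hit OutlookAnywhere-Exceptions (Allow)
#   ordinary user from outside         -> should hit OutlookAnywhere-Deny (Deny)
Test-OutlookAnywhereAccess -User $OrdinaryUser -RemoteAddress $DatacenterIP
Test-OutlookAnywhereAccess -User $Admin        -RemoteAddress $OutsideIP
Test-OutlookAnywhereAccess -User $OrdinaryUser -RemoteAddress $OutsideIP
```

The page notes that a rule can take up to an hour (the first one up to 24 hours) to be enforced, so a real Outlook client may keep working for a while after the deny rule is enabled; Test-ClientAccessRule evaluates the stored rule set, which is why it is the check to run before leaving the session.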

Notes

  • Want to use email containerization for devices outside the LAN. Internal users can access from terminal servers or virtual desktops.
  • Client access rules can be used to restrict access to just the datacenter using IP whitelisting.[2][3] Microsoft has since announced the retirement of Client Access Rules in Exchange Online in favor of Conditional Access, so check their current status before building on them.
  • Conditional access could be used, but appears not to support all email clients.[4][5]
  • ActiveSync device access rules might be ideal if you can restrict based on application family. For example, Sophos Secure Email containers show up with a device name starting with "SecurePIM". If you only allow devices in this family, and no other mail client reports the same family, then you have restricted access.[6][7] Keep in mind that the device type and model strings are reported by the client, so this is a policy control against ordinary mail clients rather than a defense against a client that deliberately impersonates the container.
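The device-family approach, as an added example rather than code from the original page: discover the exact model strings the container reports on devices that have already synced, create one Allow rule per string, and move the organization default from Allow to Quarantine so anything unrecognized is held and reported instead of silently admitted. It assumes a connected Exchange Online PowerShell session; "SecurePIM" is the prefix the page reports, and the admin mailbox is a placeholder.

```powershell
# Added example (not from the original page): allow ActiveSync only for the
# managed container app via ActiveSync device access rules. Device access
# rules match one characteristic exactly (no wildcards), so the values are
# read from devices that already synced rather than guessed.
# Assumes a connected Exchange Online PowerShell session.

$AdminMailbox = 'admin@example.com'   # assumption: recipient of quarantine notifications

# 1. Discover the exact DeviceModel strings the container reports.
$models = Get-MobileDevice |
    Where-Object { $_.DeviceModel -like 'SecurePIM*' } |
    Select-Object -ExpandProperty DeviceModel -Unique
if (-not $models) { throw 'No SecurePIM devices have synced yet; enroll one first so the real strings can be captured.' }
Write-Host "Container models seen: $($models -join ', ')"

# 2. One Allow rule per distinct model string, skipping ones that already exist.
$existingRules = Get-ActiveSyncDeviceAccessRule
foreach ($m in $models) {
    $have = $existingRules | Where-Object { $_.Characteristic -eq 'DeviceModel' -and $_.QueryString -eq $m }
    if (-not $have) {
        New-ActiveSyncDeviceAccessRule -QueryString $m -Characteristic DeviceModel -AccessLevel Allow
        Write-Host "Allow rule created for DeviceModel '$m'"
    }
}

# 3. Anything no rule matches is quarantined (admin notified) rather than
#    silently blocked; switch to Block once the rule set has proven itself.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients $AdminMailbox

# 4. Per-mailbox device allow lists outrank organization rules, so list any
#    user who already has one; those devices bypass the rules above.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncAllowedDeviceIDs } |
    Select-Object Identity, ActiveSyncAllowedDeviceIDs
```

Step 4 is the part that is easy to forget: a device ID allowed directly on a mailbox is evaluated before any organization rule, so a leftover per-user exemption quietly punches through the family restriction.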



There are two methods to follow

  1. A restrictive technical control model
  2. A less restrictive policy based model

In the first model we restrict access to Exchange Online to the datacenter and run a proxy. In the less restrictive model we tell users they may not use any client except the approved app, then monitor for violations using auditing[8][9]; if a violation occurs, the business can handle disciplinary measures.
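For the policy-based model, the monitoring half can be automated from the unified audit log: pull MailboxLogin records, read the client string and source address out of each record's AuditData JSON, and report logins that came neither from the approved app nor from the datacenter. The following is an added example, not code from the original page. The approved-client pattern, subnet prefix and the three sample records are constructed for illustration; a real run replaces the sample with Search-UnifiedAuditLog output and needs mailbox auditing enabled (reference [9]).

```powershell
# Added example (not from the original page): flag mailbox logins from clients
# other than the approved container app, using unified audit log records.
# Sample records below are constructed; real data comes from
# Search-UnifiedAuditLog in a connected Exchange Online session.

function Get-UnapprovedMailboxLogins {
    param(
        [Parameter(Mandatory)] [object[]] $Records,          # objects with an AuditData JSON string
        [Parameter(Mandatory)] [string[]] $ApprovedPatterns, # regexes matched against ClientInfoString
        [string[]] $ApprovedPrefixes = @()                   # dotted IP prefixes treated as "inside", e.g. '203.0.113.'
    )
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'MailboxLogin') { continue }

        $client = [string]$d.ClientInfoString
        $ip     = [string]$d.ClientIPAddress

        $isApprovedClient = $ApprovedPatterns | Where-Object { $client -match $_ }
        $isInside         = $ApprovedPrefixes | Where-Object { $ip.StartsWith($_) }

        if (-not $isApprovedClient -and -not $isInside) {
            [pscustomobject]@{
                When   = $d.CreationTime
                User   = $d.UserId
                Client = $client
                IP     = $ip
            }
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns
# (only the fields this function reads are included). Addresses are from
# documentation ranges; user names are placeholders.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-12-03T14:02:11","Operation":"MailboxLogin","UserId":"user1@example.com","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=ActiveSync;UserAgent=SecurePIM-iOS/4.8;Action=Sync"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-12-03T14:05:40","Operation":"MailboxLogin","UserId":"user2@example.com","ClientIPAddress":"198.51.100.9","ClientInfoString":"Client=MSExchangeRPC"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-12-03T14:07:02","Operation":"MailboxLogin","UserId":"user3@example.com","ClientIPAddress":"203.0.113.21","ClientInfoString":"Client=OWA;Action=ViaProxy"}' }
)

# Approved: the container app from anywhere; anything at all from the datacenter prefix.
Get-UnapprovedMailboxLogins -Records $sample `
    -ApprovedPatterns '^Client=ActiveSync;.*SecurePIM' `
    -ApprovedPrefixes '203.0.113.' | Format-Table -AutoSize

# Real run (last 7 days; ResultSize caps at 5000 per call, page for more):
# $recs = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations MailboxLogin -ResultSize 5000
# Get-UnapprovedMailboxLogins -Records $recs -ApprovedPatterns '^Client=ActiveSync;.*SecurePIM' -ApprovedPrefixes '203.0.113.'
```

In the constructed sample, user1 is the container app and user3 is inside the datacenter, so the only record the function is built to surface is user2's Outlook (MSExchangeRPC) login from outside, which is exactly the personal-device case the MAPI section is trying to prevent. The prefix match is deliberately simple; treat it as a starting point and replace it with a proper CIDR check if the datacenter range is not a clean /24.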

It may be possible to restrict access for MAPI clients using Client Access Rules, then restrict ActiveSync connections using ActiveSync device access rules that specify the device family.

References

  [1] https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/get-clientaccessrule?view=exchange-ps
  [4] https://core.co.uk/blog/restricting-access-office-365/
  [5] https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-mam
  [6] https://blogs.technet.microsoft.com/exchange/2010/11/15/controlling-exchange-activesync-device-access-using-the-allowblockquarantine-list/
  [7] https://social.technet.microsoft.com/Forums/msonline/en-US/6559babe-7d09-4f91-a2d7-fc0b58d3cb4f/office-365-device-access-rules?forum=onlineservicesexchange
  [8] https://blogs.technet.microsoft.com/exovoice/2017/03/14/how-to-see-the-ip-addresses-from-where-your-office-365-users-are-accessing-owa/
  [9] https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918