Test-ClientAccessRule

Note

Beginning in October 2022, we've disabled access to client access rules for all existing Exchange Online organizations that weren't using them. In September 2024, support for client access rules will end for all Exchange Online organizations. For more information, see Update: Deprecation of Client Access Rules in Exchange Online.

This cmdlet is functional only in Exchange Server 2019 and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Use the Test-ClientAccessRule cmdlet to test how client access rules affect access to your organization. If any of the client properties you specify for this cmdlet match any client access rules, the rules are returned in the results.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Test-ClientAccessRule
    -AuthenticationType <ClientAccessAuthenticationMethod>
    -Protocol <ClientAccessProtocol>
    -RemoteAddress <IPAddress>
    -RemotePort <Int32>
    -User <MailboxIdParameter>
    [-Confirm]
    [-OAuthClaims <Hashtable>]
    [-WhatIf]
    [<CommonParameters>]

Description

Client access rules are like mail flow rules (also known as transport rules) for client connections to your organization. You use conditions and exceptions to identify the connections based on their properties, and actions that allow or block the connections.

Note: Currently, not all authentication types are supported for all protocols. The supported authentication types per protocol are described in this list:

  • OutlookWebApp:BasicAuthentication and AdfsAuthentication.
  • ExchangeAdminCenter:BasicAuthentication and AdfsAuthentication.
  • RemotePowerShell:BasicAuthentication and NonBasicAuthentication.
  • ExchangeActiveSync:BasicAuthentication, OAuthAuthentication, and CertificateBasedAuthentication.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

Test-ClientAccessRule -AuthenticationType BasicAuthentication -Protocol OutlookWebApp -RemoteAddress 172.17.17.26 -RemotePort 443 -User [email protected]

This example tests client access by using the following client properties:

  • Authentication type: Basic
  • Protocol:OutlookWebApp
  • Remote address: 172.17.17.26
  • Remote port: 443
  • User: [email protected]

Parameters

-AuthenticationType

The AuthenticationType parameter specifies the client authentication type to test.

Valid values for this parameter are:

  • AdfsAuthentication
  • BasicAuthentication
  • CertificateBasedAuthentication
  • NonBasicAuthentication
  • OAuthAuthentication

In client access rules, authentication types are defined by the AnyOfAuthenticationTypes and ExceptAnyOfAuthenticationTypes parameters.

Type:ClientAccessAuthenticationMethod
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-Confirm

The Confirm switch specifies whether to show or hide the confirmation prompt. How this switch affects the cmdlet depends on if the cmdlet requires confirmation before proceeding.

  • Destructive cmdlets (for example, Remove-* cmdlets) have a built-in pause that forces you to acknowledge the command before proceeding. For these cmdlets, you can skip the confirmation prompt by using this exact syntax: -Confirm:$false.
  • Most other cmdlets (for example, New-* and Set-* cmdlets) don't have a built-in pause. For these cmdlets, specifying the Confirm switch without a value introduces a pause that forces you acknowledge the command before proceeding.
Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-OAuthClaims

The OAuthClaims parameter specifies the OAuth claims token of a middle-tier app.

Type:Hashtable
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-Protocol

The Protocol parameter specifies the client protocol to test.

Valid values for this parameter are:

  • ExchangeActiveSync
  • ExchangeAdminCenter
  • ExchangeWebServices
  • IMAP4
  • OfflineAddressBook
  • OutlookAnywhere
  • OutlookWebApp
  • POP3
  • PowerShellWebServices
  • RemotePowerShell
  • REST

In client access rules, protocol types are defined by the AnyOfProtocols and ExceptAnyOfProtocols parameters.

Type:ClientAccessProtocol
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-RemoteAddress

The RemoteAddress parameter specifies the client IP address to test. Valid input for this parameter is an IP address. For example, 192.168.1.50.

In client access rules, IP addresses are defined by the AnyOfClientIPAddressesOrRanges and ExceptAnyOfClientIPAddressesOrRanges parameters.

Type:IPAddress
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-RemotePort

The RemotePort parameter specifies the client TCP port to test. Valid input for this parameter is an integer from 1 to 65535.

Type:Int32
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-User

The User parameter specifies the user account to test.

For the best results, we recommend using the following values:

  • UPN: For example, [email protected] (users only).
  • Domain\SamAccountName: For example, contoso\user.

Otherwise, you can use any value that uniquely identifies the user. For example:

  • Name
  • Alias
  • Distinguished name (DN)
  • Canonical DN
  • Domain\Username
  • Email address
  • GUID
  • LegacyExchangeDN
  • SamAccountName
  • User ID or user principal name (UPN)

In client access rules, users are defined by the UsernameMatchesAnyOfPatterns, UserRecipientFilter, and ExceptUsernameMatchesAnyOfPatterns parameters.

Type:MailboxIdParameter
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection

-WhatIf

The WhatIf switch simulates the actions of the command. You can use this switch to view the changes that would occur without actually applying those changes. You don't need to specify a value with this switch.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online, Exchange Online Protection