How to block external access to the Exchange Admin Center
Thanks to: http://www.expta.com/

When I was at Microsoft Ignite last week, several customers asked me how to block external access to the Exchange Admin Center. These customers have already completed all their mailbox migrations to Exchange Online and understand they'll need to keep that last Exchange server on-prem as a management server to manage mailboxes, groups, contacts, etc. But now that everyone in their organization has been migrated to Exchange Online, there's no need to allow external access to the hybrid servers for OWA or ECP.

There are several ways to do this:

- Remove the OWA/ECP namespace from external DNS so external clients can't resolve the FQDN
- Disable external EAC access on all ECP virtual directories using the following cmdlet (thanks to @markes20754 for reminding me):

    Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false

Note that the command above will disable EAC on all Exchange servers, both internally and externally.
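To apply the cmdlet above with a before/after check and to verify the DNS option, the following script is an added example and not part of the original post. It assumes it is run in the Exchange Management Shell; the namespace `mail.example.com` and the resolver `1.1.1.1` are placeholders to replace with your own values.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
# Assumptions: both values below are placeholders.
$Namespace      = 'mail.example.com'   # your external OWA/ECP FQDN
$PublicResolver = '1.1.1.1'            # any DNS resolver outside your network

# 1. Record the current state of every ECP virtual directory before changing it.
Get-EcpVirtualDirectory |
    Select-Object Server, Name, AdminEnabled, InternalUrl, ExternalUrl |
    Format-Table -AutoSize

# 2. Preview the change with -WhatIf, then apply it.
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false -WhatIf
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdminEnabled $false

# 3. Confirm that no virtual directory still has EAC enabled.
$stillEnabled = Get-EcpVirtualDirectory | Where-Object { $_.AdminEnabled }
if ($stillEnabled) {
    $names = ($stillEnabled | ForEach-Object { $_.Identity }) -join ', '
    Write-Warning "EAC is still enabled on: $names"
} else {
    Write-Output 'EAC is disabled on all ECP virtual directories.'
}

# 4. Confirm the namespace no longer resolves through a public resolver.
try {
    $answer = Resolve-DnsName -Name $Namespace -Server $PublicResolver -DnsOnly -ErrorAction Stop
    $ips = ($answer | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', '
    Write-Warning "$Namespace still resolves externally: $ips"
} catch {
    Write-Output "$Namespace does not resolve via $PublicResolver."
}
```

Step 4 only tests name resolution; a client that already knows the server's IP address is not affected by removing the DNS record.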