Turn off access to the Exchange admin center

Turn off access to the Exchange Admin Center (or ECP)

Applies to: Exchange Server 2013

For security purposes, some organizations may want to restrict access to the Exchange admin center (EAC) for users coming from the Internet. This procedure shows you how to turn off access to the EAC. This procedure doesn’t prevent users from accessing the Options in Outlook Web App.

This procedure disables EAC administrator access entirely on the CAS server where the steps are applied. The procedure applies only to on-premises deployments of Exchange Server 2013. If you want to enable EAC administrator access for internal users, you should install a separate CAS server and configure it to only handle internal requests using the following command:

Set-ECPVirtualDirectory -Identity "InternalCAS\ecp (default web site)" -AdminEnabled $True

This example turns off access to the EAC on server CAS01.

Set-ECPVirtualDirectory -Identity "CAS01\ecp (default web site)" -AdminEnabled $false

To verify that you have successfully turned off access to the EAC, do the following:

  1. Using your Internet browser, type your organization’s internal or external URL for accessing Outlook Web App but replace the /owa identifier with /ecp. For example, if your external URL for accessing Outlook Web App is https://primary.tailspintoys.com/owa, use https://primary.tailspintoys.com/ecp.
  2. If access is turned off, you’ll receive a 404 – website not found error.
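
The browser check covers one URL at a time. The following added example (not part of the original page) audits the AdminEnabled setting on every ECP virtual directory from the Exchange Management Shell and flags any server that still allows EAC administration without being on the internal-only list. The function name Get-EacExposureReport and the $InternalOnlyCas list are assumptions for illustration; 'InternalCAS' is the sample server name used above.

```powershell
# Added example, not from the original page. Run in the Exchange Management Shell.
# Assumption: $InternalOnlyCas lists the CAS servers that only handle internal
# requests and are therefore allowed to keep EAC administration enabled.
$InternalOnlyCas = @('InternalCAS')

function Get-EacExposureReport {            # hypothetical helper name
    param([string[]]$AllowedServers = @())

    # One object per ECP virtual directory in the organization.
    Get-EcpVirtualDirectory | ForEach-Object {
        $server = "$($_.Server)"            # normalize the server reference to a string

        if (-not $_.AdminEnabled) {
            $finding = 'OK: EAC admin access off'
        } elseif ($AllowedServers -contains $server) {
            $finding = 'OK: internal-only CAS, EAC on by design'
        } else {
            $finding = 'REVIEW: EAC admin access on'
        }

        [pscustomobject]@{
            Server       = $server
            Identity     = "$($_.Identity)"
            AdminEnabled = $_.AdminEnabled
            ExternalUrl  = "$($_.ExternalUrl)"
            Finding      = $finding
        }
    }
}

$report = Get-EacExposureReport -AllowedServers $InternalOnlyCas
$report | Format-Table -AutoSize

# Surface anything that needs attention so a scheduled run can alert on it.
$open = @($report | Where-Object { $_.Finding -like 'REVIEW*' })
if ($open.Count -gt 0) {
    Write-Warning ("{0} ECP virtual directory(ies) still allow EAC administration: {1}" -f `
        $open.Count, (($open | ForEach-Object { $_.Server }) -join ', '))
}
```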
