There will be times when you, as an Exchange administrator, may want to restrict the use of Exchange Admin Center (EAC) for External users for security reasons.
If you disable EAC access on Exchange 2013/2016 Client access servers, it will be disabled for all internal and external users. If you need access to EAC for internal use only, you have to deploy a separate Client Access Server role and configure it to handle internal requests only through the following cmdlet:
Set-ECPVirtualDirectory -Identity "Exchange01\ecp (default web site)" -AdminEnabled $True
The following command will turn off EAC access for all users on server Exchange01
:
Set-ECPVirtualDirectory -Identity "Exchange01\ecp (default web site)" -AdminEnabled $False