In Exchange 2016, you can harden access to the Exchange Admin Center (EAC) by creating a rule/s in IIS.
To do this you will need to add an additional feature to IIS called “IP and Domain Restrictions”. This can be done from Server Manager and selecting “Add Roles and Features” as shown below:
Once installed, you can launch IIS Manager and then expand your Sites -> Default Web Site and then click on the ECP directory.
Double click “IP address and Domain Restrictions” and then click on “Add Allow Entry” on the right hand side as shown below:
Once you click that action item, a new window will show as below, you can restrict a single IP or a range. Range can be as follows:
- IP: 192.168.0.1
- Mask: 255.255.255.0
Click OK when done, you will be taken back to the “IP Address and Domain Restrictions” page where the information provided above will show. Now click on Edit Feature Settings on the right hand side as shown below:
On the Edit Page, Select Deny as shown below as well as “Not Found” under the Action Type section:
Click OK when done.
Restart IIS by doing an IISRESET from an elevated prompt or restart the server.
**Warning**, if you decide to decide to remove the IP, it can potentially break the EAC.
Hope it helps.