This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 9%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
I found that when a user (Android or iOS) uses the outlook app to access active sync. The user can use another device to access active sync bypassing quarantine as the mobile device registers either as an “Outlook” or “Outlook for iOS and Android device” under model and family. Thus, if a new user is quarantined and allowed email access via active sync by the admin, the user or any other user for that matter using the same credentials will be able to use another mobile device and be automatically allowed to access email bypassing quarantine.
How can I prevent this?
See if this works for you, not sure if you have tried this already :
https://www.usmanghani.co/restrict-exchange-active-sync-devices-in-exchange/
Thank you for the quick replies.
I'll give a shot and provide feedback.
Andy David, you are a star.
Worked like a charm. Created a new ThrottlingPolicy applied it to a mail account and tested from two different devices and only one physical device could connect. the other physical device timed out when outlook attempted to logon.
Great stuff.
Awesome! Hey, if you don't mind, can you accept an answer so we can close this up? Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Hi, @Ragman99
Thanks for the update and glad to hear your question has been answered.
Please feel free to mark the helpful answers as the answer to the question.
It may be beneficial to other community members who have the same question.
Thanks for your understanding!
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
What's the goal? Do you want users to have only one device?
If so, you can set a global throttling policy:
https://learn.microsoft.com/en-us/answers/questions/181962/error-with-your-new-mobile-phone-partnership-in-ex.html
https://learn.microsoft.com/en-us/powershell/module/exchange/new-throttlingpolicy?view=exchange-ps
Set-ThrottlingPolicy <policy_name> –EASMaxDevices 1
You could also just add that ActiveSync Allowed ID once the user is allowed access and not allow the others
https://learn.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps
TheActiveSyncAllowedDeviceIDs parameter specifies one or more Exchange ActiveSync device IDs that are allowed to synchronize with the mailbox. A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have Exchange ActiveSync partnerships with the mailbox.
You can get that unique ID for Outlook Mobile:
Upon initial account login, Outlook for iOS and Android establishes a connection to the Microsoft 365- or Office 365-based architecture. A unique device ID is generated, and this device ID is what appears in Active Directory device records (which can be retrieved with cmdlets such as Get-MobileDevice in Exchange Online Powershell) and which appears in HTTP request headers.
Thanks, it sounds exactly what I am looking for.
I'll ready through and give a go.
Thanks for the info. It was exactly what I was looking for but unfortunately the way Exchange creates the ActiveSync device IDs prevents me from limiting the amount of physical devices a single user can use to access ActiveSync. The ActiveSync device IDs stays the same as long as you use Outlook. No mater how many devices you use.
I tested this by spinning up an Android VM and setting up my physical phone to ActiveSync in Outlook. They both came up with the message stating that they are Quarantined but in Exchange only one device came up when running the Get-MobileDeviceStatistics command. Allowing the single device on Exchange gave both physical devices access to email.
Do you perhaps know how to only allow a single physical device?
My end goal is to only allow one physical device per user to access ActiveSync.