See if this works for you, not sure if you have tried this already :
https://www.usmanghani.co/restrict-exchange-active-sync-devices-in-exchange/
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I found that when a user (Android or iOS) uses the outlook app to access active sync. The user can use another device to access active sync bypassing quarantine as the mobile device registers either as an “Outlook” or “Outlook for iOS and Android device” under model and family. Thus, if a new user is quarantined and allowed email access via active sync by the admin, the user or any other user for that matter using the same credentials will be able to use another mobile device and be automatically allowed to access email bypassing quarantine.
How can I prevent this?
See if this works for you, not sure if you have tried this already :
https://www.usmanghani.co/restrict-exchange-active-sync-devices-in-exchange/
What's the goal? Do you want users to have only one device?
If so, you can set a global throttling policy:
https://learn.microsoft.com/en-us/answers/questions/181962/error-with-your-new-mobile-phone-partnership-in-ex.html
https://learn.microsoft.com/en-us/powershell/module/exchange/new-throttlingpolicy?view=exchange-ps
Set-ThrottlingPolicy <policy_name> –EASMaxDevices 1
You could also just add that ActiveSync Allowed ID once the user is allowed access and not allow the others
https://learn.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps
TheActiveSyncAllowedDeviceIDs parameter specifies one or more Exchange ActiveSync device IDs that are allowed to synchronize with the mailbox. A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have Exchange ActiveSync partnerships with the mailbox.
You can get that unique ID for Outlook Mobile:
Upon initial account login, Outlook for iOS and Android establishes a connection to the Microsoft 365- or Office 365-based architecture. A unique device ID is generated, and this device ID is what appears in Active Directory device records (which can be retrieved with cmdlets such as Get-MobileDevice in Exchange Online Powershell) and which appears in HTTP request headers.