Forum Discussion

rhinoman's avatar
rhinoman
Copper Contributor
Mar 19, 2025

Mobile Device Access Rules

Hello - I have been trying to figure out how to permit all current Active Sync mobile devices before switching the Exchange Online Active Sync to Quarantine. I found an old script that supposedly all...
exchange online
VasilMichev's avatar
VasilMichev
MVP
Mar 20, 2025

You have to add them to the list of -ActiveSyncAllowedDeviceIDs for the respective user. Nothing has changed in the process in maybe a decade... perhaps share the script you are using?

rhinoman's avatar
rhinoman
Copper Contributor
Mar 20, 2025

Well, after trouble shooting using CoPilot, I have been trying to use the following scripts. However, the import never finishes.

 

Retrieve mobile list first

 

$mailboxes = Get-Mailbox -ResultSize Unlimited

 

$devices = @()
foreach ($mailbox in $mailboxes) {
    $devices += Get-MobileDeviceStatistics -Mailbox $mailbox.Alias | Select-Object DeviceID, DeviceModel, DeviceOS, LastSuccessSync
}

 

$devices | Export-Csv -Path "C:\AllowedDevices.csv" -NoTypeInformation

 

Import Allowed devices

 

$mailboxes = Get-Mailbox -ResultSize Unlimited

 

$allowedDevices = Import-Csv -Path "C:\AllowedDevices.csv"
foreach ($mailbox in $mailboxes) {
    foreach ($device in $allowedDevices) {
        try {
            Set-CASMailbox -Identity $mailbox.Alias -ActiveSyncAllowedDeviceIDs $device.DeviceID
        } catch {
            Write-Error "Failed to set allowed device for mailbox $($mailbox.Alias): $_"
        }
    }
}
Write-Output "Allowed devices import is complete."

 

Verify Devices are now marked allowed

 

Get-CASMailbox | Select-Object DisplayName, ActiveSyncAllowedDeviceIDs | Export-Csv -Path "C:\AllowedDevicesList.csv" -NoTypeInformation

 

 

Then set to Quarantine all devices after the import of allowed devices

 

Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine

  • VasilMichev's avatar
    VasilMichev
    MVP
    Mar 21, 2025

    That script basically tries to add all deviceIDs across the company as allowed for each and every mailbox you have. Pretty sure it's not the experience you want, and it's likely striking out by reaching the limit of ActiveSyncAllowedDeviceIDs per mailbox.

    You should export the mobile device details along with the corresponding mailbox ID, and then in the import part, process each mailbox and deviceID combo only once.

    • rhinoman's avatar
      rhinoman
      Copper Contributor
      Mar 21, 2025

      Nothing worked as planned. I did export all the devices, then imported them with logging to make sure it was working. Then switched to Quarantine all devices. Well, may import of allowed devices said it was working on the screen and in the log. However, it did not and quarantined every device. I manually allowed all devices all day yesterday and evening, then more this morning. It was a disaster for the most part. 

Resources