Quarantined Mobile Devices - Powershell


Hey Everyone --


I am trying to put together a PowerShell script to approve a device that has been quarantined. By default, we quarantine everything and allow only what we want.

$MobileDevice = Get-MobileDevice -Mailbox jdoe -Filter {DeviceAccessState -eq 'Quarantined'}
# allow the device
Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs $MobileDevice.DeviceId


By doing this, mail is now working on that mobile device; however, it still shows up in the list of quarantined devices. Furthermore, it is still returned as a quarantined device by the Get-MobileDevice cmdlet.


Using PowerShell, how do you get it so it is no longer in the quarantined list?




12 Replies

The cmdlet you are using overrides the list of allowed devices, instead you should be adding to it:


Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs @{add=$MobileDevice.DeviceId}

Thank you - in this particular case, overriding was exactly what I was looking to do. I am still stuck as to why it shows up under my list of Quarantined Devices in the ECP portal. Any idea why that is?

Have you checked the ActiveSyncOrganizationSettings for your tenant using Get-ActiveSyncOrganizationSettings?

What's the DefaultAccessLevel?

Are there any Intune policies in use?


Default Access Level = Quarantine.


We moved to Exchange Online in 2016. From day 1, we have had this policy: all mobile devices get quarantined until approved by an administrator. All of the mobile devices that we have allowed have been allowed manually. When we approve a device manually (from the Mobile page), the device is approved and removed from that list.


I am just looking to do the same thing, but with PowerShell. It should involve fewer clicks, pages, and waiting for things to load.


We don't currently have any Intune policies in place.

The device state is stored in an Active Directory attribute which needs to be replicated across all domain controllers until the state is properly returned when queried by a Get-MobileDevice cmdlet.

Is the device shown in the list of quarantined devices still? Even after some hours after the device has been allowed?



Thanks for getting back.  Yes - it still is showing in the list of Quarantined devices.  


I am running Exchange Hybrid - 100% online.  I have 1 server on prem for management.  Given that, mobile device information would not be stored in my on-prem AD, correct?





That's correct. Registered mobile devices for cloud mailbox users are not stored in an on-premises AD. The device information is stored in Office 365.

It seems to be a glitch in the UI when mailbox access works for an allowed device and the device still shows up as quarantined in the Admin Center.

- Thomas

So here is what I just found out -- here is what I was running, and the device was still in the quarantined list.


$MobileDevice = Get-MobileDevice -Mailbox jdoe -Filter {DeviceAccessState -eq 'Quarantined'}
# allow the device
Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs $MobileDevice.DeviceId


If I then run:


$MobileDevice.DeviceAccessState = 'Allowed'
$MobileDevice.DeviceAccessStateReason = 'Individual'

The device is no longer shown in the mobile device list as quarantined.



@Stephen Bell 


Nearly perfect. A small typo on this line:


Set-CASMailbox -Identity jdoe -ActiveSyncAlloweDeviceIDs $MobileDevice.DeviceId


Throws an error. This should work:


Set-CASMailbox -Identity jdoe -ActiveSyncAllowedDeviceIDs $MobileDevice.DeviceId




We were rolling out Android devices and wanted a way to allow all of these while the rollout was happening. With help from this thread I wrote this:



$BlockedDevices = @(Get-MobileDevice -Filter 'DeviceAccessState -eq "Blocked"')
foreach ($Device in $BlockedDevices) {   # $_ is undefined outside a pipeline, so bind each device explicitly
    Get-CASMailbox -Filter "ActiveSyncBlockedDeviceIDs -eq '$($Device.DeviceId)'" | Set-CASMailbox -ActiveSyncAllowedDeviceIDs @{add=$Device.DeviceId}
}


You would probably want to narrow down the Get-MobileDevice filter so that $BlockedDevices only contains the devices you want to allow (DeviceModel, for example, if you are rolling out the same hardware).


We ran it on a schedule during the rollout.


Hope this helps someone
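For the quarantine case the original poster asked about, the same pattern can be wrapped in a function that works per mailbox, narrows by model as suggested above, appends to the allow list instead of replacing it, and supports -WhatIf so the change can be previewed first. This is an added example, not code from the thread; it assumes an Exchange Online PowerShell session where Get-MobileDevice and Set-CASMailbox are available, and the mailbox names and model string in the usage lines are placeholders.

```powershell
# Added example (not from the thread): approve quarantined ActiveSync devices
# for a set of mailboxes, optionally narrowed to one device model, without
# overwriting the existing ActiveSyncAllowedDeviceIDs list.
# Assumes an Exchange Online session (Connect-ExchangeOnline) is already open.
function Approve-QuarantinedDevice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [string[]]$Mailbox,          # mailbox identities to process (placeholder values in usage below)
        [string]$DeviceModel         # optional: only approve this model, e.g. during a single-hardware rollout
    )

    foreach ($mbx in $Mailbox) {
        # OPATH filter; DeviceModel is added only when the caller narrows by model
        $filter = "DeviceAccessState -eq 'Quarantined'"
        if ($DeviceModel) { $filter += " -and DeviceModel -eq '$DeviceModel'" }

        $devices = @(Get-MobileDevice -Mailbox $mbx -Filter $filter)
        if ($devices.Count -eq 0) {
            Write-Verbose "$mbx : no quarantined devices match the filter"
            continue
        }

        foreach ($dev in $devices) {
            $target = "$mbx / $($dev.DeviceModel) / $($dev.DeviceId)"
            if ($PSCmdlet.ShouldProcess($target, 'Add to ActiveSyncAllowedDeviceIDs')) {
                # @{add=...} appends to the per-mailbox allow list; passing the bare ID would replace it
                Set-CASMailbox -Identity $mbx -ActiveSyncAllowedDeviceIDs @{add = $dev.DeviceId}

                # emit a record of what was approved so the run can be logged or reviewed
                [pscustomobject]@{
                    Mailbox     = $mbx
                    DeviceId    = $dev.DeviceId
                    DeviceModel = $dev.DeviceModel
                    DeviceOS    = $dev.DeviceOS
                    Action      = 'Allowed'
                }
            }
        }
    }
}

# Usage (placeholder mailboxes and model): preview first, then apply and keep the output
# Approve-QuarantinedDevice -Mailbox jdoe, asmith -DeviceModel 'ExampleModel' -WhatIf
# Approve-QuarantinedDevice -Mailbox jdoe, asmith -DeviceModel 'ExampleModel' | Export-Csv approved-devices.csv -NoTypeInformation
```

Running with -WhatIf prints each mailbox/model/device ID that would be allowed without calling Set-CASMailbox, which is the check you want before approving a batch during a rollout; the emitted objects give you a record of exactly which device IDs were added to which mailbox.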


Thank you very much for the script. That saved us a lot of work. 


Unable to the parameter ActiveSyncAllowedDeviceIDs binding to the target. Exception occurs when set "ActiveSyncAllowedDeviceIDs" : "this attribute length is too long. The maximum length is 256 and the length of the supplied value is 557."

Location C:\Users\xuliang.tao\AppData\Local\Temp\tmp_350par2z.3gp\ tMP_350PAR2Z.3Gp.pSM1:70471 characters: 9

+ $steppablePipeline.End()

+ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

+ CategoryInfo : WriteError: (:) [Set-CASMailbox], ParameterBindingException

+ FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.Exchange.Management.RecipientTasks.SetCASMailbox

There are too many devices, which produces this error.