Exchange Online users who use Outlook for iOS and Android and Device Access (ABQ) rules are unexpectedly quarantined


Exchange Online users who use Outlook for iOS and Android and who also use Device Access (ABQ) rules find that they've been unexpectedly quarantined. This problem occurs in the following scenario:
  • The tenant’s DefaultAccessLevel property that's configured through Set-ActiveSyncOrganizationSettings is set to a value of either Quarantine or Block.
  • The tenant administrator previously allowed Outlook for iOS and Android by stamping the DeviceID in the ActiveSyncAllowedDeviceIDs property of the mailbox.
  • The devices aren't managed by Microsoft Intune.


A back-end protocol change in how Outlook for iOS and Android applications access Office 365 mailbox data changes the DeviceID that the app uses to connect to Exchange Online. Because of the DeviceID change, Exchange Online sees previously allowed devices as new devices and quarantines them.


Contact Support and ask the customer service representative to help you unblock the device.

Or, use one of the following methods to unblock the device:
  • Use the Exchange admin center to unblock individual devices. To do this, follow these steps:
    1. Sign in to the Exchange admin center. For more information, see Exchange admin center in Exchange Online.
    2. Click mobile, and then under Quarantined Devices, select the Allow button for each Outlook for iOS and Android app device that needs to be unblocked.
  • Use remote PowerShell to unblock all devices. To do this, follow these steps:
    1. Connect to Exchange Online by using remote PowerShell. For more information, see Connect to Exchange Online PowerShell.
    2. Copy and paste the following code to your remote PowerShell session:
      function FixUnblock
      {
          # Mailboxes that already have an explicit ActiveSync allow list
          $Mbxs = Get-CASMailbox -ResultSize 10000 | ?{$_.ActiveSyncAllowedDeviceIDs -ne $null }
          foreach($Mbx in $Mbxs)
          {
              write-host $Mbx.Id
              # Outlook for iOS and Android devices (ClientType REST) first synced on or after 9/13/2016 that are not yet allowed
              $IdList = Get-MobileDevice -Mailbox $Mbx.Id | where {$_.DeviceModel -eq "Outlook for iOS and Android" -and
                  $_.ClientType -eq "REST" -and $_.DeviceAccessState -ne "Allowed" -and $_.FirstSyncTime -ge "9/13/2016"}
              $CasDevice = Get-CasMailbox $Mbx.Id
              # Append the new DeviceIDs to the mailbox's existing allow list
              foreach( $Id in $IdList) { $CasDevice.ActiveSyncAllowedDeviceIDs += $Id.DeviceId }
              Set-CasMailbox $Mbx.Id -ActiveSyncAllowedDeviceIDs $CasDevice.ActiveSyncAllowedDeviceIDs
          }
      }
    3. In your remote PowerShell session, run the function. To do this, type FixUnblock, and then press Enter.
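
Because FixUnblock adds every matching DeviceID to the allow list in one pass, it can help to review the affected devices first. The following read-only preview is an added example, not part of the original article. It applies the same filter as FixUnblock in the same remote PowerShell session and changes nothing. The function name Get-UnblockCandidate and the CSV file name are hypothetical.

```powershell
# Added example (not from the original article). Read-only: it calls only Get-* cmdlets.
# Assumes an open Exchange Online remote PowerShell session, as in step 1.
function Get-UnblockCandidate
{
    param(
        # Same cut-off date that FixUnblock uses for FirstSyncTime
        [datetime]$Since = [datetime]'2016-09-13'
    )

    # Only mailboxes that already carry an explicit allow list are in scope
    $Mbxs = Get-CASMailbox -ResultSize 10000 |
        Where-Object { $_.ActiveSyncAllowedDeviceIDs -ne $null }

    foreach ($Mbx in $Mbxs)
    {
        $Allowed = @($Mbx.ActiveSyncAllowedDeviceIDs)

        Get-MobileDevice -Mailbox $Mbx.Id | Where-Object {
            $_.DeviceModel -eq "Outlook for iOS and Android" -and
            $_.ClientType -eq "REST" -and
            $_.DeviceAccessState -ne "Allowed" -and
            $_.FirstSyncTime -ge $Since -and
            $Allowed -notcontains $_.DeviceId      # skip IDs already on the allow list
        } | ForEach-Object {
            # One row per DeviceID that FixUnblock would newly allow
            [pscustomobject]@{
                Mailbox           = $Mbx.Id
                DeviceId          = $_.DeviceId
                DeviceAccessState = $_.DeviceAccessState
                FirstSyncTime     = $_.FirstSyncTime
                AllowedIdsBefore  = $Allowed.Count
            }
        }
    }
}

# Save the preview so the allow-list change can be reviewed and later audited
$Candidates = @(Get-UnblockCandidate)
$Candidates | Export-Csv -Path .\UnblockCandidates.csv -NoTypeInformation
Write-Host ("{0} device(s) on {1} mailbox(es) would be allowed" -f
    $Candidates.Count, @($Candidates | Select-Object -ExpandProperty Mailbox -Unique).Count)
```

A mailbox that shows more candidate devices than the user is known to have is worth checking in the Exchange admin center before the bulk function is run.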


Microsoft has confirmed that this is an issue with Exchange Online and the Outlook for iOS and Android app. Microsoft is developing and will deploy a long-term solution to address the underlying issue and prevent future recurrences.


Article ID: 3193518 - Last Review: Dec 29, 2016 - Revision: 1

Microsoft Exchange Online