Users who use Outlook for iOS and Android and Device Access (ABQ) rules are unexpectedly quarantined
Original KB number: 3193518
Symptoms
Exchange Online users who use Outlook for iOS and Android and who also use Device Access (ABQ) rules find that they've been unexpectedly quarantined. This problem occurs in the following scenario:
- The tenant's
DefaultAccessLevelproperty that's configured throughSet-ActiveSyncOrganizationSettingsis set to a value of either Quarantine or Block. - The tenant administrator previously allowed Outlook for iOS and Android by stamping the DeviceID in the
ActiveSyncAllowedDeviceIDsproperty of the mailbox. - The devices aren't managed by Microsoft Intune.
Cause
A back-end protocol change in how Microsoft 365 mailbox data is accessed through Outlook for iOS and Android applications changes the DeviceID that the app uses to connect to Exchange Online. The expected behavior is that the new DeviceID will automatically be added to the ActiveSyncAllowedDeviceID for the user. But in certain scenarios, the device may be quarantined. In such cases, follow the steps in the Resolution section. This issue is not expected to occur repeatedly.
Resolution
Contact Support and ask the customer service representative to help you unblock the device.
Or, use one of the following methods to unblock the device:
Use the Exchange admin center to unblock individual devices. To do this, follow these steps:
- Sign in to the Exchange admin center. For more information, see Exchange admin center in Exchange Online.
- Select mobile, and then under Quarantined Devices, select the Allow button for each Outlook for iOS and Android app device that needs to be unblocked.
Use remote PowerShell to unblock all devices. To do this, follow these steps:
Connect to Exchange Online by using remote PowerShell. For more information, see Connect to Exchange Online PowerShell.
Copy and paste the following code to your remote PowerShell session:
function FixUnblock { $Mbxs = Get-CASMailbox -ResultSize 10000 | ?{$_.ActiveSyncAllowedDeviceIDs -ne $null } foreach($Mbx in $Mbxs) { write-host $Mbx.Id $IdList = Get-MobileDevice -Mailbox $Mbx.Id | where {$_.DeviceModel -eq "Outlook for iOS and Android" -and $_.ClientType -eq "REST" -and $_.DeviceAccessState -ne "Allowed" -and $_.FirstSyncTime -ge "9/13/2016"} $CasDevice = Get-CasMailbox $Mbx.Id foreach( $Id in $IdList) { $CasDevice.ActiveSyncAllowedDeviceIDs += $Id.DeviceId } Set-CasMailbox $Mbx.Id -ActiveSyncAllowedDeviceIDs $CasDevice.ActiveSyncAllowedDeviceIDs } }In your remote PowerShell session, run the function. To do this, type FixUnblock, and then press Enter.
More information
Users with modern authentication-enabled accounts need to follow the steps in Account setup with modern authentication in Exchange Online to set up their Outlook for iOS and Android accounts.
Still need help? Go to Microsoft Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for