Mobile Device Quarantine Loop - Exchange Online

We have 2 users whose mobile devices keep getting stuck in Quarantined Devices in Office 365 Exchange Online mobile device access. Constant loop of allowing device, hour later we get the "A device that belongs to USER has been quarantined" and then allow again - Loop.

We have 50+ other users allowed OK with no problems but these 2 have just popped up in the last couple of weeks.

By default we Quarantine new devices until we allow - set through normal Exchange ActiveSync Access settings (Not intune or an MDM). Default policy applies.

One user has an iPhone, other an Android. We've got them to try inbuilt mail apps and MS Outlook app for mail but still keeps getting stuck. I've checked but Device ID or details never change when allowed and blocked. Restarting and updating phones etc. Have removed phones completely through portal and got users to re-connect again but still same problem.

Example quarantine details:

Device model: Outlook for iOS and Android
Device type: Outlook
Device ID: REMOVED
Device OS: 9
Device user agent: Outlook-Android/2.0
Device phone number:
Device IMEI:
Exchange ActiveSync version: 1.0
Device policy applied: COMPANY.onmicrosoft.com\Default
Device policies status: AppliedInFull
Device access state: Quarantined
Device access state reason: Global
Device access control rule:

Any ideas? Feel like I'm missing something simple.

Thanks.


This issue started for my org as of 3 days ago and has the same symptoms here, like devices going in and out of quarantine and manually allowing device IDs not working. I have been working with Microsoft for the past 2 days with no answer. Out of 120 users this is affecting 31 of them.

Microsoft support confirmed they'd found a problem and rolled out a fix but I don't think it ever worked. We decided to enroll all mobile devices with Intune MDM instead and control access with conditional access. Had no problems since.

Not a fix but permanent workaround solution I suppose! More secure as well as can control devices properly. 


Hi,

How did you find out that it was a replication issue?  I did a Repadmin /replsummary on all my domain controllers, and it showed success.  When you found out yours was a replication issue, did you receive an error from this command or how did you find out? I am trying to make sure that this is not our issue. Thanks.


Did anyone find a fix to this? We also had a bunch of random emails that came out overnight. Users were previously approved already, and suddenly these quarantine emails arrived again.


Hi Hamid,

We are having similar issues and wondered if you were able to share your experience of the issue and the resolution?

Many thanks,

Guy


This was the issue for me too: a replication error between DCs with an on-prem Exchange server.


I am using Office 365. I have the same problem, slowly creeping up. This entire platform is on 365, so I have no control over (or even an attempt to control) DC replication whatsoever.
the art of peace begins with you


I opened a ticket with Microsoft. The issue was an effect of a change they made late last year (it seems to have taken effect for many people around November/late December 2020). There's no fix for it. Here's the explanation they gave me. In summary, the fix is to do one of these: manually manage the devices as they come, create a Conditional Access policy in Azure, or modify your Exchange mobile device rule according to your need.

https://techcommunity.microsoft.com/t5/exchange-team-blog/upcoming-exchange-online-device-access-and-conditional-access/ba-p/1464261

https://docs.microsoft.com/en-us/exchange/troubleshoot/mobile-devices/mobile-devices-not-quarantined-as-expected

In the past, if the tenant had Intune CAP (Conditional Access Policies), the EXO ABQ settings would be ignored. Now if the tenant has some CAP but it doesn't match the device, then it falls back to the ABQ settings.


Thank you very much for the update and I can understand what they've done and the repercussions to some extent.

Just venting from now on :-)

However, since we are doing a vanilla setup, with no customizations or modifications on the GPO/CAP side anywhere, falling into this trap is just not fair.

I am one of the affected ones, and I am enterprise admin. I literally haven't done anything wrong and my device is quarantined all of a sudden with no explanation :-) Imagine how lost I was when a user complained about not receiving emails - looking at the screen hidden away in the Classic Exchange Administration view was not anywhere on my checklist of possible problem points!

What Microsoft needs to do is modify the default policy to handle the situation - not ask us to create exceptions for the normalcy.

Case in point their explanation doesn't even make any sense.

See, that's my device. They are all my device, all of them, the same device! I cannot unquarantine the top two lines no matter how many times I click the Allow button. Repeat: there's no way to unquarantine a device right now. I'll read those links you provided and see if I can create exception rules on policies, but the policies in effect do not block any devices for any actions. So I don't know where the quarantine rule comes from... 😠

Meanwhile, the same "supposedly quarantined device" can receive emails IF I USE OUTLOOK ON IT!!! 🤣 Go figure that out. 

I was using Blackberry Hub on Android and that's when I noticed that I can no longer see calendar items. Then the emails started getting blocked. Then the forum search and policy check and this post... 

Out of frustration after this post yesterday I tried different email clients on the phone: Samsung Mail, Gmail, and voila, Outlook has no problem getting emails, or seeing calendar items... 

What the?!?

In summary - I don't think they broke what they think they broke. I think they did something else and that's why it's hard to fix, or maybe not even possible to fix. Meanwhile, use Outlook on Android and things will work. 

My Android phone has OneDrive, OneNote, Outlook; they can all operate without a problem since yesterday.

Meanwhile the other user has an Apple device and I haven't gotten around to helping him yet - he was the first to complain and I couldn't figure it out. Then it happened to me. I'm expecting more people to bang on my door soon :-)

Venting done... Thank you for listening and thank you for the reply.

Be safe out there.

the art of peace begins with you


You're welcome. We were in the same boat. I am also an admin and I was so lost when one day several users lost connections to their emails in the middle of the night! Yes, no matter how much you click that GUI, it won't get approved. Don't rely on that. That's what I also learned from my experience managing these devices.

If you want a quick handle of it as they come:

1. Get-CASMailbox *** Email address is removed for privacy *** | fl - This will list all the allowed devices for the user. Go back to the GUI and check the Device ID of the device in quarantine. If it's not in the approved list, add it.

2. Set-CASMailbox *** Email address is removed for privacy *** -ActiveSyncAllowedDeviceIDs abclkdfkasdfsdfds - IMPORTANT: add all the already allowed device IDs PLUS the new ID that got blocked. If you only add the device that is missing, you will be removing everything else, because the parameter replaces the whole list. So add all device IDs in the approved list in addition to the missing GUID. For example:

Set-CASMailbox *** Email address is removed for privacy *** -ActiveSyncAllowedDeviceIDs abcadfasdf,adsfasdf,adasdfdsafsd - this format.

The user needs to wait a bit (15 mins to 2 hours for the setting to take effect) in my experience.

If you want an immediate but painful route, you have to delete the device in the GUI. The user needs to restart their phone and re-add the device. Now you have to approve again. The key is that the device in the GUI needs to be deleted, plus a restart of the device. The instructions I wrote above are for when you need to fix it with less user interaction.

Yes, it doesn't fix the problem. Microsoft Support can't do anything either and I needed to handle all the users asap at that time. When I opened a ticket with Microsoft, support team had to get the answer from the Development Team.  Nothing support technicians can do at this point but do one of those things, unfortunately.  It was a horrible experience.
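The two manual steps above (list the allowed IDs, then re-set the whole list plus the quarantined one) can be done in one pass without the overwrite risk. The script below is an added example, not the poster's own commands; it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) and uses a placeholder mailbox address. It uses the `@{Add=...}` hash syntax that Set-CASMailbox accepts for multi-valued parameters, so existing entries are kept rather than replaced.

```powershell
# Added example: allow every device currently held in ABQ quarantine for one mailbox
# without clobbering the existing ActiveSyncAllowedDeviceIDs list.
# Assumes Connect-ExchangeOnline has already been run. Mailbox address is a placeholder.
param(
    [string]$Mailbox = 'user@contoso.example'   # placeholder, replace with the real UPN
)

# Step 1: which devices does the quarantine engine currently hold for this mailbox?
$quarantined = Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' }

# Step 2: the explicit per-mailbox allow list (what "Get-CASMailbox | fl" shows)
$cas     = Get-CASMailbox -Identity $Mailbox
$allowed = @($cas.ActiveSyncAllowedDeviceIDs)

Write-Host "Currently allowed IDs : $($allowed -join ', ')"
Write-Host "Currently quarantined : $(($quarantined | ForEach-Object DeviceID) -join ', ')"

# Only the quarantined IDs that are not already on the allow list need adding
$missing = @($quarantined |
    Where-Object { $allowed -notcontains $_.DeviceID } |
    Select-Object -ExpandProperty DeviceID)

if ($missing.Count -eq 0) {
    Write-Host 'Nothing to add: every quarantined device is already on the allow list.'
    return
}

# Step 3: append with @{Add=...}. Passing a plain array here would REPLACE the list,
# which is the mistake the thread warns about.
Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $missing }

# Step 4: read the list back so the change can be confirmed before the user retries
$after = @((Get-CASMailbox -Identity $Mailbox).ActiveSyncAllowedDeviceIDs)
Write-Host "Allow list after change: $($after -join ', ')"
```

As the thread notes, the device may still take some time to move out of Quarantined after the allow list changes, so re-run Get-MobileDeviceStatistics later rather than deleting the device straight away.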


Hi Hamid

What do you mean by DC?

I don't get the acronym, sorry.

I have this issue developing with 2 of my users for no reason whatsoever.

It seems to go away and come back on its own.

Question info

Last updated December 27, 2021. Views: 13,850.