In on-premises Exchange and Exchange Online the default mobile device mailbox policy (previously referred to as an ActiveSync mailbox policy) allows non-provisionable devices.


[PS] C:\>Get-MobileDeviceMailboxPolicy | fl name,allownon*

Name                         : Default
AllowNonProvisionableDevices : True

This default configuration creates the least friction with onboarding mobile device users for Exchange and Exchange Online. However, Microsoft TechNet states:

This setting specifies whether mobile devices that may not support application of all policy settings are allowed to connect to Exchange by using Exchange ActiveSync. Allowing non-provisionable mobile devices has security implications. For example, some non-provisionable devices may not be able to implement an organization’s password requirements.

The recommended practice is to not allow non-provisionable mobile devices in your default mobile device mailbox policy.

If you do have specific devices or applications that you want to allow as exceptions to that rule, create a second mobile device mailbox policy that is not the default policy, and assign that to approved users on a case by case basis.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for


  1. filip

    Thnx 4 the tip

Leave a Reply