Managing Exchange ActiveSync device partnerships (in a world where we all use too many devices)


This is the text of an article that I wrote for Windows IT Pro magazine that was never published. It might be of some interest and use to folks grappling with ActiveSync partnerships, so I decided to publish it here. Enjoy!

Update: See this post for information about how Microsoft has automated some aspects of partnership management in Exchange 2013, Exchange 2016, and Exchange Online (Office 365)

Managing Exchange ActiveSync device partnerships

An interesting aspect of the Bring-Your-Own-Device (BYOD) phenomenon, allied to the growing role of Exchange ActiveSync (EAS) as the de facto protocol for mobile device connectivity, is that some organizations running Exchange 2010 SP1 or later releases have experienced situations where users have exceeded the number of permitted ActiveSync partnerships for their mailbox. When this happens, Exchange sends a message to the user the next time that they attempt to add a new device to their mailbox:

Subject: Error with your new mobile phone partnership
Importance: High

 You have 10 phone partnerships out of the maximum allowed 10 partnerships. After you reach the maximum, you can’t create additional partnerships until you delete existing ones from your account. To do so, sign in to Outlook Web App, click Options > Phone > Mobile Phones, and delete any unused partnerships.

In this article I explain how Exchange 2010 manages ActiveSync device partnerships and how you can increase the number of partnerships allowed for a mailbox. I also cover how to locate old partnerships that might belong to devices that are no longer in use, and how to script a procedure that you could run on a regular basis to remove obsolete partnerships. Unless otherwise indicated, the code listed here should work well with Exchange 2010, Exchange 2013, or Exchange Online (Office 365). The explanation of how Exchange throttles ActiveSync connections is specific to Exchange 2010 SP1 and later releases.

Storing ActiveSync partnerships

Figure 1: Listing ActiveSync partnerships from Outlook Web App (Exchange 2010)

Exchange 2010 and Exchange 2013 store details of ActiveSync device partnerships (the connection between a mobile device and a mailbox) as properties of the Active Directory account that owns the mailbox. Although there’s no technical reason that prevents Active Directory from storing more than 10 partnerships, someone in the Exchange development group took the view that ten seemed a good number, certainly sufficient to meet the needs of all but the most hyper-connected user. The restriction on ActiveSync partnerships through throttling policies was first introduced in Exchange 2010 SP1 and also applies to Exchange Online tenant organizations in Office 365. The limit proved appropriate until recently, when BYOD challenged the assumption that users would be happy with ten devices.

I don’t consider myself to be anything more than averagely connected, so I decided to follow the advice in the message and use Outlook Web App (OWA) to check what partnerships are registered for my mailbox. As shown in Figure 1, OWA duly reported that four partnerships were in place.

I only use one of these partnerships on a regular basis. Fortunately, much of the mystery behind a partnership can be dispelled by clicking on the Details icon, which reveals the information about the selected partnership shown in Figure 2. In this case the partnership links my Windows Phone (Nokia Lumia 800 at the time the article was written) with Exchange. We can see the version of the phone O/S (7.8) and various other information, including (if you scroll to the bottom), the version of ActiveSync used by the connection and the number of folders that Exchange synchronizes with the device.

Figure 2: Viewing partnership properties

Four partnerships seemed like three too many.  The most obvious of the other partnerships was for an old iPhone 3GS that I used before I bought my Nokia. The others were surprising: “TestActiveSyncConnectivity” was created by the Exchange Remote Connectivity Analyzer to test ActiveSync connectivity while “WindowsMail” was created by the Windows 8 Mail application to synchronize with my Exchange Online mailbox.

Even though Outlook 2013 uses ActiveSync to connect to Hotmail (or Outlook.com) instead of the older Hotmail connector, you won’t find this connection listed as an ActiveSync partnership. It is, after all, not used to connect to an Exchange mailbox.

Given that I have two surprising partnerships, it’s easy to see how someone who has been using Exchange 2010 for a while and likes to experiment with the many varied mobile devices that you can connect to Exchange with ActiveSync (iPhone, iPad, Windows Phone, and lots of different Android devices) might exceed the limit. To get an overview from an organization perspective, you could use MVP Brian Desmond’s script to create a CSV file containing details of the partnerships known for all mailboxes (Figure 3).

Figure 3: Viewing a CSV file containing device partnership data

Manipulating a CSV file with Excel is an effective way to understand what kind of mobile devices are connecting to Exchange, including some that might surprise because you didn’t expect to find them listed. Larger organizations might prefer to load the data into a more robust query and reporting tool such as Access or even SQL.

Increasing the limit for ActiveSync partnerships

The limit is controlled by the EASMaxDevices property in the throttling policy applied to the mailbox. Throttling policies serve to restrict the amount of system resources that an individual mailbox can consume and were first introduced in Exchange 2010 SP1. Unless assigned a specific throttling policy, every mailbox comes under the control of the default throttling policy, which sets EASMaxDevices to 10. You can therefore increase the limit by either updating the default throttling policy to allow the desired number of partnerships or by creating a new throttling policy and then applying that policy to the mailboxes of the hyperconnected users.

For example, if your organization only has a default throttling policy, the following Exchange Management Shell (EMS) command will increase the limit to allow twenty partnerships:

Get-ThrottlingPolicy | Set-ThrottlingPolicy -EASMaxDevices 20

It’s possible that your users might want to use all of their ActiveSync devices at one time. If so, you should also update the EASMaxConcurrency property to the same value as EASMaxDevices.

The *-ThrottlingPolicy cmdlets are only available to on-premises administrators because Microsoft doesn’t want its cloud tenant administrators messing around with commands that have the potential to affect other tenants.

The alternative is to create a new throttling policy. The following commands create a new policy that contains the desired settings (the other settings for the policy will be inherited from the default throttling policy) and then applies the new policy to a specific mailbox:

New-ThrottlingPolicy -Name "HyperConnected ActiveSync" -EASMaxDevices 20 -EASMaxConcurrency 20

Set-Mailbox -Identity "Tony" -ThrottlingPolicy "HyperConnected ActiveSync"

As soon as the Set-Mailbox cmdlet runs successfully, the user will be able to create additional partnerships.

Locating old partnerships

It’s the nature of mobile devices that some are quickly discarded as new and more attractive devices become available on the market. However, these devices leave a lingering indication of their presence as an ActiveSync partnership that will eventually have to be removed to keep a user under their permitted limit.

OWA allows users to remove partnerships using the delete (X) option shown in Figure 1. However, the problem with relying on this strategy is that users are unlikely to know about the option (how many users know about ActiveSync partnerships?) and so they’ll never navigate through the OWA options to the right place. Of those who do find the option to list partnerships, even fewer will be brave enough to delete a partnership, because they won’t know if this action will affect their other mobile devices. All in all, cleaning up the debris of obsolete partnerships is likely to remain a task for Exchange administrators.

Neither the Exchange Management Console (EMC) nor the Exchange Control Panel (ECP) contains options to allow an administrator to manage device partnerships across the organization. EMC ignores ActiveSync completely, possibly on the basis that Microsoft knew that they were going to replace this console with the new Exchange Administration Center (EAC) in Exchange 2013. ECP knows about partnerships, but only if you take the option to “Manage another user” to be able to access the partnerships for a selected user. The options presented by ECP under “Manage your organization” are restricted to ActiveSync device access settings. There’s nothing for it but to resort to PowerShell.

Two cmdlets are of interest. The first is Get-ActiveSyncDevice (or, if you want to be fashionable and use Exchange 2013, the Get-MobileDevice cmdlet, as it will eventually replace Get-ActiveSyncDevice), which returns information about devices known through partnerships with a mailbox. For example, the following command returns information about all the device partnerships associated with my mailbox:

Get-ActiveSyncDevice -Mailbox "Tony"

The information shown is essentially that displayed in Figure 2. As with many PowerShell cmdlets, the output can be a tad verbose. A better command that limits the output to the essential information is:

Get-ActiveSyncDevice -Mailbox "Tony" | Format-List DeviceId, DeviceType, DeviceModel, DeviceOS, FriendlyName, Name

The following information is displayed for each device:

DeviceId     : 1140B5A5508D422741F2E87CE114E115
DeviceType   : WP
DeviceModel  : NOKIA
DeviceOS     : Windows Phone7.10.8773
FriendlyName : Tony's Nokia
Name         : WP§1140B5A5508D422741F2E87CE114E115

The DeviceId property is important if you need to focus in on a specific device from a list. For example, to delete the partnership for the device shown above, I can use the command:

Get-ActiveSyncDevice | where {$_.DeviceId -eq "1140B5A5508D422741F2E87CE114E115"} | Remove-ActiveSyncDevice

It’s possible that you’ll find two entries in the list for the same device. From experience, this seems to happen when a device goes through a factory reset and is then used to create a new ActiveSync partnership. The clue as to which partnership is active and which belongs to the device prior to its reset is the date that the last synchronization occurred, which brings us to the reason why a second cmdlet is required.

Although it’s a useful command to get started with, Get-ActiveSyncDevice doesn’t tell us what partnerships might be obsolete because it doesn’t report information about the synchronization state of a device. It’s reasonable to assume that a device is active and in use if it is synchronizing regularly with Exchange. On the other hand, if a device has not synchronized in the last 90 or 120 days, there’s a fair chance that it has been tossed into a desk drawer or found some other dark corner to hide.

The Get-ActiveSyncDeviceStatistics cmdlet comes to our aid. This cmdlet reports information about device activity. Thus, a command like this will provide us with a good overview of the device activity for a specific mailbox:

Get-ActiveSyncDeviceStatistics -Mailbox "JSmith" | Format-Table DeviceID, DeviceType, FirstSyncTime, LastSuccessSync

DeviceID         DeviceType FirstSyncTime       LastSuccessSync
--------         ---------- -------------       ---------------
ApplV50396X7Z38  iPad       06-08-2012 10:48:23 11-08-2012 22:54:42
Appl820101JN3NP  iPhone     06-08-2012 10:48:23 03-05-2012 15:28:56
Appl87945F3Q3NQ  iPhone     06-08-2012 10:48:23 16-02-2012 23:36:07
ApplDNQHHGDLDTD2 iPhone     06-08-2012 10:48:23 17-08-2012 07:32:51

This article was written on August 17, 2012 (shown as 17-08-2012 on my system), so we can see that two of the devices have been synchronized reasonably recently (the first and last in the list) whilst two others haven’t been synchronized since May 3 and February 16 respectively. These two partnerships are therefore candidates to be removed on the basis that they are defunct. Of course, there might be a good reason why the user hasn’t synchronized a device for a long time. For instance, they might keep a device as a backup in case their primary device fails. For this reason, it’s a good idea to check with users before expunging anything.

Get-ActiveSyncDeviceStatistics can also provide an interesting insight into the mobile devices that are in use within the organization. For example, this code forms a collection of user mailboxes, then uses that collection to scan for all the mobile devices that have partnerships with the mailboxes before finally producing a count for each device type. As you can see from the results, Apple is clearly winning the battle for mobile devices in this organization.

$Mbx = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited

$Mobile = $Mbx | %{Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity}

$Mobile | Group-Object -Property DeviceType -NoElement

Count Name
----- ----
    1 WindowsMail
   17 WP
   21 iPad
  113 iPhone

If you substitute “DeviceUserAgent” for “DeviceType” in the last line of code, you’ll get a count of the different versions of operating systems in use. This can be an interesting way to discover whether some obsolete or unusual mobile devices are connected.
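An added example (not from the original article or from the scripts it mentions) that builds the kind of organization-wide CSV report described earlier and goes a little further: it lists mailboxes that are close to the partnership limit and partnerships created in the last week, which are worth checking against the devices a user actually owns. The `$WarnAt` and `$NewDays` thresholds and the output path are assumptions.

```powershell
# Added example: inventory of ActiveSync partnerships (run in the Exchange Management Shell).
# $WarnAt, $NewDays and $CsvPath are assumed values, not settings from the article.
$WarnAt  = 8      # flag mailboxes at or above this count (default EASMaxDevices is 10)
$NewDays = 7      # partnerships first synchronized within this many days count as new
$CsvPath = '.\EAS-Partnerships.csv'   # hypothetical output file
$Now     = Get-Date

# Only process mailboxes that have at least one partnership
$Mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter {HasActiveSyncDevicePartnership -eq $true}

# One row per partnership, tagged with the owning mailbox
$Report = @(foreach ($Mbx in $Mailboxes) {
    Get-ActiveSyncDeviceStatistics -Mailbox $Mbx.Identity |
        Select-Object @{Name='Mailbox'; Expression={$Mbx.Name}},
            DeviceID, DeviceType, DeviceUserAgent, FirstSyncTime, LastSuccessSync,
            @{Name='DaysSinceSync'; Expression={
                # Left empty when the device has never completed a synchronization
                if ($_.LastSuccessSync) { [int]($Now - $_.LastSuccessSync).TotalDays }
            }}
})

# Full inventory for review in Excel or another reporting tool
$Report | Export-Csv -Path $CsvPath -NoTypeInformation

# Mailboxes approaching the partnership limit
$Report | Group-Object -Property Mailbox |
    Where-Object { $_.Count -ge $WarnAt } |
    Sort-Object -Property Count -Descending |
    Format-Table Count, Name -AutoSize

# Partnerships created recently: confirm each one belongs to a device the user recognizes
$Report | Where-Object { $_.FirstSyncTime -gt $Now.AddDays(-$NewDays) } |
    Sort-Object -Property FirstSyncTime |
    Format-Table Mailbox, DeviceID, DeviceType, DeviceUserAgent, FirstSyncTime -AutoSize
```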

Scripting to expunge old devices

Now that we understand the capabilities of the two cmdlets that report information about ActiveSync devices, we can put everything together to create a procedure that can be run on a periodic basis to expunge obsolete device partnerships. On the basis that there’s usually some previous work that can be found on the Internet to provide a good start, you can use the script provided by MVP Mike Crowley and adapt it to meet your needs. The script features all of the cmdlets that we’ve explored and is as follows:

$DevicesToRemove = Get-ActiveSyncDevice -ResultSize Unlimited | Get-ActiveSyncDeviceStatistics | Where {$_.LastSuccessSync -le (Get-Date).AddDays(-30)}

$DevicesToRemove | Remove-ActiveSyncDevice

Going through the code we find:

  • A variable ($DevicesToRemove) is created to collect the set of device partnerships.
  • The variable is populated as a result of running the Get-ActiveSyncDevice and Get-ActiveSyncDeviceStatistics cmdlets.
  • The call to Get-ActiveSyncDevice collects all device partnerships in the organization (-ResultSize Unlimited). In large organizations you might restrict this to look for specific devices (for example, process all iPhones in one run, all iPads in another, Android devices in a third).
  • The output from Get-ActiveSyncDevice is piped to Get-ActiveSyncDeviceStatistics, which will process each device in turn. The Where clause then checks whether the last successful synchronization date (LastSuccessSync) is more than 30 days ago. You could increase this interval to be whatever you need.
  • Any devices that meet the criteria are added to the variable, which is then piped as input to the Remove-ActiveSyncDevice cmdlet to remove the device partnerships.

If this script doesn’t meet your needs, there are others available on the Internet. For example, here’s some code that takes a slightly different approach by beginning with a call to the Get-CASMailbox cmdlet and filtering the results so that only mailboxes with an ActiveSync device partnership are processed.

Get-CASMailbox -ResultSize Unlimited -Filter {(HasActiveSyncDevicePartnership -eq $true) -AND (name -notlike "cas_*") -AND (name -notlike "DiscoverysearchMailbox*")} | ForEach {Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity | Where-Object {$_.LastSuccessSync -le ((Get-Date).AddDays(-7))} | Remove-ActiveSyncDevice}

As with all scripts, it’s wise to test this code on a non-production server to make sure that it does what you need.
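A more cautious variant of the clean-up, added here as an example and not taken from either script quoted above: it writes the removal candidates to a CSV file for review and removes partnerships only when `$Commit` is set, otherwise running `Remove-ActiveSyncDevice` with `-WhatIf`. The 90-day threshold, the variable names and the file path are assumptions, and partnerships that have never synchronized are listed separately instead of being removed.

```powershell
# Added example: review-first removal of stale ActiveSync partnerships.
# $StaleDays, $CsvPath and $Commit are assumed names and values, not part of the article's scripts.
$StaleDays = 90        # the article suggests 90 or 120 days as a sign that a device is unused
$CsvPath   = '.\EAS-Removal-Candidates.csv'   # hypothetical output file
$Commit    = $false    # set to $true only after the CSV has been reviewed
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

# Collect statistics for every partnership in the organization
$Stats = @(Get-CASMailbox -ResultSize Unlimited -Filter {HasActiveSyncDevicePartnership -eq $true} |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity })

# Stale: synchronized at least once, but not since the cutoff date
$Stale = @($Stats | Where-Object { $_.LastSuccessSync -and ($_.LastSuccessSync -le $Cutoff) })

# Never synchronized: no LastSuccessSync value, so handle these explicitly
# rather than depending on how an empty value compares with a date
$NeverSynced = @($Stats | Where-Object { -not $_.LastSuccessSync })

# Keep a record of what is about to be removed
$Stale | Select-Object Identity, DeviceID, DeviceType, FirstSyncTime, LastSuccessSync |
    Export-Csv -Path $CsvPath -NoTypeInformation

Write-Host ("{0} stale partnerships written to {1}; {2} never-synchronized partnerships left in place" -f `
    $Stale.Count, $CsvPath, $NeverSynced.Count)
$NeverSynced | Format-Table Identity, DeviceType, FirstSyncTime -AutoSize

if ($Commit) {
    # Real removal, without a prompt for each device
    $Stale | Remove-ActiveSyncDevice -Confirm:$false
} else {
    # Dry run: reports what would be removed and changes nothing
    $Stale | Remove-ActiveSyncDevice -WhatIf
}
```

Because some users keep a backup device that rarely synchronizes, the CSV file gives you a list to check with them before setting `$Commit` to `$true`.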

Summary

Exchange ActiveSync has come a long way since it was first released in Exchange 2003 SP2 in 2005. Microsoft’s success in licensing ActiveSync to companies such as Apple and Google has greatly assisted the spread and widespread adoption of the protocol. As we head further into the BYOD era, the need exists to manage ActiveSync more thoroughly than before. Making sure that device partnerships remain current is part of that work. It’s easy to do, once you know what’s happening and have a little PowerShell code to hand.

About Tony Redmond

Lead author for the Office 365 for IT Pros eBook and writer about all aspects of the Office 365 ecosystem.

40 Responses to Managing Exchange ActiveSync device partnerships (in a world where we all use too many devices)

  1. dameluthas says:

    Awesome article Tony.. I look forward to meeting you at MEC14.

    Will you be speaking or do you have a designated area \ booth?

    Dame Luthas
    http://www.luthas.com

  2. John Lee says:

    Yep, looking forward to meeting Tony (The King of Exchange On-Premises) 🙂 at MEC14.

  5. Steen Pedersen says:

    Thanks for another great article. Looking forward to listening to you live at MEC14.

  9. Monte Welch says:

    Tony, timely article. I have several windowsmail clients, and one of them is being chatty. Do you know where I would look on the device to find the device ID?

  10. jvanwink says:

    Thanks Tony, setting a throttling policy for my hyper-connected self helped me out of a jam. I would’ve used our webmail portal, but the option to manage devices is broken. It just keeps prompting for login. The joys of on-premise systems.

    Regards,

    PS – I’ve reblogged your article. !

  11. Ian Fischer says:

    Tony,
    I have looked high and low for an Exchange 2013 version of this and have been unsuccessful. Simply changing the command to Get-mobiledevicestatistics doesn’t work. Any ideas?

    Thanks,
    Ian

  12. jonsisk says:

    Great write up, thanks!

  14. reisbaron says:

    Thank you for posting this. One of our owners has been pegging the 10-device limit lately. This worked like a charm!

  15. erich says:

    This is fantastic stuff! I’ve used this to identify and clean up some outdated devices. Thank you! I would like to run a script once a week that tells me when there are new device associations. I’d like to know the device ID, device type, device OS, user, and first sync time. Do you know if this is possible? Can you point me in the right direction?

  17. Peter Highlander says:

    It is all nice and peachy, but how do I see all Microsoft Outlooks that are paired with a given mailbox? Better yet, how do I make sure nobody is snooping in other people’s emails? I know, good passwords, etc., yet we all know people. They write their passwords on posted notes and I’d like to be able to tell John, “nobody is snooping on you, except for the govt obviously”, or “there is an Outlook such and such, that is not your work Outlook, and it is linked with your mailbox.”

    How do we do that? Thanks!

  18. tomas says:

    Hello Tony, great article!!

    Can I assign a policy to a group?

    Thanks!!

    • You mean to a distribution group? Yes, by first using Get-DistributionGroupMember to expand the membership and then feeding the resulting sets of objects to Set-CASMailbox to set the policy on the mailboxes.

      • tomas says:

        Ohh… OK. It would be a little bit difficult to maintain in a company but that’s OK. What if the distribution groups begin to have more users? Should I perform the procedure every time this happens?

        Thanks Tony for the answers!!!!

      • If you attempt to apply a policy to a mailbox that already has the policy it will be a null operation and nothing changes. So it would be safe enough to have a regular scan of a distribution group and use that as the basis of setting policy on a group of mailboxes.

        TR

  19. Elaine says:

    I have an owner that uses iPad Air 2 and iPhone. We, IT, have spare devices set up and ready at all times in two different locations, the US and France. His admins in two different locations also have one to be able to support him. We have come across the issue of too many devices connected to his account and I have been monitoring that through OWA for some time now. The issue I am having is trying to determine which device is whose. When clicking on the details in the Mobile Phones area it gives me device ID #s, IMEI #s, ccdid #s, model, but none of them match any of the information on any of the devices. They all have the same OS version so that doesn’t help. They are all iPad Air 2 devices so that doesn’t help. When it is time to delete one for restore/replacement purposes I can’t figure out which one to remove. The sync date is the only thing I can go by. This is really not a safe way since some devices are used at the same time. Why doesn’t the ID number or the IMEI number match the actual devices? Where do the numbers in the details section come from?

    • The answer is that I don’t know how Apple identifies its devices via ActiveSync. I gave up on iOS about 4 years ago and have used Windows Phone (for my pains) ever since. I suspect that some quarantine rules will expose what identities belong to what device but you probably don’t want to go along that route because the user will lose access for a short while until the device is released from quarantine. Can you tell based on the OS version running on the devices? Or have a look at Paul Cunningham’s guide to ActiveSync on exchangeserverpro.com as he is quite an iOS expert as well as on ActiveSync…

  20. Roman says:

    Hi Tony, What if you have an issue where devices are still polling the Exchange server but the users are no longer active on Exchange? Is there any way to block certain devices (that don’t have any current active Exchange user associated with them)?

  21. Roman says:

    Hi Tony, we can see in the IIS logs there are several devices repeatedly polling non-existent accounts and have been for several months, e.g. they used to be users with devices, the users no longer exist but the devices are still polling.

  22. Roman says:

    Thanks Tony! Apologies! Just thought you may now have seen the subsequent question. We will file a support ticket with Microsoft (wish me luck)!

  23. Daniel Usrey says:

    Nice article Tony. I ran across the last script posted somewhere else and I was wondering if this part is even necessary?
    -AND (name -notlike "cas_*") -AND (name -notlike "DiscoverysearchMailbox*")
