What does "Permission to sync not established" mean?

This error indicates the mobile device is not authorized to sync with Exchange. The device may be quarantined pending admin approval, blocked by device access rules, or the user lacks ActiveSync permissions in their mailbox settings.

Why is my device quarantined in Exchange?

Exchange can quarantine new devices for security. Admins must approve each device before it can sync. This is controlled by the Device Access State in ActiveSync organization settings and Mobile Device Mailbox Policies.

How do I approve a quarantined device?

Use Set-CASMailbox or the Exchange Admin Center to allow the device. Run Get-ActiveSyncDeviceStatistics to find the device ID, then Set-CASMailbox -ActiveSyncAllowedDeviceIDs to approve it.

Can I automatically allow all devices for certain users?

Yes, set the user mailbox to bypass device approval with Set-CASMailbox -ActiveSyncAllowedDeviceIDs $null. Or configure the organization-wide setting to allow all devices by default instead of quarantining.

Why can one user sync but another cannot?

Check individual mailbox settings with Get-CASMailbox. Users may have different ActiveSyncEnabled settings, different device access rules applied, or different Mobile Device Mailbox Policies with varying security requirements.

What does "Permission to sync not established" mean?

This error indicates the mobile device is not authorized to sync with Exchange. The device may be quarantined pending admin approval, blocked by device access rules, or the user lacks ActiveSync permissions in their mailbox settings.

Why is my device quarantined in Exchange?

Exchange can quarantine new devices for security. Admins must approve each device before it can sync. This is controlled by the Device Access State in ActiveSync organization settings and Mobile Device Mailbox Policies.

How do I approve a quarantined device?

Use Set-CASMailbox or the Exchange Admin Center to allow the device. Run Get-ActiveSyncDeviceStatistics to find the device ID, then Set-CASMailbox -ActiveSyncAllowedDeviceIDs to approve it.

Can I automatically allow all devices for certain users?

Yes, set the user mailbox to bypass device approval with Set-CASMailbox -ActiveSyncAllowedDeviceIDs $null. Or configure the organization-wide setting to allow all devices by default instead of quarantining.

Why can one user sync but another cannot?

Check individual mailbox settings with Get-CASMailbox. Users may have different ActiveSyncEnabled settings, different device access rules applied, or different Mobile Device Mailbox Policies with varying security requirements.

Permission to Sync Not Established

"Permission to sync not established" prevents mobile devices from connecting to Exchange, even with correct credentials. This guide explains how to diagnose permission issues and enable device synchronization.

Our Mobile Device Support Team specializes in ActiveSync configuration and mobile access management.

Error Overview: Device Sync Permissions

Exchange ActiveSync includes several layers of access control. When a device attempts to sync, it must pass through device access rules, user mailbox settings, and mobile device policies before synchronization is allowed.

Error Messages

# Device shows:
"Account could not be verified. Please check your settings."
"Permission to sync not established"
"Your device is not allowed to sync"

# iOS specific:
"Cannot Verify Account"
"The mail server is not responding"

# Android specific:
"Unable to open connection to server"
"Authentication failed"

# In Exchange logs:
"DeviceAccessState: Quarantined"
"DeviceAccessState: Blocked"
"ActiveSync: Access denied for device"

Symptoms & Business Impact

What Users Experience:

Cannot add Exchange account on mobile device
Existing sync stops working after policy change
Different devices work for same user but one doesn't
New device fails but old device works
Password is correct but sync still fails

What Admins See:

Devices showing as Quarantined in EAC
Blocked devices in Get-ActiveSyncDeviceStatistics
Users requesting device approval
ActiveSync access state errors in logs

Check Device Access State

# Check user's device access
$user = "john.doe@domain.com"
Get-ActiveSyncDeviceStatistics -Mailbox $user | Select-Object DeviceId, DeviceType, DeviceAccessState, DeviceAccessStateReason

# Check organization-wide settings
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, UserMailInsert

# Check user's CAS mailbox settings
Get-CASMailbox -Identity $user | Select-Object ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

Common Causes

1. Device Quarantine (35%)

Organization is configured to quarantine new devices pending administrator approval. The device must be explicitly allowed.

2. Device Access Rules (25%)

Device access rules block specific device types, operating systems, or user agents based on organization policy.

3. ActiveSync Disabled (20%)

ActiveSync is disabled for the user's mailbox, preventing any mobile device sync regardless of device approval status.

4. Blocked Device IDs (15%)

The specific device ID is on the user's blocked list, possibly from a previous security action.

5. Mobile Device Policy (5%)

The assigned Mobile Device Mailbox Policy requires features the device doesn't support, causing sync rejection.

Quick Diagnosis

Step 1: Check User's ActiveSync Settings

# Verify ActiveSync is enabled
$user = "john.doe@domain.com"
$cas = Get-CASMailbox -Identity $user

Write-Host "ActiveSync Enabled: $($cas.ActiveSyncEnabled)"
Write-Host "Allowed Devices: $($cas.ActiveSyncAllowedDeviceIDs -join ', ')"-join ', ')"
Write-Host "Blocked Devices: $($cas.ActiveSyncBlockedDeviceIDs -join ', ')"-join ', ')"
Write-Host "Device Policy: $($cas.ActiveSyncMailboxPolicy)"

Step 2: Check Device Status

# Get device details
$user = "john.doe@domain.com"
Get-ActiveSyncDeviceStatistics -Mailbox $user | Format-Table DeviceId, DeviceType, DeviceModel, DeviceAccessState, DeviceAccessStateReason, FirstSyncTime, LastSuccessSync -AutoSize

# Check for quarantined devices specifically
Get-ActiveSyncDeviceStatistics -Mailbox $user | Where-Object { $_.DeviceAccessState -eq "Quarantined" }

Step 3: Check Organization Settings

# Check default access level
Get-ActiveSyncOrganizationSettings | Format-List DefaultAccessLevel, AdminMailRecipients, UserMailInsert

# Default levels:
# - Allow = All devices allowed by default
# - Block = All devices blocked by default
# - Quarantine = New devices quarantined for approval

# Check device access rules
Get-ActiveSyncDeviceAccessRule | Format-Table Name, AccessLevel, Characteristic, QueryString

Quick Fix

Allow a Quarantined Device

# Get the device ID
$user = "john.doe@domain.com"
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $user
$devices | Format-Table DeviceId, DeviceType, DeviceAccessState

# Allow specific device
$deviceId = "AppleDQ7xxxxx"  # Replace with actual device ID
Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs @{Add=$deviceId}

# Verify
Get-CASMailbox -Identity $user | Select-Object ActiveSyncAllowedDeviceIDs

Write-Host "Device approved. User should retry sync on device."

Enable ActiveSync for User

# If ActiveSync is disabled
$user = "john.doe@domain.com"
Set-CASMailbox -Identity $user -ActiveSyncEnabled $true

# Verify
Get-CASMailbox -Identity $user | Select-Object DisplayName, ActiveSyncEnabled

Detailed Solutions

Solution 1: Change Organization Default Access

Configure Default Device Access

# Check current settings
Get-ActiveSyncOrganizationSettings | Format-List

# Option 1: Allow all devices by default (least secure)
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Allow

# Option 2: Quarantine new devices for approval (balanced)
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine -AdminMailRecipients admin@domain.com -UserMailInsert "Your device is pending approval. Please contact IT."

# Option 3: Block all by default, whitelist specific (most secure)
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Block

# After setting Quarantine or Block, approve devices individually
# Or create Device Access Rules for automatic approval

Solution 2: Create Device Access Rules

Auto-Approve by Device Type

# Allow all iPhones automatically
New-ActiveSyncDeviceAccessRule -QueryString "iPhone" -Characteristic DeviceType -AccessLevel Allow

# Allow all iOS devices
New-ActiveSyncDeviceAccessRule -QueryString "iOS" -Characteristic DeviceOS -AccessLevel Allow

# Allow Android devices
New-ActiveSyncDeviceAccessRule -QueryString "Android" -Characteristic DeviceOS -AccessLevel Allow

# Block specific problematic device types
New-ActiveSyncDeviceAccessRule -QueryString "OutlookBasicAuth" -Characteristic UserAgent -AccessLevel Block

# View all rules
Get-ActiveSyncDeviceAccessRule | Format-Table Name, Characteristic, QueryString, AccessLevel

Solution 3: Remove Device from Blocked List

Unblock Device

# Check if device is explicitly blocked
$user = "john.doe@domain.com"
$cas = Get-CASMailbox -Identity $user
Write-Host "Blocked Devices: $($cas.ActiveSyncBlockedDeviceIDs)"

# Remove device from blocked list
$deviceId = "AppleDQ7xxxxx"
Set-CASMailbox -Identity $user -ActiveSyncBlockedDeviceIDs @{Remove=$deviceId}

# Or clear all blocked devices
Set-CASMailbox -Identity $user -ActiveSyncBlockedDeviceIDs $null

# Add to allowed list
Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs @{Add=$deviceId}

# Verify
Get-CASMailbox -Identity $user | Select-Object ActiveSyncBlockedDeviceIDs, ActiveSyncAllowedDeviceIDs

Solution 4: Assign Compatible Device Policy

Check and Assign Device Policy

# List available Mobile Device Mailbox Policies
Get-MobileDeviceMailboxPolicy | Select-Object Name, IsDefault, PasswordEnabled, AllowSimpleDevicePassword, MinDevicePasswordLength

# Check what policy is assigned
$user = "john.doe@domain.com"
Get-CASMailbox -Identity $user | Select-Object ActiveSyncMailboxPolicy

# Create a less restrictive policy if needed
New-MobileDeviceMailboxPolicy -Name "StandardDevices" -PasswordEnabled $false -AllowNonProvisionableDevices $true -AllowSimpleDevicePassword $true

# Assign policy to user
Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy "StandardDevices"

# Or use default policy
Set-CASMailbox -Identity $user -ActiveSyncMailboxPolicy "Default"

Solution 5: Bulk Approve Devices

Approve All Quarantined Devices

# Get all quarantined devices
$quarantined = Get-ActiveSyncDevice -ResultSize Unlimited | Where-Object { $_.DeviceAccessState -eq "Quarantined" }

Write-Host "Found $($quarantined.Count) quarantined devices"

# Approve each device
foreach ($device in $quarantined) {
    $mailbox = $device.Identity -split "\\" | Select-Object -First 1
    $deviceId = $device.DeviceId

    Write-Host "Approving $deviceId for $mailbox"$mailbox"
    Set-CASMailbox -Identity $mailbox -ActiveSyncAllowedDeviceIDs @{Add=$deviceId}
}

Write-Host "All quarantined devices approved"

Verify the Fix

Verify Device Can Sync

$user = "john.doe@domain.com"

# Check device is now allowed
$devices = Get-ActiveSyncDeviceStatistics -Mailbox $user
$devices | Format-Table DeviceId, DeviceType, DeviceAccessState, LastSuccessSync

# Verify all states are "Allowed" not "Quarantined" or "Blocked""Quarantined" or "Blocked"
$blocked = $devices | Where-Object { $_.DeviceAccessState -ne "Allowed" }
if ($blocked) {
    Write-Host "Some devices still not allowed:" -ForegroundColor Yellow
    $blocked | Format-Table DeviceId, DeviceAccessState
} else {
    Write-Host "All devices allowed" -ForegroundColor Green
}

# Have user retry sync on device
Write-Host ""
Write-Host "User should now:"
Write-Host "1. Remove the Exchange account from device"
Write-Host "2. Re-add the account"-add the account"
Write-Host "3. Sync should now work"

Prevention Tips

Best Practices

Document device approval process for users
Create device access rules for common device types
Set up admin notifications for quarantined devices
Use Mobile Device Mailbox Policies appropriate for your security needs
Consider self-service device approval where appropriate
Regularly review and clean up old device partnerships

When to Escalate

Contact Exchange specialists if:

Device shows allowed but still cannot sync
Need to implement complex device access policies
Conditional access integration issues
Certificate-based authentication for mobile
Hybrid or M365 coexistence scenarios

Need Expert Help?

Our Mobile Device Team provides comprehensive ActiveSync policy configuration and troubleshooting.