How to Create Mobile Device Mailbox Policy in Microsoft 365

Have you ever considered the risks when an employee uses a non-compliant mobile device to access organization emails? Without proper security measures, these mobile devices become gateways for malicious actors to steal sensitive data or delete emails, jeopardizing your Microsoft 365 security.

To avoid these circumstances Exchange Online mobile device mailbox policies step in as a vital defense. These policies restrict non-compliant devices from accessing emails and allow you to remotely wipe email data from lost, stolen or non-compliant mobile devices. In this blog, we’ll walk you through the steps to configure mobile device mailbox policies in Microsoft 365, ensuring your organization’s email environment stays secure and compliant, no matter the threat.

A mobile device mailbox policy in Microsoft 365 is a set of security rules that are applied to mobile devices to make it compliant for connecting to an Exchange Online mailbox. You can use these policies to manage different settings such as:

• Require a password for mobile device security.
• Set a minimum length to ensure stronger passwords.
• Allow PINs or enforce special characters for added protection.
• Lock devices after inactivity, requiring reauthentication.
• Erase data after multiple failed login attempts to prevent unauthorized access.

These security settings are defined within the policy and then applied to users’ mailboxes, ensuring that mobile devices comply with the organization’s security standards.

A default mobile device mailbox policy is created in every Microsoft 365 tenant. However, you can add custom mobile device mailbox policy to your organization. There are two ways you can create mobile device mailbox policies.

• Using Exchange admin center (EAC)
• Using Exchange Online PowerShell

Let’s see each method clearly.

To create the mobile device mailbox policies in EAC follow the steps below.

• Login to the Exchange admin center and navigate to Mobile –> Mobile device mailbox policy.
• Here, you can see the default mobile device mailbox policy.
• To create a new mobile mailbox policy, click New and enter the name for your policy. Then, choose the following options based on your requirements.
  • If you want to make this policy the default one, then select the This is the default policy checkbox.
  • If you want to allow mobile devices to sync with EXO even if they don’t fully comply with the policy, then select the Allow mobile devices that don’t fully support these policies to sync option.
  • Once done, click Next.

Note: You can configure only password settings for mobile device mailbox policies in the EAC. For other security settings, you’ll need to use EXO PowerShell.

• In the Add security settings section, configure the following policy settings that you want to enable for Exchange ActiveSync mobile devices.
  • Require a mobile device mailbox password
    • Enables you to set password requirement for all mobile devices to sync with Exchange Online.
  • Allow simple passwords
    • Allows passwords like “1234” or “0000.”
  • Require an alphanumeric password
    • Passwords must include both letters (A-Z, a-z) and numbers (0-9). You can define the required complexity using the Password must include this many character sets drop-down menu.
  • Minimum password length
    • Sets the minimum number of characters or digits required for the PIN or password.
  • Number of sign-in failures before device is wiped
    • Defines how many incorrect attempts are allowed before all data is erased from the user’s mobile device mailbox.
  • Require sign-in after the device has been inactive for (minutes)
    • Sets how long the device can stay idle before it signs out the session and requires a password.
  • Enforce password lifetime (days)
    • Forces users to change their password after a specific number of days.
  • Password recycle count
    • Prevents users from reusing old passwords. For example, if you set value of 0 means they cannot use their last password again.

• Finally, review the policy name and its security settings, then hit Create.

How to Edit the Mobile Device Mailbox Policy in Microsoft 365?

You can edit a mobile device mailbox policy in Exchange admin center. To modify the policy, select the required mobile mailbox policy and click Edit from the toolbar. Use the General and Security tabs to adjust the policy settings, then Save the changes.

Even though you can create, modify, or delete mobile device mailbox policies in the Exchange admin center, it only provides the subset of settings. To cover all the mobile device mailbox policy settings, you need to use the Exchange Online PowerShell.

Before that connect to the Exchange Online PowerShell and run the below cmdlet to create mobile device mailbox policy in Microsoft 365 using PowerShell.

New-MobileDeviceMailboxPolicy -Name:<PolicyName> -AllowBluetooth:"HandsfreeOnly" -AllowBrowser:$true -AllowCamera:$true -AllowPOPIMAPEmail:$false -PasswordEnabled:$true -AlphanumericPasswordRequired:$true -PasswordRecoveryEnabled:$true -MaxEmailAgeFilter:10 -AllowWiFi:$true -AllowStorageCard:$true

In this cmdlet, replace the <PolicyName> with desired name to your policy before executing it. You can see we have included following additional settings to the mobile mailbox policy.

Allow Bluetooth	This setting specifies whether a mobile device allows Bluetooth connections. The available options are Disable, HandsFree Only, and Allow. The default value is Allow.
Allow Browser	This setting specifies whether Pocket Internet Explorer is allowed on the mobile device. This setting doesn’t affect third-party browsers installed on the mobile device. The default value is $true.
Allow Camera	This setting specifies whether the mobile device camera can be used. The default value is $true.
Allow POPIMAPEmail	This setting specifies whether the user can configure a POP3 or an IMAP4 email account on the mobile device. The default value is $true. This setting doesn’t control access by third-party email programs.
Allow Wi-Fi	This setting specifies whether wireless Internet access is allowed on the mobile device. The default value is $true.
Allow storage card	This setting specifies whether the mobile device can access information that’s stored on a storage card.

To know more additional policy settings to configure, run the following cmdlet.

Get-MobileDeviceMailboxPolicy -Identity <PolicyName>

This will display all the properties and policy settings. You can also use this cmdlet to verify that you’ve successfully created a mobile device mailbox policy.

To edit the settings of the mobile device mailbox policy in Exchange Online, use the Set-MobileDeviceMailboxPolicy cmdlet.

For example, if you want to make any other policy as the default and add additional settings like mentioned before, you can use the cmdlet below.

Set-MobileDeviceMailboxPolicy -Identity:<PolicyName> -PasswordEnabled:$true -AlphanumericPasswordRequired:$true -PasswordRecoveryEnabled:$true -MaxEmailAgeFilter:3 -AllowStorageCard:$true -AllowWiFi:$false -AllowPOPIMAPEmail:$false -AllowTextMessaging:$true -IsDefault:$true -Confirm:$true

The above example updates the following settings in the mobile device mailbox policy in Exchange Online.

• Enforces a password and requires an alphanumeric password
• Enables password recovery
• Limits email sync to the last 3 days
• Allows storage cards and text messaging
• blocks Wi-Fi and POP/IMAP email
• Sets this policy as the default and prompts for confirmation before applying changes.

By default, all users are assigned with the default mobile mailbox policy, but certain scenarios like frontline workers using older devices may require adjusted policies for device compatibility.

In such cases, assigning different policies to specific users makes your organization email access security more efficient.

To change mobile device mailbox policy for the user, follow the steps below.

• In Exchange admin center, navigate to the Recipients → Mailboxes.
• Now, click the desired user mailbox display name.
• In the mailbox flyout pane General tab, click Manage mobile devices under Email apps & mobile devices.

• Then, click Browse and select the desired mobile device mailbox policy to apply.
• Finally, hit Save. It will take up to 5 minutes to update the policy to the mailbox.

Android 10 and later versions shifted away from direct device administration for password policies, prioritizing user privacy. Instead of apps setting passwords, they now utilize the getPasswordComplexity API to query the device’s or work profile’s screen lock complexity level. If the current complexity doesn’t meet the app’s requirements, the user is redirected to the system’s screen lock settings to update their security, ensuring the app never accesses or knows the actual password while maintaining the ability to enforce password strength standards.

What Would Happen If the Mobile Device Configured with Biometrics?

Exchange mobile device mailbox policies do not control whether users can use biometrics like touch ID, face ID instead of a PIN. Policies can enforce a device PIN, but users decide whether to use biometrics after meeting the PIN requirement.

That’s it! I hope this blog has provided you with clear steps and insights on configuring mobile device mailbox policy in Microsoft 365. If you have any questions or need assistance, don’t hesitate to reach out in the comments section.