Cortado Support

How to set up conditional access with Exchange quarantine and device ID synchronization

This How-To shows how to set up conditional access for mobile devices managed with Cortado; the scripts referred to at the end of this article are used for this. The term Conditional Access comes from Microsoft Entra ID, where it decides who may access company resources such as Exchange, when, how and from where. The approach described here achieves a comparable control for Exchange ActiveSync on an on-premises Exchange Server using the Exchange quarantine feature.

The logic is based on the Exchange ActiveSync quarantine feature and on a comparison of the device IDs known to the MDM with the device IDs that Exchange records for the end devices. Only managed devices whose IDs are on the Allow list are granted access via Exchange ActiveSync; every other device is quarantined.

1. Activate Exchange quarantine

The quarantine function is activated in the Exchange Admin Center under Mobile > Mobile device access (access setting "Quarantine"). Once it is active, every ActiveSync device that is not on the Allow list of its mailbox (and is not covered by a device access rule) is placed in quarantine instead of being allowed to synchronize. The quarantine takes effect from the device's next synchronization attempt; the user receives a notification, and the administrators configured for quarantine notifications are informed by e-mail.

Optional: Release existing devices in advance

To avoid locking out devices that are already synchronizing when the quarantine is switched on, the script Eintragen-AllowList_All.ps1 can be run beforehand. It adds the device IDs of all currently connected ActiveSync devices to the Allow list of their respective mailboxes; the Allow list is maintained per mailbox, not globally.
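The following script is an added example of what this step does; it is not Eintragen-AllowList_All.ps1 or any other Cortado script. It seeds the per-mailbox Allow list with every device that currently has an ActiveSync partnership and only then switches the organization default to Quarantine, so no existing device is cut off in between. Assumptions not taken from the article: on-premises Exchange 2013/2016/2019, the snap-in name used to load the Exchange Management Shell, a 30-day window after which a partnership is treated as stale and skipped, and the notification address exchange-admins@example.com.

```powershell
# Added example (not a Cortado script): allow all currently connected ActiveSync
# devices, then enable quarantine. Run in an elevated PowerShell session on the
# Exchange Server with an account that holds the required Exchange RBAC roles.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: partnerships that have not synced for this many days are skipped
    [int]$MaxDaysSinceLastSync = 30,
    # Assumption: who gets the quarantine notification mails
    [string]$AdminMailRecipient = 'exchange-admins@example.com'
)

# Load the Exchange Management Shell when started from a plain PowerShell session
if (-not (Get-Command Get-MobileDeviceStatistics -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop
}

$cutoff  = (Get-Date).AddDays(-$MaxDaysSinceLastSync)
$summary = @()

# Only mailboxes that actually have an ActiveSync partnership are relevant
$mailboxes = Get-CASMailbox -ResultSize Unlimited -Filter 'HasActiveSyncDevicePartnership -eq $true'

foreach ($mbx in $mailboxes) {
    $already = @($mbx.ActiveSyncAllowedDeviceIDs)
    $toAdd   = @()

    foreach ($stat in (Get-MobileDeviceStatistics -Mailbox $mbx.Identity)) {
        # Skip stale partnerships (assumption, see parameter above)
        if ($stat.LastSuccessSync -and $stat.LastSuccessSync -lt $cutoff) { continue }
        if ($already -notcontains $stat.DeviceID) { $toAdd += $stat.DeviceID }
    }

    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Allow device IDs: $($toAdd -join ', ')")) {
        # ActiveSyncAllowedDeviceIDs is multi-valued; @{Add=...} appends instead of overwriting
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $toAdd}
    }

    $summary += [pscustomobject]@{
        Mailbox        = $mbx.PrimarySmtpAddress
        Added          = $toAdd.Count
        AlreadyAllowed = $already.Count
    }
}

$summary | Sort-Object Mailbox | Format-Table -AutoSize

# Only now switch the default. From its next sync onward, every device that is
# neither on its mailbox's Allow list nor matched by a device access rule is quarantined.
if ($PSCmdlet.ShouldProcess('ActiveSync organization settings', 'Set DefaultAccessLevel to Quarantine')) {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
        -AdminMailRecipients $AdminMailRecipient
}
```

Run it once with `-WhatIf` to see which device IDs would be added per mailbox and confirm the summary looks plausible before the real run; the quarantine switch is deliberately the last action so that a failed or interrupted seeding run does not leave users locked out.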


2. Requirements for future device release

To ensure that only managed devices are released automatically, the device ID reported by the MDM (e.g. Cortado) must match the device ID that Exchange records for the device's ActiveSync partnership. The automatic release is based on this comparison, so it only works for mail clients whose ActiveSync device ID is identical to the MDM device ID.

Important:

  • iOS: The Exchange ID is only identical to the MDM device ID when an MDM-controlled mail profile (the iOS Mail app) is used.
  • Android: Gmail or Samsung Mail with app configuration generate suitable IDs.

    Microsoft Outlook for Android generates a different device ID of its own and is therefore not suitable for this synchronization; such devices have to be released manually if at all.


3. Manual adjustment

If no automated process is available, the release can be carried out manually:

  1. Export a report containing the Exchange ID and e-mail address from Cortado.
  2. Enter the data in the CSV template Input-Allow-MobileDevice.csv.
     Note! The file name must not be changed.
  3. Store the CSV file locally on the Exchange Server under the following path: D:\scriptePS\Input-Allow-MobileDevice.csv
  4. Run the script Liste-Eintragen-Allow-MobileDevice.ps1.

     This script reads the file and adds the listed devices to the Allow list of the corresponding mailboxes.
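The script below is an added example of the CSV-driven release described in steps 1 to 4; it is not Liste-Eintragen-Allow-MobileDevice.ps1 or any other Cortado script. It reads the CSV from the path given in the text, validates each row, adds the MDM-reported device IDs to the Allow list of the matching mailbox, and then lists partnerships for those mailboxes that Exchange still does not allow, which is the usual symptom of the ID mismatch described in section 2 (e.g. Outlook for Android). Assumptions not taken from the article: the CSV header is `EmailAddress,DeviceId`, the delimiter is a comma, the file is UTF-8, and a device ID is treated as valid when it is 1 to 32 alphanumeric characters.

```powershell
# Added example (not a Cortado script): release devices from Input-Allow-MobileDevice.csv.
# Run in an elevated PowerShell session on the Exchange Server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CsvPath   = 'D:\scriptePS\Input-Allow-MobileDevice.csv',
    [string]$Delimiter = ','   # assumption: comma-separated template
)

# Load the Exchange Management Shell when started from a plain PowerShell session
if (-not (Get-Command Set-CASMailbox -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop
}
if (-not (Test-Path -LiteralPath $CsvPath)) { throw "CSV file not found: $CsvPath" }

# Assumption: columns EmailAddress and DeviceId; reject anything that is not a plausible
# ActiveSync device ID before touching Exchange, so a broken export cannot pollute the Allow list
$rows    = Import-Csv -LiteralPath $CsvPath -Delimiter $Delimiter -Encoding UTF8
$valid   = @()
$invalid = @()
foreach ($r in $rows) {
    $mail = ([string]$r.EmailAddress).Trim()
    $id   = ([string]$r.DeviceId).Trim()
    if ($mail -and $id -match '^[A-Za-z0-9]{1,32}$') {
        $valid += [pscustomobject]@{ Mail = $mail; DeviceId = $id }
    } else {
        $invalid += $r
    }
}
if ($invalid.Count -gt 0) {
    Write-Warning "$($invalid.Count) row(s) skipped because of a missing address or malformed device ID:"
    $invalid | Format-Table -AutoSize | Out-String | Write-Warning
}

$groups = $valid | Group-Object Mail

# One Set-CASMailbox call per mailbox; @{Add=...} appends to the multi-valued property
foreach ($grp in $groups) {
    $mbx = Get-CASMailbox -Identity $grp.Name -ErrorAction SilentlyContinue
    if (-not $mbx) { Write-Warning "Mailbox not found: $($grp.Name)"; continue }

    $ids = @($grp.Group.DeviceId | Select-Object -Unique |
             Where-Object { $mbx.ActiveSyncAllowedDeviceIDs -notcontains $_ })
    if ($ids.Count -eq 0) { continue }

    if ($PSCmdlet.ShouldProcess($mbx.PrimarySmtpAddress, "Allow device IDs: $($ids -join ', ')")) {
        Set-CASMailbox -Identity $mbx.Identity -ActiveSyncAllowedDeviceIDs @{Add = $ids}
    }
}

# Verification: partnerships for these mailboxes that Exchange still does not allow.
# The access state only changes at the device's next sync, so a freshly allowed ID can
# still show as Quarantined for a while. A quarantined partnership whose DeviceId is not
# in the CSV at all (InCsv = False) usually means the mail app uses its own device ID
# (e.g. Outlook for Android), so the MDM ID can never match it.
foreach ($grp in $groups) {
    Get-MobileDevice -Mailbox $grp.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
        Select-Object @{ n = 'Mailbox'; e = { $grp.Name } },
                      DeviceId, DeviceType, DeviceAccessState,
                      @{ n = 'InCsv'; e = { $grp.Group.DeviceId -contains $_.DeviceId } }
}
```

The validation step and the per-mailbox de-duplication mean the script can be re-run safely after correcting the CSV; devices that are already on the Allow list are not added a second time, and `-WhatIf` shows the planned changes without applying them.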


Note! The scripts load the Exchange Management Shell (EMS) first. This is necessary because they run locally on the Exchange Server. Run them from an elevated PowerShell session (admin rights) with an account that holds the Exchange management roles required for the cmdlets used.
