Parameter Attribute DataType Description Allowed Values
Name Key String The Name parameter specifies the friendly name of the mobile device mailbox policy.
AllowApplePushNotifications Write Boolean The AllowApplePushNotifications parameter specifies whether push notifications are allowed to Apple mobile devices.
AllowBluetooth Write String The AllowBluetooth parameter specifies whether the Bluetooth capabilities are allowed on the mobile phone. The available options are Disable, HandsfreeOnly, and Allow. The default value is Allow. Disable, HandsfreeOnly, Allow
AllowBrowser Write Boolean The AllowBrowser parameter indicates whether Microsoft Pocket Internet Explorer is allowed on the mobile phone. This parameter doesn't affect third-party browsers.
AllowCamera Write Boolean The AllowCamera parameter specifies whether the mobile phone's camera is allowed.
AllowConsumerEmail Write Boolean The AllowConsumerEmail parameter specifies whether the mobile phone user can configure a personal email account on the mobile phone.
AllowDesktopSync Write Boolean The AllowDesktopSync parameter specifies whether the mobile phone can synchronize with a desktop computer through a cable.
AllowExternalDeviceManagement Write Boolean The AllowExternalDeviceManagement parameter specifies whether an external device management program is allowed to manage the mobile phone.
AllowGooglePushNotifications Write Boolean The AllowGooglePushNotifications parameter controls whether the user can receive push notifications from Google for Outlook on the web for devices.
AllowHTMLEmail Write Boolean The AllowHTMLEmail parameter specifies whether HTML email is enabled on the mobile phone.
AllowInternetSharing Write Boolean The AllowInternetSharing parameter specifies whether the mobile phone can be used as a modem to connect a computer to the Internet.
AllowIrDA Write Boolean The AllowIrDA parameter specifies whether infrared connections are allowed to the mobile phone.
AllowMobileOTAUpdate Write Boolean The AllowMobileOTAUpdate parameter specifies whether the Exchange ActiveSync mailbox policy can be sent to the mobile phone over a cellular data connection.
AllowMicrosoftPushNotifications Write Boolean The AllowMicrosoftPushNotifications parameter specifies whether push notifications are enabled on the mobile device.
AllowNonProvisionableDevices Write Boolean The AllowNonProvisionableDevices parameter specifies whether all mobile phones can synchronize with the server running Exchange.
AllowPOPIMAPEmail Write Boolean The AllowPOPIMAPEmail parameter specifies whether the user can configure a POP3 or IMAP4 email account on the mobile phone.
AllowRemoteDesktop Write Boolean The AllowRemoteDesktop parameter specifies whether the mobile phone can initiate a remote desktop connection.
AllowSimplePassword Write Boolean The AllowSimplePassword parameter specifies whether a simple device password is allowed. A simple device password is a password that has a specific pattern, such as 1111 or 1234.
AllowSMIMEEncryptionAlgorithmNegotiation Write String The AllowSMIMEEncryptionAlgorithmNegotiation parameter specifies whether the messaging application on the mobile device can negotiate the encryption algorithm if a recipient's certificate doesn't support the specified encryption algorithm. AllowAnyAlgorithmNegotiation, BlockNegotiation, OnlyStrongAlgorithmNegotiation
AllowSMIMESoftCerts Write Boolean The AllowSMIMESoftCerts parameter specifies whether S/MIME software certificates are allowed.
AllowStorageCard Write Boolean The AllowStorageCard parameter specifies whether the mobile phone can access information stored on a storage card.
AllowTextMessaging Write Boolean The AllowTextMessaging parameter specifies whether text messaging is allowed from the mobile phone.
AllowUnsignedApplications Write Boolean The AllowUnsignedApplications parameter specifies whether unsigned applications can be installed on the mobile phone.
AllowUnsignedInstallationPackages Write Boolean The AllowUnsignedInstallationPackages parameter specifies whether unsigned installation packages can be executed on the mobile phone.
AllowWiFi Write Boolean The AllowWiFi parameter specifies whether wireless Internet access is allowed on the mobile phone.
AlphanumericPasswordRequired Write Boolean The AlphanumericPasswordRequired parameter specifies whether the password for the mobile phone must be alphanumeric.
ApprovedApplicationList Write StringArray[] The ApprovedApplicationList parameter specifies a list of approved applications for the mobile phone.
AttachmentsEnabled Write Boolean The AttachmentsEnabled parameter specifies whether attachments can be downloaded.
DeviceEncryptionEnabled Write Boolean The DeviceEncryptionEnabled parameter specifies whether encryption is enabled.
DevicePolicyRefreshInterval Write String The DevicePolicyRefreshInterval parameter specifies how often the policy is sent from the server to the mobile phone.
IrmEnabled Write Boolean The IrmEnabled parameter specifies whether Information Rights Management (IRM) is enabled for the mailbox policy.
IsDefault Write Boolean The IsDefault parameter specifies whether this policy is the default Mobile Device mailbox policy.
MaxAttachmentSize Write String The MaxAttachmentSize parameter specifies the maximum size of attachments that can be downloaded to the mobile phone.
MaxCalendarAgeFilter Write String The MaxCalendarAgeFilter parameter specifies the maximum range of calendar days that can be synchronized to the device. All, TwoWeeks, OneMonth, ThreeMonths, SixMonths
MaxEmailAgeFilter Write String The MaxEmailAgeFilter parameter specifies the maximum number of days of email items to synchronize to the mobile phone. All, OneDay, ThreeDays, OneWeek, TwoWeeks, OneMonth
MaxEmailBodyTruncationSize Write String The MaxEmailBodyTruncationSize parameter specifies the maximum size at which email messages are truncated when synchronized to the mobile phone. The value is specified in kilobytes (KB).
MaxEmailHTMLBodyTruncationSize Write String The MaxEmailHTMLBodyTruncationSize parameter specifies the maximum size at which HTML-formatted email messages are synchronized to the mobile phone. The value is specified in KB.
MaxInactivityTimeLock Write String The MaxInactivityTimeDeviceLock parameter specifies the length of time that the mobile phone can be inactive before the password is required to reactivate it.
MaxPasswordFailedAttempts Write String The MaxPasswordFailedAttempts parameter specifies the number of attempts a user can make to enter the correct password for the mobile phone. You can enter any number from 4 through 16 or the value Unlimited.
MinPasswordComplexCharacters Write String The MinPasswordComplexCharacters parameter specifies the character sets that are required in the password of the mobile device.
MinPasswordLength Write String The MinPasswordLength parameter specifies the minimum number of characters in the mobile device password.
PasswordEnabled Write Boolean The PasswordEnabled parameter specifies whether a password is required on the mobile device.
PasswordExpiration Write String The PasswordExpiration parameter specifies how long a password can be used on a mobile device before the user is forced to change the password.
PasswordHistory Write String The PasswordHistory parameter specifies the number of unique new passwords that need to be created on the mobile device before an old password can be reused.
PasswordRecoveryEnabled Write Boolean The PasswordRecoveryEnabled parameter specifies whether the recovery password for the mobile device is stored in Exchange.
RequireDeviceEncryption Write Boolean The RequireDeviceEncryption parameter specifies whether encryption is required on the mobile device.
RequireEncryptedSMIMEMessages Write Boolean The RequireEncryptedSMIMEMessages parameter specifies whether the mobile device must send encrypted S/MIME messages.
RequireEncryptionSMIMEAlgorithm Write String The RequireEncryptionSMIMEAlgorithm parameter specifies the algorithm that's required to encrypt S/MIME messages on a mobile device. DES, TripleDES, RC240bit, RC264bit, RC2128bit
RequireManualSyncWhenRoaming Write Boolean The RequireSignedSMIMEAlgorithm parameter specifies the algorithm that's used to sign S/MIME messages on the mobile device.
RequireSignedSMIMEAlgorithm Write String The RequireSignedSMIMEAlgorithm parameter specifies the algorithm that's used to sign S/MIME messages on the mobile device. SHA1, MD5
RequireSignedSMIMEMessages Write Boolean The RequireSignedSMIMEMessages parameter specifies whether the mobile device must send signed S/MIME messages.
RequireStorageCardEncryption Write Boolean The RequireStorageCardEncryption parameter specifies whether storage card encryption is required on the mobile device.
UnapprovedInROMApplicationList Write StringArray[] The UnapprovedInROMApplicationList parameter specifies a list of applications that can't be run in ROM on the mobile device.
UNCAccessEnabled Write Boolean The UNCAccessEnabled parameter specifies whether access to Microsoft Windows file shares is enabled from the mobile device.
WSSAccessEnabled Write Boolean The WSSAccessEnabled parameter specifies whether access to Microsoft Windows SharePoint Services is enabled from the mobile device.
Ensure Write String Specify if the Mobile Device Mailbox Policy should exist or not. Present, Absent
Credential Write PSCredential Credentials of the Exchange Global Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
CertificatePassword Write PSCredential Username can be made up to anything but password will be used for CertificatePassword
CertificatePath Write String Path to certificate used in service principal usually a PFX file.
ManagedIdentity Write Boolean Managed ID being used for authentication.


This resource configures Mobile Device Mailbox Policies in Exchange Online.



To authenticate with Microsoft Exchange, this resource required the following permissions:


  • Recipient Policies, View-Only Recipients, Mail Recipient Creation, View-Only Configuration, Mail Recipients

Role Groups

  • Organization Management


Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.

Configuration Example
        [Parameter(Mandatory = $true)]
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
        EXOMobileDeviceMailboxPolicy 'ConfigureMobileDeviceMailboxPolicy'
            Name                                     = "Default"
            AllowApplePushNotifications              = $True
            AllowBluetooth                           = "Allow"
            AllowBrowser                             = $True
            AllowCamera                              = $True
            AllowConsumerEmail                       = $True
            AllowDesktopSync                         = $True
            AllowExternalDeviceManagement            = $False
            AllowGooglePushNotifications             = $True
            AllowHTMLEmail                           = $True
            AllowInternetSharing                     = $True
            AllowIrDA                                = $True
            AllowMicrosoftPushNotifications          = $True
            AllowMobileOTAUpdate                     = $True
            AllowNonProvisionableDevices             = $True
            AllowPOPIMAPEmail                        = $True
            AllowRemoteDesktop                       = $True
            AllowSimplePassword                      = $True
            AllowSMIMEEncryptionAlgorithmNegotiation = "AllowAnyAlgorithmNegotiation"
            AllowSMIMESoftCerts                      = $True
            AllowStorageCard                         = $True
            AllowTextMessaging                       = $True
            AllowUnsignedApplications                = $True
            AllowUnsignedInstallationPackages        = $True
            AllowWiFi                                = $True
            AlphanumericPasswordRequired             = $False
            ApprovedApplicationList                  = @()
            AttachmentsEnabled                       = $True
            DeviceEncryptionEnabled                  = $False
            DevicePolicyRefreshInterval              = "Unlimited"
            IrmEnabled                               = $True
            IsDefault                                = $True
            MaxAttachmentSize                        = "Unlimited"
            MaxCalendarAgeFilter                     = "All"
            MaxEmailAgeFilter                        = "All"
            MaxEmailBodyTruncationSize               = "Unlimited"
            MaxEmailHTMLBodyTruncationSize           = "Unlimited"
            MaxInactivityTimeLock                    = "Unlimited"
            MaxPasswordFailedAttempts                = "Unlimited"
            MinPasswordComplexCharacters             = 1
            PasswordEnabled                          = $False
            PasswordExpiration                       = "Unlimited"
            PasswordHistory                          = 0
            PasswordRecoveryEnabled                  = $False
            RequireDeviceEncryption                  = $False
            RequireEncryptedSMIMEMessages            = $False
            RequireEncryptionSMIMEAlgorithm          = "TripleDES"
            RequireManualSyncWhenRoaming             = $False
            RequireSignedSMIMEAlgorithm              = "SHA1"
            RequireSignedSMIMEMessages               = $False
            RequireStorageCardEncryption             = $False
            UnapprovedInROMApplicationList           = @()
            UNCAccessEnabled                         = $True
            WSSAccessEnabled                         = $True
            Ensure                                   = "Present"
            Credential                               = $credsGlobalAdmin