Microsoft to Block Outdated Exchange ActiveSync Devices from Exchange Online Starting March 2026

Microsoft announced on Monday that it will begin blocking mobile devices running outdated email software from accessing Exchange Online services starting March 1, 2026. The change specifically targets devices using Exchange ActiveSync (EAS) protocol versions below 16.1, a nearly decade-old standard that the company says no longer meets modern security and functionality requirements.

This decision affects organizations worldwide that rely on Microsoft's cloud-based email infrastructure and have employees using native email applications on smartphones and tablets. While the timeline provides over a year for preparation, IT administrators should begin auditing their device fleets immediately to identify potentially affected users and plan remediation strategies.

Understanding the Exchange ActiveSync Protocol Change

Exchange ActiveSync is a Microsoft-developed synchronization protocol that enables mobile devices to access email, calendar, contacts, and tasks from an Exchange server. The protocol has been a cornerstone of enterprise mobile email since its introduction, and it remains enabled by default for all new user mailboxes in Exchange Online. For those unfamiliar with this technology, our guide on What is Exchange ActiveSync provides a comprehensive overview of how the protocol works and why it matters for enterprise email.

"We want to inform our users and organizations about an important upcoming change regarding Exchange ActiveSync (EAS) device connectivity to Exchange Online," the Exchange Team stated in their announcement. "Starting March 1, 2026, devices running ActiveSync versions lower than 16.1 will no longer be able to connect to our services. EAS 16.1 was released as a part of Exchange Server and Exchange Online in June 2016."

The requirement for EAS 16.1 or higher represents Microsoft's effort to standardize on protocol versions that support modern security features and improved synchronization capabilities. Devices running older protocol versions may lack support for important security mechanisms, including enhanced authentication methods and improved data protection features.

What Devices and Applications Are Affected

The scope of this change is specifically limited to devices using native email applications that connect to Exchange Online via the ActiveSync protocol. This is an important distinction that determines which users need to take action:

Native email apps on Android devices using EAS versions below 16.1

Third-party email clients that have not updated their ActiveSync implementation

Older mobile devices that cannot be updated to support newer protocol versions

Legacy enterprise mobility solutions that rely on older EAS versions

Importantly, several major platforms and applications are not affected by this change. Microsoft Outlook Mobile, the company's dedicated mobile email application, does not use the Exchange ActiveSync protocol and will continue to function normally. Similarly, on-premises Exchange Server installations are not subject to this requirement—the change applies exclusively to Exchange Online, Microsoft's cloud-based email service.

Apple iOS Devices

Apple users can breathe easy. The iOS Mail app has supported ActiveSync 16.1 since iOS 10, which was released in September 2016. This means any iPhone or iPad running iOS 10 or later is already compatible with Microsoft's new requirements. Given that Apple's current minimum supported iOS version is significantly newer than iOS 10, the vast majority of Apple devices in active use today will experience no disruption.

Android Devices

The Android ecosystem presents a more complex picture due to its fragmented nature. Google and Samsung are currently updating their native email applications to support the newer protocol version. Users of Google's Gmail app or Samsung Email should ensure their applications are updated to the latest versions before the March 2026 deadline. Other Android device manufacturers may also need to issue updates for their native email clients.

Impact on Enterprise Organizations

For IT departments managing corporate email access, this announcement represents a significant operational consideration. Organizations with Bring Your Own Device (BYOD) policies may face particular challenges, as they have less control over the devices employees use to access corporate email. Understanding Microsoft 365 Mobile Device Management capabilities becomes essential for administrators who need to enforce compliance with the new requirements.

The decision comes after what Microsoft describes as "extensive collaboration with multiple licensed device and application vendors to ensure a smooth transition for as many users as possible." This coordination suggests that most major mobile platform providers and email application developers have been given advance notice and are working on compliance.

Auditing Your Organization's Device Fleet

Microsoft has provided IT administrators with a PowerShell command to identify all devices within their organization that are currently using older EAS versions. For administrators who need to build proficiency with these tools, our guide on Exchange Online PowerShell for IT Administrators covers the essential commands and techniques for managing Exchange Online environments.

The following PowerShell command generates a report of all devices using EAS versions below 16.1:

This command retrieves all mobile devices connected via ActiveSync, filters for those running versions below 16.1, and outputs a sorted list including the user's display name, email address, device ID, and device model. IT administrators should run this audit regularly between now and the March 2026 deadline to track remediation progress.

Timeline and Preparation Steps

With the enforcement date set for March 1, 2026, organizations have approximately 14 months to prepare. Microsoft recommends the following approach:

Immediately audit your device fleet: Run the PowerShell command to identify affected devices and users.

Communicate with affected users: Notify employees who need to update their devices or applications.

Update applications: Ensure native email apps are updated to the latest versions that support EAS 16.1.

Consider Outlook Mobile: For devices that cannot be updated, migrating to Outlook Mobile is a reliable alternative.

Plan device replacements: Legacy devices that cannot support EAS 16.1 may need to be retired.

Re-audit periodically: Run the audit command monthly to track progress and identify newly added non-compliant devices.

Security Implications of the Change

While Microsoft frames this change primarily as a modernization effort, there are legitimate security reasons for deprecating older protocol versions. Exchange ActiveSync 16.1 and later versions include improvements in authentication handling, data synchronization reliability, and support for modern security features that align with Microsoft's broader security initiatives.

Older ActiveSync versions may not fully support features like OAuth 2.0 authentication, which Microsoft has been progressively mandating across its services. By requiring EAS 16.1 or higher, Microsoft ensures that all connected devices support the authentication and security mechanisms necessary for protecting sensitive email data in the cloud.

Context: Recent Exchange ActiveSync Issues

This announcement comes on the heels of a recent issue that affected Microsoft 365 users connecting via Exchange ActiveSync. Last month, Microsoft resolved a bug that prevented some users from connecting to email servers via ActiveSync using Outlook desktop clients. While unrelated to the protocol version deprecation, it highlights the ongoing maintenance and evolution of the ActiveSync infrastructure.

The Exchange Team emphasized their commitment to minimizing disruption: "If users and organizations keep their devices and applications updated to the latest supported versions, there should be minimal disruption in service. We encourage everyone to verify their devices and applications are up to date before the change takes effect."

What Organizations Should Do Now

For IT administrators and security teams, the immediate priority should be visibility. Understanding which devices and users are affected is the essential first step toward planning remediation. Organizations should:

Run the provided PowerShell audit command to generate a baseline report of affected devices

Review mobile device management policies to understand current enforcement capabilities

Develop communication plans for notifying affected users well in advance of the deadline

Evaluate whether Outlook Mobile can serve as a standardized solution for mobile email access

Budget for potential device replacements where legacy hardware cannot support the required protocol version

With over a year of lead time, this change should be manageable for most organizations that begin planning now. The key is early identification of affected systems and proactive communication with end users to ensure a smooth transition before the March 1, 2026 enforcement date.

Learn More

To better understand the technologies and concepts discussed in this article, explore our educational resources:

What is Exchange ActiveSync? — A complete guide to understanding the EAS protocol and how it enables mobile email synchronization.

Microsoft 365 Mobile Device Management — Learn how to secure corporate email access on personal and corporate mobile devices.

Exchange Online PowerShell for IT Administrators — Master the essential commands for managing Exchange Online, including device auditing and reporting.