Active Sync

📱 Mirket ActiveSync MFA Integration for Microsoft Exchange

Mirket ActiveSync MFA agent brings Multi-Factor Authentication to the Exchange ActiveSync layer, enabling an additional security layer for mobile device access. This ensures that newly syncing devices go through a user-approved MFA flow before being granted access.


📦 Agent Download & Installation

🧭 Where to Download

The agent can be downloaded from the Mirket Portal:

Path: Configuration → Active Sync → Manage → Full Setup

🛠 Installation Steps

  1. Download and unzip the package.

  2. Open the extracted folder MirketActiveSync.

  3. Edit the config.json file and fill in:

    • accountId

    • apiKey

    These values can be retrieved from the Mirket Admin Portal.

  4. Save and close the file.

  5. Run the install.bat script as Administrator to complete the installation.

After installation, a Windows service named MirketActiveSyncAgentService will be created.


👤 Service Account Configuration

  1. Open Services on the Exchange server.

  2. Locate and double-click MirketActiveSyncAgentService.

  3. Go to the Log On tab.

  4. Enter credentials of a user who has permission to run Exchange Management Shell.

  5. Click OK.

  6. Start or Restart the service to activate the agent.


📲 Exchange Quarantine Settings for New Devices

To ensure that all newly connecting devices go into quarantine by default (and thus go through the Mirket MFA flow), run the following command in Exchange Management Shell:

Safely Changing ActiveSync DefaultAccessLevel to “Quarantine”

⚠️ Important Warning

Before changing the DefaultAccessLevel to Quarantine, make sure all existing devices are explicitly set to “Allowed (Individual)”. Otherwise, any devices currently inheriting the default policy (Global or Inherited devices) will immediately fall into quarantine once the default policy is changed.


1) Check the current default behavior


2) Mark all existing devices as “Allowed (Individual)”

The following script retrieves each user’s mailbox, gets their connected device IDs, and adds them to their personal Allowed Device List (without removing existing entries).

Optional verification: randomly check a few users


3) Change the default behavior to “Quarantine”

Once all existing devices are whitelisted, run:

Verify the change:


4) Expected behavior

  • Existing devices: Remain allowed because they are explicitly set as “Individual Allowed”.

  • Newly connecting devices: Are automatically quarantined and await admin approval.

Note: Mirket does not interfere with existing devices — only newly detected devices are affected.
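
Steps 1 to 3 above as a single Exchange Management Shell script, added here as an example (it is not Mirket's own script). It assumes Exchange 2013 or later (Get-MobileDevice); `$Apply` and `Get-UnlistedDevice` are illustrative names. As a precaution it only allow-lists devices whose current state is Allowed, and it leaves the default unchanged while any such device is still missing from its owner's allow list.

```powershell
# Added example, not Mirket's script. Assumes Exchange 2013+ (Get-MobileDevice).
# $Apply and Get-UnlistedDevice are illustrative names.
$Apply = $false   # dry run by default; set to $true to make changes

# Devices that sync today (state Allowed) but are not on their owner's
# personal allow list, i.e. the ones that would fall into quarantine.
function Get-UnlistedDevice {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $id      = $mbx.DistinguishedName
        $allowed = @((Get-CASMailbox -Identity $id).ActiveSyncAllowedDeviceIDs)
        Get-MobileDevice -Mailbox $id |
            Where-Object { $_.DeviceAccessState -eq 'Allowed' -and
                           $allowed -notcontains $_.DeviceId } |
            Select-Object @{ n = 'Mailbox'; e = { $id } },
                          DeviceId, FriendlyName, DeviceAccessStateReason
    }
}

# 1) Check the current default behavior
$before = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
Write-Host "DefaultAccessLevel before: $before"

# 2) Add each unlisted device to its owner's allow list (existing entries kept)
foreach ($dev in @(Get-UnlistedDevice)) {
    Set-CASMailbox -Identity $dev.Mailbox `
        -ActiveSyncAllowedDeviceIDs @{ Add = $dev.DeviceId } -WhatIf:(-not $Apply)
}

# 3) Change the default only when nothing is left uncovered
$left = @(Get-UnlistedDevice)
if ($Apply -and $left.Count -eq 0) {
    Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine
} else {
    Write-Warning "$($left.Count) allowed device(s) not on a personal allow list; default unchanged."
    $left | Format-Table -AutoSize
}

# Verify the change
$after = (Get-ActiveSyncOrganizationSettings).DefaultAccessLevel
Write-Host "DefaultAccessLevel after: $after"
```

With `$Apply = $false` the script only reports which devices would be added, so the list can be reviewed before any mailbox or organization setting is touched.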

🔄 5. How It Works

Once installed and configured:

  • The agent monitors quarantined device events on the Exchange server.

  • When a new device enters quarantine, its details (including Display Name) are sent to the Mirket Portal.

  • Device-to-user matching is done using Display Name, so this must be consistent with what’s used in Mirket.


🔔 6. Device Approval Workflow

✅ If Mirket Push is Enabled (default: disabled):

  • When a matching user is found, a Push Notification is sent to the user.

  • If the user approves, the agent automatically removes the device from quarantine.

  • Approval takes effect within 10–15 seconds.

🛠 Admin Options:

  1. In the Mirket Admin Portal, under Configuration → Active Sync, admins can:

    • View quarantined devices

    • Manually approve and remove devices from quarantine

  2. Users can also:

    • Log into the User Portal

    • Navigate to Settings → Devices

    • View and manually approve their quarantined devices


🔍 7. Viewing Quarantined Devices (PowerShell)

To list recently quarantined devices:

🔗 The DisplayName must match what’s used in the Mirket Portal for proper user association.


✅ Summary

| Component | Description |
| --- | --- |
| Agent Location | Installed on the Exchange Server |
| Service Name | MirketActiveSyncAgentService |
| Quarantine Required? | Yes – enforced via Set-ActiveSyncOrganizationSettings |
| User Matching | By Display Name |
| Approval Methods | Push Notification, Admin Approval, User Portal |
