Skip to content

Search + Save a copy of mail items using PowerShell | Part 2#5

In the current article, we will review how to use the Search-Mailbox PowerShell cmdlet for performing a search on a specific Exchange mailbox + copy the search results to a “destination mailbox” (Target Mailbox).

Table of contents

Connect to Exchange Online PowerShell

To be able to run the PowerShell commands specified in the current article, you will need to Connect to Exchange Online PowerShell.

Start Windows PowerShell as administrator and run the cmdlet Connect-ExchangeOnline.

Connect-ExchangeOnline

Scenario description

The Goals

The goals we seek to achieve are:

  1. Perform a search in a specific Exchange mailbox (Bob Mailbox). The search is implemented by defining a specific Search Query (search criteria), that will help us to locate specific mail items that answer the Search Query
  2. The Search Results (mail items) will be copied to a Target Mailbox and saved in a dedicated folder (Target Folder)
  3. In addition, we want to create a detailed report (Log), about each mail items that appear in the Search Results (the Log/Report file will be saved in the Target Folder)

Source mailbox + Target mailbox (and Target Folder)

  • The Source Mailbox (the mailbox on which we perform the search) is Bob’s mailbox
  • The Target Mailbox which we use for storing the search result (the mail items) is Adele’s
  • The Target Folder name will be – Search Results – Bob
Scenario description - Search mailbox + Save search results to other mailbox

The mailbox search scope

By default, the Search-Mailbox cmdlet performs a search in the “Source Mailbox” that includes the following “Mailbox spaces”:

Primary mailbox

  1. The Search-Mailbox cmdlet will perform a search that relates to all folders and subfolders in the Primary Mailbox.
  2. Recovery mail folder – by default, the Search-Mailbox cmdlet will also search for mail items stored in the Recovery mail folder (the Dumpster).

Archive mailbox

In case that the Source Mailbox has Archive mailbox,

  1. The Search-Mailbox cmdlet will perform a search that relates to all folders and subfolders in the Archive mailbox.
  2. Recovery mail folder – by default, the Search-Mailbox cmdlet will also search for mail items stored in the mailbox archive Recovery mail folder (the Dumpster).

In the following screenshot, we can see an example to a scenario in which the Source Mailbox belongs to Bob, and the Target mailbox is – Adele’s mailbox.

The Search-Mailbox cmdlet creates a New folder (Target Folder) and stores all the Search Results (copy the mail items) in this folder (the Target folder).

The search results folder hierarchy includes two separated “spaces”:

  1. Archive mailbox (A in the screenshot)
  2. Primary mailbox (B in the screenshot)

Each of the “mailbox spaces” (Archive and Primary) includes a dedicated folder named – Recoverable Items, that store the Search Results that were “fetched” from the Recovery mail folder -the Dumpster (number 2 in the diagram), that include Soft deleted + Hard deleted mail items.

search mailbox - Mailbox and folder scope

Using the Search-Mailbox for performing a search | PowerShell command syntax

As mentioned, the Search-Mailbox cmdlet is a very powerful PowerShell cmdlet, that can use many types of Search Query filter that will help us to “fetch” (find and copy) very specific mail items.

In the following section, we review a couple of examples to the various Search Query that we can use.

Search and Copy mail items | ALL mail items

In this example, we use the Search-Mailbox cmdlet without any “filter” or Search query filters.

In this scenario, our goal is to copy all the mail items that exist in the Source Mailbox to the Target Mailbox. The search results will include all the mail items from the Primary Mailbox, Archive Mailbox (if exists) and the Recovery mail folder (the Dumpster).

Search + Save a copy ALL mail items | Search Query – NO Filter (no Search Query)

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -TargetMailbox <Destination mailbox>-TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox Bob -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search and Copy mail items | Search query Filter – specific Type of Mail item

In this scenario, we want to locate (search) and copy only a specific type of mail items from the Source Mailbox.

Search + Save a copy of mail items | Search Query filter – Calendar items

Search for specific type of mail items – Calendar items.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery "Kind:meetings" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery "Kind:meetings" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Search Query – Contact items

Search for a specific type of mail items – Contacts items.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery "Kind:contacts" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery "Kind:contacts" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Note: By default, if not specified, the Search-Mailbox cmdlet will look for all types of message types.

When using the option the “kind” search filter, valid values can be one or more of the following:

  • Email
  • Meetings
  • Tasks
  • Notes
  • Docs
  • Journals
  • Contacts
  • IM

Search and Copy mail items | Search query Filter – Text String

In this section, we use Search Query that looks for mail items that include a specific text string.

General note – because we use the quotation marks, the search will fetch only results in which all the words in the text string that we define appear.

For example, in our example, we look for the text string: “A meeting in New York.” Mail items that include the words “New York” or “meeting” will not appear in the Search Results.

Only mail items that include all the text phrases that appear inside the quotation marks, will be considered as “valid mail items” that answer the Search Query (exact phrases or keywords in subjects of items).

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail SUBJECT

Search for mail items with a specific TEXT string that appears in an E-mail Message Subject line.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery Subject:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail BODY

Search for mail items with a specific TEXT string that appears in an E-mail Body.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery body:"<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery Subject:"A meeting in New York" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Search Query – Mail items with Text String in mail BODY or Mail Subject

Search for mail items with a specific TEXT string that appears in an E-mail Message Subject line or Mail Subject.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery "<Text String>" -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

Powershell command example:

Search-Mailbox "Bob" -SearchQuery "A meeting in New York" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Additional PowerShell command syntax that we can use for performing a search that includes two types of search criteria is:

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery {Subject:"A meeting in New York" OR body:"A meeting in New York"} -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search and Copy mail items | Search query Filter – specific Date or Date Range

General information about the subject of “Date and Date format.”

The subject of the date format that we use in the Search-Mailbox query is a little tricky because the date format is affected by the Windows OS Date format, the Exchange Online Mailbox Date format, etc.

Case 1 – most of the time, the date format that you need to use in the Search Query is your Windows OS Date format.

Case 2 – when using a date format in Search-Mailbox queries needs to be in a format that conforms to the Exchange server’s Regional settings.

In case you get an error such as – “The KQL parser threw an exception,”, use the “month name” instead of the format of “month number.”

For example, instead of using the Date format – 07/21/2017 use the following format –  02/July/2017.

Search + Save a Copy of mail items | Search Query – Emails SENT on a Specific date

Search for mail items with Sent on a specific Date.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery sent:mm/dd/yyyy -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery sent:21/07/2017 -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails SENT in a specific Date Range

Search for mail items with Sent on a specific Date Range.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery {sent:mm/dd/yyyy..mm/dd/yyyy} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery {sent:21/06/2017..07/21/2017} -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails RECEIVED in a specific Date Range

Search for mail items that were Received on a specific Date range.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery {Received:mm/dd/yyyy..mm/dd/yyyy} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery {Received:21/06/2017..21/07/2017} -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Search Query – Emails SENT in a specific Date + Emails RECEIVED in a specific Date

Search for mail items that were Sent or Received on a specific Date range.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery {sent:mm/dd/yyyy OR Received: mm/dd/yyyy} -TargetMailbox <Destination mailbox> -TargetFolder <Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery {sent:30/07/2017 OR Received:30/07/2017}-TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search and Copy mail items | Search query Filter – sender, or by Recipient

In this section, we would like to search for mail items that were sent from a specific sender or reach to a specific recipient.

Search + Save a copy of mail items | Filter scope – Email sent by a specific SENDER

Search for mail items that were Sent from a specific Sender (the FROM mail field).

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery from:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery from:"John@o365info.com" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Filter scope – Emails sent TO a specific RECIPIENT

Search for mail items that were Received from a specific Recipient (sent to a specific recipient – the TO mail field).

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery to:"<E-mail address>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery to:"Alice@outlook.com" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search and Copy mail items | Search query Filter – E-mail Attachments

In this section, we would like to search mail items that have an attachment.

Search + Save a copy of mail items | Filter scope – Emails that include a specific attachment file name

Search for mail items that have an attachment with a specific File extension.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery attachment:"<Attachment file name>" -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery attachment:"Customer.pdf" -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Filter scope – specific attachment type (suffix)

Search for mail items, that have an attachment with a specific file name suffix.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery {Attachment -like "*.<suffix>"} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery {Attachment -like "*.PDF"} -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search + Save a copy of mail items | Filter scope – Emails with Attachment

Search for mail items, that have an attachment.

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery {HasAttachment -eq $true} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery -SearchQuery {HasAttachment -eq $true} -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search and Copy mail items | Search query Filter – Additional search queries

Search for mail items, that their size is “bigger” (greater) than a specific size.

Search + Save a copy of mail items | Filter scope – E-mail items size greater than X MB

PowerShell command syntax:

Search-Mailbox <Source Mailbox> -SearchQuery {Size -gt <size in KB or MB>} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

PowerShell command example:

Search-Mailbox "Bob" -SearchQuery -SearchQuery {Size -gt 5MB} -TargetMailbox Adele -TargetFolder "Search Results - Bob" -LogLevel Full

Search-Mailbox | Mailbox Search scope| The Recovery mail folder (Dumpster) and Archive Mailbox

In the following section, I would like to briefly review the subject of “Mailboxes search scope.”

As mentioned, the Search-Mailbox cmdlet will perform by default search in all the following mailbox locations:

  1. Primary mailbox
  2. Primary mailbox – Recovery mail folder (the Dumpster)
  3. Archive mailbox
  4. Archive mailbox – Recovery mail folder (the Dumpster)

The Search-Mailbox cmdlet enables us to define a specific mailbox search scope or to exclude a specific mailbox scope from the search results.

Mailbox scope Recovery mail folder (the Dumpster)

One of the most conspicuous advantages of the Search-Mailbox cmdlets is, the ability that it provides to Exchange administrator to view (search) the content of the Recovery mail folder (the Dumpster) and “fetch” a copy of Soft Deleted + Hard Deleted mail items stored in the Recovery mail folder.

By default, the Search-Mailbox cmdlets will perform a search in the Primary mailbox + in the Recovery mail folder (the Dumpster).

For example, in case that we don’t define a specific mailbox scope filter the search task will include the Primary mailbox space + the Recovery mail folder (the Dumpster).

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -LogLevel Full

Exclude the Recovery mail folder (dumpster) search

In case that we want to exclude the Recovery mail folder (the Dumpster) from the search, we can use the parameter SearchDumpster and set the switch to $False, for example -SearchDumpster:$False.

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -SearchDumpster:$false -LogLevel Full

Search Dumpster Only

In case that we want to perform a search only in the Recovery mail folder (the Dumpster), we can use the parameter -SearchDumpsterOnly which specifies that only the Recoverable Items folder of the specified mailbox be searched.

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -SearchDumpsterOnly -LogLevel Full

Archive mailbox scope

By default, in case that as specific Exchange mailbox has an archive, the archive is always searched.

To exclude the Archive from the search, use the DoNotIncludeArchive parameter.

Search-Mailbox <Source Mailbox> -TargetMailbox <Target mailbox> -TargetFolder <Target Folder> -DoNotIncludeArchive -LogLevel Full

Writing advanced/combined search filters.

An additional part that I would like to briefly, mention is the subject of defining a more advanced or more sophisticated search query that combines two or more “filter” or search conditions.

To define two or more filters, we can use logical operators such as – “OR”, “AND” and more.

In the following diagram, we can see some example of the syntax that we use for defining a more advanced Search Query.

Using a combination of Search Query parameters

Example 1

Look for all mail items, that answer the following search criteria’s:

E-mail items that have attachment + in addition, the mail subject is “Test”.

Search-Mailbox <Source Mailbox> -SearchQuery {HasAttachment -eq $true and subject:Test} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 2

Look for all mail items, that answers the following search criteria’s:

E-mail message mail items or calendar mail items or Contact.

Search-Mailbox <Source Mailbox> -SearchQuery {kind:email OR kind:meetings} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

Example 3

Look for all mail items, that answers the following search criteria’s:

Mail items that have the subject Test + sent from john@o365info.com + sent on a specific date 30/07/2017.

Search-Mailbox <Source Mailbox> -SearchQuery {Subject:"Test" AND From:"john@o365info.com" AND Sent:"30/07/2017"} -TargetMailbox <Target mailbox> -TargetFolder <Target Folder>

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *