Search-Mailbox (Exchange 2013, 2016, Online): Attributes

Applies to: Exchange 2016, Exchange 2013, Exchange Online. Some information may also apply to Exchange 2010.

The -SearchQuery parameter available in the Search-Mailbox command allows you to filter items stored in Exchange mailboxes using a set of item attributes and properties.

Microsoft doesn’t offer documentation regarding attributes that can be used with the -SearchQuery parameter, so I decided to create my own list.

Unfortunately, not all properties indexed by Exchange search are available (but there are a few extra ones that may come in handy).

Queryable attributes and values

| Attribute | Value type | Description | Example |
|---|---|---|---|
| subject | String | Exact phrases or keywords in subjects of items. | subject:"invoice for" |
| body | String | Any item property that contains the specified string value. | body:microsoft |
| attachment | String | Exact phrases or keywords in attachment filenames. | attachment:specialoffer.zip |
| to | String | SMTP address, display name, or alias of user in TO field. | to:"George Kaplan" |
| from | String | As above for the FROM field. | from:i.johnson@alphaville.fr |
| cc | String | As above for the CC field. | cc:kowalski +codetwo.com |
| bcc | String | As above for the BCC field. | bcc:harry lime |
| participants | String | As above for all people fields. | participants:administrator |
| category | String | Names or parts of names of default Outlook categories. | category:category -green |
| importance | String | Available values: normal, high, low. Default is "normal". | importance: high OR low |
| kind | Item type | Available values: contacts, docs, email, faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail. | kind:email OR contacts |
| sent | Date | Specific date or time range in which the item was sent. Format: MM/dd/yyyy or date interval (today, yesterday, this week, this month, last month, this year, last year). | sent:9/1/2014..9/1/2016 or sent:"last month" |
| received | Date | As above for when the item was received. | received>=1/1/2015 |
| hasattachment | Boolean | True if item has at least 1 attachment. (only Exchange 2016 and Online) | hasattachment:true |
| isflagged | Boolean | True if item is flagged. (only Exchange 2016 and Online) | isflagged:true |
| isread | Boolean | True if item is read. (only Exchange 2016 and Online) | isread:false |
| size | Number | Size of item (including attachments) in bytes. | size>1000000 |

Operations on multiple attributes and values

Search-Mailbox queries are performed using a slightly simplified version of Microsoft’s Keyword Query Language (KQL).

All attributes and their values listed in the table above can be combined using logical operators AND, OR and NOT (case sensitive).

Note: + and - can also be used as substitutes for AND and NOT.

For example:

Search-Mailbox -SearchQuery '(subject:"invoice for" -codetwo) AND (from:sales OR accounting)' ...

translates to: Search for items sent by people with “sales” or “accounting” in names or addresses, and the phrase “invoice for” in the Subject field, excluding those with the string “codetwo” in the Subject.

Numerical values (and date intervals!) can be compared using the following operators:

| Operator | Attribute value ... |
|---|---|
| : | ... contains specified value (accepts numerical and text values). |
| = | ... is equal to specified value (accepts numerical and text values). |
| > | ... is larger than specified value. |
| < | ... is smaller than specified value. |
| >= | ... is larger than or equal to specified value. |
| <= | ... is smaller than or equal to specified value. |
| <> | ... is not equal to specified value. |
| .. | ... falls in the range of specified values (does not accept date intervals). |

Note: On Exchange 2010 you may have to precede comparison operators with a colon (:).

As I mentioned, date intervals (today, yesterday, this week, this month, last month, this year, last year) are interpreted as numerical values, but cannot be used with the .. operator.

Dates have to be provided in the MM/dd/yyyy format (although this could be region-specific).

Dates provided as MM/dd are interpreted as MM/dd/current_year.

For example:

Search-Mailbox -SearchQuery 'received="last month" AND received>10/10/2016' ...

translates to: items received between 10/10/2016 and 10/31/2016 (since last month was October).

Search-Mailbox -SearchQuery 'size:1000..900000' ...

translates to: items with size falling between 1000 and 900000 bytes.
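
The operator and date rules above, combined into a small query builder, as an added example that is not part of the original article. The function name New-MailboxSearchQuery, the mailbox m.doe and the sample values are assumptions; Search-Mailbox is called only with parameters that appear on this page.

```powershell
# Added example. New-MailboxSearchQuery, the mailbox name and all sample
# values are hypothetical; they are not taken from a real environment.
function New-MailboxSearchQuery {
    param(
        [string]$Subject,       # phrase to match in the subject
        [string]$From,          # SMTP address, display name or alias
        [string]$Attachment,    # attachment file name
        [string]$ReceivedFrom,  # MM/dd/yyyy, or a date interval such as 'last month'
        [string]$ReceivedTo     # MM/dd/yyyy, closes a range opened by -ReceivedFrom
    )
    $intervals = 'today', 'yesterday', 'this week', 'this month',
                 'last month', 'this year', 'last year'
    $datePattern = '^\d{1,2}/\d{1,2}/\d{4}$'
    $terms = @()

    # Quote string values so spaces stay inside the phrase. An embedded double
    # quote would end the phrase early, so it is dropped.
    $strings = [ordered]@{ subject = $Subject; from = $From; attachment = $Attachment }
    foreach ($name in $strings.Keys) {
        if ($strings[$name]) {
            $terms += '{0}:"{1}"' -f $name, $strings[$name].Replace('"', '')
        }
    }

    if ($ReceivedFrom -and ($intervals -contains $ReceivedFrom)) {
        # Date intervals cannot be combined with the .. range operator.
        if ($ReceivedTo) { throw "A date interval cannot open a '..' range." }
        $terms += 'received="{0}"' -f $ReceivedFrom
    } elseif ($ReceivedFrom) {
        foreach ($d in @($ReceivedFrom, $ReceivedTo)) {
            if ($d -and $d -notmatch $datePattern) { throw "Expected MM/dd/yyyy, got '$d'." }
        }
        if ($ReceivedTo) { $terms += 'received:{0}..{1}' -f $ReceivedFrom, $ReceivedTo }
        else             { $terms += 'received>={0}' -f $ReceivedFrom }
    } elseif ($ReceivedTo) { throw '-ReceivedTo requires -ReceivedFrom.' }

    if ($terms.Count -eq 0) { throw 'At least one search term is required.' }
    $terms -join ' AND '
}

$query = New-MailboxSearchQuery -Subject 'invoice for' -From 'sales' `
    -ReceivedFrom '10/10/2016' -ReceivedTo '10/31/2016'
$query

# Size the result set first; runs only where an Exchange session is loaded.
if (Get-Command Search-Mailbox -ErrorAction SilentlyContinue) {
    Search-Mailbox -Identity 'm.doe' -SearchQuery $query -EstimateResultOnly
}
```

Checking the estimate before exporting results to a target mailbox shows whether the query is broader than intended.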

If you have questions or comments about any of the above information, post them in the comments section – I will try to respond as soon as possible.

Further reading

How to delete email from mailboxes on Exchange 2016 / 2013 / 2010 / Online


18 thoughts on “Search-Mailbox (Exchange 2013, 2016, Online): Attributes”


    • Hi Yaniv,
      No, the only date-related attributes available for e-mails are their sent and received date.

  1. Thank you for a great article. Can I search for messages sent to and received from a certain domain using this query?

    If so,
    ‘(to:*.xyz.com) AND (from:*.xyz.com)’
    or
    ‘(to:xyz.com) AND (from:xyz.com)’
    would be correct?

    • Hi Bill,
      I would write the following query: -SearchQuery 'to:"abc.com" AND from:"xyz.com"'. The query will search all messages sent to domain abc.com (j.doe@abc.com, l.smith@abc.com…) from domain xyz.com. If you use “*.xyz.com”, the query will search for messages sent from/to addresses which have an additional dot, like: j.doe@sales.xyz.com. The asterisk is expendable when put in front of a value or after it.

  2. Does search-mailbox command work with office 365 exchange online? I’ve archived info off for a mailbox and want to delete all emails before a certain date range. I keep hitting road blocks and getting errors that search-mailbox isn’t recognized as a cmdlet.

    • Hi Wendell,
      Search-mailbox should work perfectly with Exchange Online. It looks like cmdlets have not been downloaded to the temporary module. Please make sure you have completed all steps necessary to connect to Office 365, because it seems you have not downloaded the cmdlets by using Import-PSSession $Session cmdlet. You can find all steps in How to start remote PowerShell session to Exchange or Office 365.

  3. Exchange 2010, search-mailbox as Get-Mailbox | Search-Mailbox -SearchQuery Body:"Test" -TargetMailbox "Discovery Search Mailbox" -TargetFolder "Test-folder" -LogLevel Full

    Results return with incorrect date and time in the sent and received field. It is one day ahead. For example, today is 5/11/2017 and I saw 5/12/2017.

    So, please help, greatly appreciate, thanks!

    • According to documentation provided by Microsoft, the dates returned by Search-Mailbox cmdlet are in UTC time (Coordinated Universal Time). Please check if the time and date are correct if you change your time to UTC.

  4. Hi Adam,
    I have used the following command on Exchange 2010 to get the count for a specific message class:
    Search-Mailbox -Identity UserName -SearchQuery "IPM.NOTE.EnterpriseVault.Shortcut" -EstimateResultOnly
    But on Exchange 2013, with the same command, the output is: ResultItemsCount: 0 even if there are
    thousands of EV shortcuts in the mailbox.
    How do I use the -SearchQuery option to find a specific message class (ipm.note for example) on Exchange 2013?

    Thank you so much in advance.
    Rajesh

    • Hi Rajesh,
      I’m sorry, but from what I know, Exchange 2013 does not support finding items with a specific message class with Search-Mailbox cmdlet. Some people say it’s an Exchange 2013 bug, but I haven’t found any official confirmation on the web.

  5. Hi Adam,

    Yes, I used the same command to search the mailbox. However, I am getting the result of items received to mailbox within this particular time range. For example, the conversations stored in Conversation History, Sent Items, etc. But I expect it to show only the emails RECEIVED (which we can see when we do a mail trace) by the mailbox within that time range. How to achieve that? Thanks in advance for help again.

    • From what I found out, Search-Mailbox does not have a default option to filter only the received emails (e.g. by limiting its search to Inbox folder). If I was to search a single mailbox, I would add e.g. AND to:"m.doe" to the query. For more mailboxes, I would use the same method and iterate through a list with a foreach loop.

  6. Hi Adam,

    This article is of great help.
    I have one question.
    We often get missing-email requests, and mostly the query will be on a date range. When I submit the search, it includes the other items as well. I am expecting only to find the items received in that particular time range. How can we achieve that?

    Regards,
    Suresh

    • Hi Suresh,
      Let me show this with an example. The following cmdlet searches the mailbox of m.doe for the date range from January 1, 2017 up to April 14, 2017 and exports the results to the Administrator mailbox, folder "test search":

      Search-Mailbox "m.doe" -SearchQuery "Received:1/1/2017..04/14/2017" -TargetMailbox "Administrator" -TargetFolder "test search"

      If you want to add more attributes, you can look at the examples in the article above.
      Hope it helps!

  7. isread does not seem to be a valid attribute for Exchange 2013. Can you elaborate how you were able to determine that this attribute will work in Search-Mailbox -SearchQuery?

    I’ve been trying to get a script to work with isread for quite some time and have hit many roadblocks.

  8. How do I search successfully with a subject that includes a colon? For example: I have an email I need to delete out of a mailbox with the following subject:

    RE: this a bad email

    Notice the colon. When I try to use Search-Mailbox, it returns zero results. I would assume this is because a colon is something recognized by the query language and thus the search is not carried out correctly.

    • Hi Tom,

      Please try using this syntax:

      -SearchQuery 'subject=RE: this a bad email'

      If it doesn’t work, please let me know what version of Exchange you are running.

      Best regards,
      Adam
