[Update]: This blog post was updated on March 7, 2019.
Applies to: Exchange 2019, Exchange 2016, Exchange 2013, Exchange Online. Some information may also apply to Exchange 2010.
The -SearchQuery parameter available in the Search-Mailbox command allows you to filter items stored in Exchange mailboxes using a set of item attributes and properties.
Microsoft doesn’t offer documentation regarding attributes that can be used with the -SearchQuery parameter, so I decided to create my own list.
Unfortunately, not all properties indexed by Exchange search are available (but there are a few extra ones that may come in handy).
Queryable attributes and values
| Attribute | Type | Description | Example |
| --- | --- | --- | --- |
| subject | String | Exact phrases or keywords in subjects of items. | subject:"invoice for" |
| body | String | Any item property that contains the specified string value. | body:microsoft |
| attachment | String | Exact phrases or keywords in attachment filenames. | attachment:specialoffer.zip |
| to | String | SMTP address, display name, or alias of user in TO field. | to:"George Kaplan" |
| from | String | As above for the FROM field. | from:email@example.com |
| cc | String | As above for the CC field. | cc:kowalski +codetwo.com |
| bcc | String | As above for the BCC field. | bcc:harry lime |
| participants | String | As above for all people fields. | participants:administrator |
| category | String | Names or parts of names of default Outlook categories. | category:category -green |
| importance | String | Available values: normal, high, low. Default is "normal". | importance: high OR low |
| kind | Item type | Available values: | kind:email OR contacts |
| sent | Date | Specific date or time range in which the item was sent. Format: MM/dd/yyyy or date interval (today, yesterday, this week, this month, last month, this year, last year) | |
| received | Date | As above for when the item was received. | received>=1/1/2015 |
| hasattachment | Boolean | True if item has at least 1 attachment. (only Exchange 2016 and Online) | hasattachment:true |
| isflagged | Boolean | True if item is flagged. (only Exchange 2016 and Online) | isflagged:true |
| isread | Boolean | True if item is read. (only Exchange 2016 and Online) | isread:false |
| size | Number | Size of item (including attachments) in bytes. | size>1000000 |
Operations on multiple attributes and values
Search-Mailbox queries are performed using a slightly simplified version of Microsoft’s Keyword Query Language (KQL).
All attributes and their values listed in the table above can be combined using logical operators AND, OR and NOT (case sensitive).
Note: + / - can also be used as substitutes for AND/NOT.
Search-Mailbox -SearchQuery '(subject:"invoice for" -codetwo) AND (from:sales OR accounting)' ...
translates to: Search for items sent by people with “sales” or “accounting” in names or addresses, and the phrase “invoice for” in the Subject field, excluding those with the string “codetwo” in the Subject.
Numerical values (and date intervals!) can be compared using the following operators:
| Operator | Attribute value ... |
| --- | --- |
| : | ... contains specified value (accepts numerical and text values). |
| = | ... is equal to specified value (accepts numerical and text values). |
| > | ... is larger than specified value. |
| < | ... is smaller than specified value. |
| >= | ... is larger than or equal to specified value. |
| <= | ... is smaller than or equal to specified value. |
| <> | ... is not equal to specified value. |
| .. | ... falls in the range of specified values (does not accept date intervals). |
Note: On Exchange 2010 you may have to precede comparison operators with a colon (:).
As I mentioned, date intervals (today, yesterday, this week, this month, last month, this year, last year) are interpreted as numerical values, but cannot be used with the
Dates have to be provided in the MM/dd/yyyy format (although this could be region-specific).
Dates provided as MM/dd are interpreted as
Search-Mailbox -SearchQuery 'received="last month" AND received>10/10/2016' ...
translates to: items received between 10/10/2016 and 10/31/2016 (since last month was October).
Search-Mailbox -SearchQuery 'size:1000..900000' ...
translates to: items with size falling between 1000 and 900000 bytes.
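The attributes, operators and date format above can be assembled programmatically, which is useful when scoping a reported suspicious message across many mailboxes during incident triage. The following is an added example, not code from the original post: the function `New-MailboxSearchQuery`, its parameters and all sample values are assumptions, and `-EstimateResultOnly` makes `Search-Mailbox` return counts only.

```powershell
# Added example, not from the original post. Names and sample values are assumptions.
function New-MailboxSearchQuery {
    param(
        [string]   $Subject,       # phrase in the subject   -> subject:"..."
        [string]   $From,          # address, alias or name  -> from:...
        [string]   $Attachment,    # attachment file name    -> attachment:...
        [datetime] $ReceivedFrom,  # lower bound             -> received>=MM/dd/yyyy
        [datetime] $ReceivedTo,    # upper bound             -> received<=MM/dd/yyyy
        [long]     $MinSizeBytes   # item size in bytes      -> size>N
    )

    # Wrap values containing whitespace in double quotes so they are searched as
    # one phrase. Embedded quotes are rejected instead of guessing an escape rule.
    function Format-Value([string] $Value) {
        if ($Value -match '"') { throw "Value must not contain a double quote: $Value" }
        if ($Value -match '\s') { return '"' + $Value + '"' }
        return $Value
    }

    # Format dates with the invariant culture so the output is always MM/dd/yyyy,
    # whatever the regional settings of the admin workstation are.
    $inv   = [cultureinfo]::InvariantCulture
    $terms = @()
    if ($Subject)    { $terms += 'subject:'    + (Format-Value $Subject) }
    if ($From)       { $terms += 'from:'       + (Format-Value $From) }
    if ($Attachment) { $terms += 'attachment:' + (Format-Value $Attachment) }
    if ($PSBoundParameters.ContainsKey('ReceivedFrom')) {
        $terms += 'received>=' + $ReceivedFrom.ToString('MM/dd/yyyy', $inv)
    }
    if ($PSBoundParameters.ContainsKey('ReceivedTo')) {
        $terms += 'received<=' + $ReceivedTo.ToString('MM/dd/yyyy', $inv)
    }
    if ($PSBoundParameters.ContainsKey('MinSizeBytes')) { $terms += "size>$MinSizeBytes" }

    # An empty filter would not narrow the search at all, so refuse to build one.
    if ($terms.Count -eq 0) { throw 'At least one search term is required.' }
    return ($terms -join ' AND ')
}

# Constructed sample values describing a reported message.
$query = New-MailboxSearchQuery -Subject 'invoice for' -From 'sales@example.com' `
    -Attachment 'specialoffer.zip' -ReceivedFrom '2016-10-10' -ReceivedTo '2016-10-31'

# Count matching items per mailbox without copying or deleting anything.
Get-Mailbox -ResultSize Unlimited |
    Search-Mailbox -SearchQuery $query -EstimateResultOnly |
    Where-Object { $_.ResultItemsCount -gt 0 } |
    Select-Object Identity, ResultItemsCount, ResultItemsSize
```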
If you have questions or comments about any of the above information, post them in the comments section. I will try to respond as soon as possible.