[Update]: This blog post was updated on March 31. 2020
Applies to: Exchange Online, Exchange 2019, Exchange 2016, Exchange 2013. Some information may also apply to Exchange 2010.
The -SearchQuery parameter available in the Search-Mailbox allows you to filter items stored in Exchange mailboxes using a set of item attributes and properties. The -ContentMatchQuery parameter in the New-ComplianceSearch command allow you to filter items stored in Exchange mailboxes, SharePoint and public folders.
Since it’s quite hard to find any documentation regarding attributes that can be used with the -SearchQuery and -ContentMatchQuery parameters, I decided to create my own list.
Note: In Exchange Online, the Search-Mailbox cmdlet is being retired on April 1, 2020 in favor of *ComplianceSearch cmdlets. Learn how to use the new version of Search-Mailbox to search and delete mailbox content in Exchange Online, Exchange 2016 and Exchange 2019
Unfortunately, not all properties indexed by Exchange search are available (but there are a few extra ones that may come in handy).
Queryable attributes and values
|subject||String||Exact phrases or keywords in subjects of items.||subject:"invoice for"|
|body||String||Any item property that contains the specified string value.||body:microsoft|
|attachment||String||Exact phrases or keywords in attachment filenames.||attachment:specialoffer.zip|
|to||String||SMTP address, display name, or alias of user in TO field.||to:"George Kaplan"|
|from||String||As above for the FROM field.||from:[email protected]|
|cc||String||As above for the CC field.||cc:kowalski +codetwo.com|
|bcc||String||As above for the BCC field.||bcc:harry lime|
|participants||String||As above for all people fields.||participants:administrator|
|category||String||Names or parts of names of default Outlook categories.||category:category -green|
|importance||String||Available values: normal, high, low. Default is "normal".||importance: high OR low|
|kind||Item type||Available values:|
|kind:email OR contacts|
|sent||Date||Specific date or time range in which the item was sent.|
Format: MM/dd/yyyy or date interval (today, yesterday, this week, this month, last month, this year, last year)
|received||Date||As above for when the item was received.||received>=1/1/2015|
|hasattachment||Boolean||True if item has at least 1 attachment. (only Exchange 2016 and Online)||hassattachment:true|
|isflagged||Boolean||True if item is flagged. (only Exchange 2016 and Online)||isflagged:true|
|isread||Boolean||True if item is read. (only Exchange 2016 and Online)||isread:false|
|size||Number||Size of item (including attachments) in bytes.||size>1000000|
Operations on multiple attributes and values
Search-Mailbox queries are performed using a slightly simplified version of Microsoft’s Keyword Query Language (KQL).
All attributes and their values listed in the table above can be combined using logical operators AND, OR and NOT (case sensitive).
Note: + / – can also be used as substitutes for AND/NOT.
Search-Mailbox -SearchQuery '(subject:"invoice for" -codetwo) AND (from:sales OR accounting)' ...
translates to: Search for items sent by people with “sales” or “accounting” in names or addresses, and the phrase “invoice for” in the Subject field, excluding those with the string “codetwo” in the Subject.
Numerical values (and date intervals!) can be compared using the following operators:
|Operator||Attribute value ...|
|:||... contains specified value (accepts numerical and text values).|
|=||... is equal to specified value (accepts numerical and text values).|
|>||... is larger than specified value.|
|<||... is smaller than specified value.|
|>=||... is larger than or equal to specified value.|
|<=||... is smaller than or equal to specified value.|
|<>||... is not equal to specified value.|
|..||... falls in the range of specified values (does not accept date intervals).|
Note: On Exchange 2010 you may have to precede comparison operators with a colon (:).
As I mentioned, date intervals (today, yesterday, this week, this month, last month, this year, last year) are interpreted as numerical values, but cannot be used with the
Dates have to be provided in the
MM/dd/yyyy format (although this could be region-specific).
Dates provided as
MM/dd are interpreted as
Search-Mailbox -SearchQuery 'received="last month" AND received>10/10/2016' ...
translates to: items received between the 10/10/2016 and 10/31/2016 (since last month was October).
Search-Mailbox -SearchQuery 'size:1000..900000' ...
translates to: items with size falling between 1000 and 900000 bytes.
If you have questions or comments about any of the above information, post them in the comments section. I will try to respond as soon as possible.