Beruflich Dokumente
Kultur Dokumente
Home
Exchange Server PowerShell
Open the Exchange Management Shell
Connect to Exchange servers using remote PowerShell
Control remote PowerShell access to Exchange servers
Find the permissions required to run any Exchange cmdlet
Exchange cmdlet syntax
Use Update-ExchangeHelp to update Exchange PowerShell help topics on Exchange
servers
Recipient filters in Exchange PowerShell commands
Filterable properties for the Filter parameter
Filterable properties for the RecipientFilter parameter
Exchange Online PowerShell
Connect to Exchange Online PowerShell
Connect to Exchange Online PowerShell using multi-factor authentication
Find the permissions required to run any Exchange cmdlet
Enable or disable access to Exchange Online PowerShell
Recipient filters in Exchange Management Shell commands
Filterable properties for the Filter parameter
Filterable properties for the RecipientFilter parameter
Exchange Online PowerShell V2
Property sets in cmdlets
Office 365 Security & Compliance Center PowerShell
Connect to Office 365 Security & Compliance Center PowerShell
Connect to Office 365 Security & Compliance Center PowerShell using multi-
factor authentication
Exchange Online Protection PowerShell
Connect to Exchange Online Protection PowerShell
Exchange PowerShell enables you to manage your Exchange Server and Office 365 organizations from the command line. For
more information, select your environment:
The Exchange Management Shell is built on Windows PowerShell technology and provides a powerful command-
line interface that enables the automation of Exchange administration tasks. You can use the Exchange
Management Shell to manage every aspect of Exchange. For example, you can create email accounts, create Send
connectors and Receive connectors, configure mailbox database properties, and manage distribution groups. You
can use the Exchange Management Shell to perform every task that's available in the Exchange graphical
management tools, plus things that you can't do there (for example, bulk operations). In fact, when you do
something in the Exchange admin center (EAC ), the Exchange Control Panel (ECP ), or the Exchange Management
Console (EMC ), it's the Exchange Management Shell that does the work behind the scenes.
The Exchange Management Shell also provides a robust and flexible scripting platform. Visual Basic scripts that
required many lines of code can be replaced by Exchange Management Shell commands that use as little as one
line of code. The Exchange Management Shell provides this flexibility because it uses an object model that's based
on the Microsoft .NET Framework. This object model enables Exchange cmdlets to apply the output from one
command to subsequent commands.
To start using the Exchange Management Shell immediately, see the Exchange Management Shell documentation
section later in this topic.
TOPIC DESCRIPTION
Open the Exchange Management Shell Find and open the Exchange Management Shell on an
Exchange server or a computer that has the Exchange
management tools installed.
Connect to Exchange servers using remote PowerShell Use Windows PowerShell on a local computer to connect to
an Exchange server.
Control remote PowerShell access to Exchange servers Learn how to block or allow users' remote PowerShell access
to Exchange servers.
Find the permissions required to run any Exchange cmdlet Find the permissions you need to run a specific cmdlet, or one
or more parameters on the cmdlet.
Exchange cmdlet syntax Learn about the structure and syntax of cmdlets in Exchange
PowerShell.
Recipient filters in Exchange Management Shell commands Learn about recipient filters in the Exchange Management
Shell.
TOPIC DESCRIPTION
Use Update-ExchangeHelp to update Exchange PowerShell Learn how to use Update-ExchangeHelp to update help for
help topics on Exchange servers Exchange cmdlet reference topics on Exchange servers.
Open the Exchange Management Shell
10/30/2019 • 3 minutes to read • Edit Online
When you open the Exchange Management Shell you can perform administrative tasks on Exchange Server from
the command line. You can open the Exchange Management Shell from the following locations:
On the Exchange server directly or in a Remote Desktop Connection session.
On a local computer after you install the Exchange management tools. For more information, see Install the
Exchange management tools.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
If you don't have the Exchange management tools installed on your local computer, you can use Windows
PowerShell to create a remote PowerShell session to an Exchange server. It's a simple three-step process, where
you enter your credentials, provide the required connection settings, and then import the Exchange cmdlets into
your local Windows PowerShell session so that you can use them.
NOTE
We recommend that you use the Exchange Management Shell on any computer that you use to extensively administer
Exchange servers. You'll get the Exchange Management Shell by installing the Exchange management tools. For more
information, see Install the Exchange Server Management Tools and Open the Exchange Management Shell. For more
information about the Exchange Management Shell, see Exchange Server PowerShell (Exchange Management Shell).
To require all scripts that you download from the internet are signed by a trusted publisher, run the
following command in an elevated Windows PowerShell window (a Windows PowerShell window you
open by selecting Run as administrator):
Set-ExecutionPolicy RemoteSigned
You need to configure this setting only once on your computer, not every time you connect.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box that opens, enter your user principal name
(UPN ) (for example, chris@contoso.com ) and password, and then click OK.
2. Replace <ServerFQDN> with the fully qualified domain name of your Exchange server (for example,
mailbox01.contoso.com ) and run the following command:
NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window
without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to
wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:
Remove-PSSession $Session
Remote PowerShell in Microsoft Exchange allows you to manage your Exchange organization from a remote
computer that's on your internal network or from the Internet. You can disable or enable a user's ability to connect
to an Exchange server using remote PowerShell. For more information about remote PowerShell, see Exchange
Server PowerShell (Exchange Management Shell).
For additional management tasks related to remote PowerShell, see Connect to Exchange servers using remote
PowerShell.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.
This example enables remote PowerShell access for the user named Sirirat Kitjakarn.
This example removes access to remote PowerShell for all users whose Title attribute contains the value "Sales
Associate".
$DSA = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales
Associate*')"
This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their user principal
name (UPN ). The text file must contain one UPN on each line like this:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
After you populate the text file with the user accounts you want to update, run the following commands:
This example displays the remote PowerShell access status of the user named Sarah Jones.
To display the remote PowerShell access status for all users, run the following command:
To display only those users who don't have access to remote PowerShell, run the following command:
To display only those users who have access to remote PowerShell, run the following command:
You can use PowerShell to find the permissions required to run any Exchange or Exchange Online cmdlet. This
procedure shows the role-based access control (RBAC ) management roles and role groups that give you access to
a specified cmdlet—even if your organization has custom roles, custom role groups, or custom role assignments.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server or Exchange Online.
Troubleshooting
What if there are no results?
Verify that you entered the cmdlet and parameter names correctly.
You might have entered too many parameters, and all of the parameters on the cmdlet aren't defined in a
single role. Try specifying only the cmdlet name in Step 2, and run Step 3 to verify that the cmdlet is available
in your environment. Then, add parameters one at a time to Step 2 before running Step 3.
These possible causes have the same solution:
You might have entered a cmdlet or parameters that are defined in a role that isn't assigned to anyone
by default.
You might have entered a cmdlet or parameter that isn't available in your environment. For example,
when you enter an Exchange Online cmdlet or parameters in an on-premises Exchange 2016
environment.
Run the following command to find the role that contains the cmdlet or parameters. Be sure to replace
<Cmdlet> and optionally, <Parameter1>,<Parameter2>,... with the actual cmdlet and parameter names you
are interested in. Note that you can use wildcard characters (*) in the cmdlet and parameter names (for
example, *-Mailbox* ).
If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't
available in your environment.
If the command returns one or more entries for Name, Role, and Parameters, the cmdlet (or
parameters on the cmdlet) is available in your environment, but the required role isn't assigned to
anyone. To see all roles that aren't assigned to anyone, run the following command:
Related procedures
Management role scopes define where cmdlets can operate (in particular, write scopes).
To include scope information in Step 2, substitute the following command:
To see all roles assigned to a specific user, run the following command:
For example:
To see all users who are assigned a specific role, run the following command:
For example:
To see the members of a specific role group, run the following command:
For example:
Exchange cmdlet reference topics use a standardized method that describes key aspects about the cmdlet. For
example:
Parameters that are available on the cmdlet.
Values that each parameter accepts.
Parameters that can be used together, and parameters that need to be used separately.
This topic explains these conventions, and also the syntax that's required to run commands in Exchange
PowerShell.
SYMBOL DESCRIPTION
This cmdlet has two separate parameter sets. Based on the entries, you can use these parameters together in the
same command:
DsnCode
Internal
Language
Text
Confirm
DomainController
WhatIf
And you can use these parameters together in the same command:
Language
QuotaMessageType
Text
Confirm
DomainController
WhatIf
But you can't use these parameters together in the same command:
DsnCode and QuotaMessageType.
Internal and QuotaMessageType.
The <COMMON PARAMETERS> entry indicates the cmdlet supports the basic Windows PowerShell parameters that are
available on virtually any cmdlet (for example, Debug). You can use common parameters with parameters from
any parameter set. For more information, see about_CommonParameters.
If you don't enclose the value Contoso Receive Connector in quotes, Exchange PowerShell tries to treat each word
as a new argument, and the command will fail. In this example, you'll receive an error that looks like this:
A positional parameter cannot be found that accepts argument 'Receive'
If the value contains variables, you need choose carefully between single quotes and double quotes. For example,
suppose you have a variable named $Server that has the value Mailbox01 .
Double quotation marks: Variables are substituted with their values. The input "$Server Example"
results in the output Mailbox01 Example .
Single quotation marks: Variables are treated literally. The input '$Server Example' results in the output
$Server Example .
OPERATOR DESCRIPTION
OPERATOR DESCRIPTION
" Double quotation marks are used to enclose text strings that
contains spaces.
Exchange cmdlet reference topics are created and updated all the time, but it's been difficult to get those updates
into Exchange code in a timely manner so they're available in the Exchange Management Shell. Now, you can use
the Update-ExchangeHelp cmdlet in the Exchange Management Shell to get the most up-to-date cmdlet
reference topics for the command line in Exchange 2013 or later.
The Update-ExchangeHelp cmdlet automatically connects to a predefined website, compares the version of the
local Exchange server and the installed languages to what's available in the update packages, and then downloads
and installed the updated Exchange Management Shell help. Typically, the cmdlet connects to the internet, but you
can configure it to connect to an intranet source inside your organization.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.
Update-ExchangeHelp -Verbose
Notes:
The Verbose switch is important because it provides useful information. For example, it tells you if your
Exchange server already has the latest version of help installed, or if you've run the command in the last 24
hours.
If you want to check for updates again within 24 hours, use the Force switch.
Configure Update-ExchangeHelp to get updates from an internal web
server
In some organizations, internal servers don't have access to the Internet. If your internal Exchange servers don't
have Internet access, you can configure Update-ExchangeHelp to point to an internal web server to get updates.
The steps are as follows:
1. Download and inspect the ExchangeHelpInfo.xml manifest file.
2. Download the update packages, publish the update packages on an internal web server, and customize the
ExchangeHelpInfo.xml manifest file.
3. Publish the customized ExchangeHelpInfo.xml manifest file on an internal web server.
4. Modify the registry of the Exchange servers to point to the customized ExchangeHelpInfo.xml manifest file.
5. Use and maintenance of Update-ExchangeHelp.
Step 1. Download and inspect the ExchangeHelpInfo.xml manifest file
On a computer that has Internet access, open https://go.microsoft.com/fwlink/p/?LinkId=287244, save the
ExchangeHelpInfo.xml manifest file in a location that's easy to remember, and open the file in Notepad.
Each available update package is defined in a <HelpVersion> section, and each <HelpVersion> section contains
the following keys.
<Version>: This key identifies the version Exchange that the update package applies to. 15.01.xxxx.xxx is
Exchange 2016. 15.00.xxxx.xxx is Exchange 2013. Typically, this key specifies a range of versions.
<CulturesUpdated>: This key identifies the language that the update package applies to. This key might
specify only one language or multiple languages.
<Revision>: This key identifies the order that the updated packages were released for the major version of
Exchange. In other words, the first update package released for Exchange 2016 is 001 , the second is 002 ,
etc. And, there's no relationship between the update packages and the order they were released in. For
example, 001 might be an English only update, 002 might be an update for all other supported languages,
and 003 might be a German-only update.
<CabinetUrl>: This key identifies the name and location of the update package for the <HelpVersion>
section.
The update package that's defined in a <HelpVersion> section applies to an Exchange server based on the
combination of <Version> and <CulturesUpdated> values.
You might find that multiple <HelpVersion> sections apply to your Exchange servers for a given version of
Exchange. For example, there might be multiple updates for the same language, or separate updates for different
languages that both apply to your Exchange servers because you have multiple languages installed. Either way,
you need only the most recent update for your Exchange server version and language based on the <Revision>
key.
For example, suppose your Exchange servers are running Exchange 2016 version 15.01.0225.040 with English and
Spanish installed, and the ExchangeHelpInfo.xml manifest file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<ExchangeHelpInfo>
<HelpVersions>
<HelpVersion>
<Version>15.01.0225.030-15.01.0225.050</Version>
<Revision>001</Revision>
<CulturesUpdated>en</CulturesUpdated>
<CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-
66CE775BCD18/ExchangePS_Update_En.cab</CabinetUrl>
</HelpVersion>
<HelpVersion>
<Version>15.01.0225.030-15.01.0225.050</Version>
<Revision>002</Revision>
<CulturesUpdated>de, es, fr, it, ja, ko, pt, pu, ru, zh-HanS, zh-HanT</CulturesUpdated>
<CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-
66CE775BCD18/ExchangePS_Update_Loc.cab</CabinetUrl>
</HelpVersion>
<HelpVersion>
<Version>15.01.0225.030-15.01.0225.050</Version>
<Revision>003</Revision>
<CulturesUpdated>en</CulturesUpdated>
<CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-
66CE775BCD18/ExchangePS_Update_En2.cab</CabinetUrl>
</HelpVersion>
</HelpVersions>
</ExchangeHelpInfo>
In this example, all the updates apply to you based on the version of Exchange. However, you need only revision
003 for English, and revision 002 for Spanish. You don't need revision 001 for English because revision 003 is
newer.
Step 2. Download the update packages, publish the update packages on an internal web server, and customize
the ExchangeHelpInfo.xml manifest file
The easiest and least time-consuming approach might be to download every available update package that's
defined in the ExchangeHelpInfo.xml manifest file. The benefits to this approach are:
No analysis required: It's difficult to make a mistake and accidentally miss an update that applies to you,
because you're downloading every available update package. The Update-ExchangeHelp cmdlet ignores
the update packages that don't apply to the Exchange server, so it doesn't hurt to download unneeded
update packages.
Easier maintenance: Whenever a new update package is released, you don't need to spend time
determining if the update package applies to you. You just download and customize the new
ExchangeHelpInfo.xml manifest file, and download the new cabinet (.cab) file that's defined in it.
To download all of the update packages, follow these steps:
1. Download all of the .cab files that are defined in the ExchangeHelpInfo.xml manifest file by using the
<CabinetUrl> values. Save the files in a location that's easy to remember.
2. Publish the .cab files on an internal web server (for example
https://intranet.contoso.com/downloads/exchange ).
3. Modify the URL values of the <CabinetUrl> keys to point to the internal web server where you published
the .cab files.
For example, change the value
https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-
66CE775BCD18/ExchangePS_Update_En.cab
to https://intranet.contoso.com/downloads/exchange/ExchangePS_Update_En.cab .
4. Save the customized ExchangeHelpInfo.xml manifest file.
The drawback to this approach is you download more .cab files than you actually need, and the unneeded .cab files
consume space on your internal web server.
If you want to identify only the update packages that apply to you, follow these steps.
1. Find the version details for your Exchange servers.
To find the version details on a single Exchange server, run the following command:
To find the version details for all Exchange servers in your organization, run the following command:
3. Modify the URL values of the <CabinetUrl> keys to point to the internal web server where you published
the .cab files.
For example, change the value
https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-
66CE775BCD18/ExchangePS_Update_En.cab
to https://intranet.contoso.com/downloads/exchange/ExchangePS_Update_En.cab .
4. Optionally, you can delete the <HelpInfo> sections that don't apply to you.
5. Save the customized ExchangeHelpInfo.xml manifest file.
Step 3. Publish the customized ExchangeHelpInfo.xml manifest file on an internal web server
Publish the customized ExchangeHelpInfo.xml manifest file from Step 2 on an internal web server that's accessible
to your internal Exchange servers. For example,
https://intranet.contoso.com/downloads/exchange/ExchangeHelpInfo.xml . You'll use the URL value of this location in
Step 4.
Note that there's no relationship between the ExchangeHelpInfo.xml manifest file and .cab file locations. You can
have them available at the same URL or on different servers.
Step 4. Modify the registry of your Exchange servers to point to the customized ExchangeHelpInfo.xml
manifest file
You need the download location of the customized ExchangeHelpInfo.xml manifest file that you configured in Step
3. This example uses the value https://intranet.contoso.com/downloads/exchange/ExchangeHelpInfo.xml .
1. Copy and paste the following text into Notepad, customize the URL for your environment, and save the file
as UpdateExchangeHelp.reg in a location that's easy to remember.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\UpdateExchangeHelp]
"ManifestUrl"="https://intranet.contoso.com/downloads/exchange/ExchangeHelpInfo.xml"
You can use several Exchange Management Shell and Exchange Online PowerShell commands to filter a set of
recipients. You can create the following types of filters in an Exchange command:
Precanned filters
Custom filters using the RecipientFilter parameter
Custom filters using the Filter parameter
Custom filters using the ContentFilter parameter
Older versions of Exchange used LDAP filtering syntax to create custom address lists, global address lists (GALs),
email address policies, and distribution groups. In Exchange Server 2007 and later versions, OPATH filtering syntax
replaced LDAP filtering syntax.
Precanned filters
A precanned filter is a commonly used Exchange filter that you can use to meet a variety of recipient-filtering
criteria for creating dynamic distribution groups, email address policies, address lists, or GALs. With precanned
filters, you can use either the Exchange PowerShell or the Exchange admin center (EAC ). Using precanned filters,
you can do the following:
Determine the scope of recipients.
Add conditional filtering based on properties such as company, department, and state or region.
Add custom attributes for recipients. For more information, see Custom Attributes.
The following parameters are considered precanned filters:
IncludedRecipients
ConditionalCompany
ConditionalDepartment
ConditionalStateOrProvince
ConditionalCustomAttribute1 to ConditionalCustomAttribute15.
Precanned filters are available for the following cmdlets:
New -DynamicDistributionGroup
Set-DynamicDistributionGroup
New -EmailAddressPolicy
Set-EmailAddressPolicy
New -AddressList
Set-AddressList
New -GlobalAddressList
Set-GlobalAddressList
Precanned filter example
This example describes using precanned filters in the Exchange Management Shell to create a dynamic distribution
group. The syntax in this example is similar but not identical to the syntax you would use to create an email address
policy, address list, or GAL. When creating a precanned filter, you should ask the following questions:
From which organizational unit (OU ) do you want to include recipients? (This question corresponds to the
RecipientContainer parameter.)
NOTE
Selecting the OU for this purpose applies only when creating dynamic distribution groups, and not when creating email
address policies, address lists, or GALs.
What type of recipients do you want to include? (This question corresponds to the IncludedRecipients
parameter.)
What additional conditions do you want to include in the filter? (This question corresponds to the
ConditionalCompany, ConditionalDepartment, ConditionalStateOrProvince, and
ConditionalCustomAttribute parameters.)
This example creates the dynamic distribution group Contoso Finance for user mailboxes in the OU
Contoso.com/Users and specifies the condition to include only recipients who have the Department attribute
defined as Finance and the Company attribute defined as Contoso.
This example displays the properties of this new dynamic distribution group.
For more information about the filterable properties that you can use with the ContentFilter parameter, see
Filterable properties for the ContentFilter parameter.
Integer values: You don't need to enclose integers (for example, 500 ). You can often enclose
integers in single quotation marks or double quotation marks, but that limits the characters you can
use to enclose the whole OPath filter.
System values: Don't enclose system values (for example, $true , $false , or $null ). To enclose the
whole OPath filter in double quotation marks, you need to escape the dollar sign in system value (for
example, `$true ).
You need to enclose the whole OPath filter in double quotation marks " or " single quotation marks ' '.
Although any OPath filter object is technically a string and not a script block, you can still use braces { }, but
only if the filter doesn't contain variables that require expansion. The characters that you can use to enclose
the whole OPath filter depend on types of values that you're searching for and the characters you used (or
didn't use) to enclose those values:
Text values: Depends on how you enclosed the text to search for:
Text enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces.
Text enclosed in double quotation marks: Enclose the whole OPath filter in braces.
Variables: Enclose the whole OPath filter in double quotation marks (for example,
"Name -eq '$User'" ).
Integer values: Depends on how you enclosed (or didn't enclose) the integer to search for:
Integer not enclosed: Enclose the whole OPath filter in double quotation marks, single
quotation marks, or braces (for example "CountryCode -eq 840" ).
Integer enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces "CountryCode -eq '840'" .
Integer enclosed in double quotation marks: Enclose the whole OPath filter in braces (for
example {CountryCode -eq "840"} ).
System values: Enclose the whole OPath filter in single quotation marks or braces (for example
'HiddenFromAddressListsEnabled -eq $true' ). If you escape the dollar sign system value, you can also
enclose the whole OPath filter in double quotation marks (for example,
"HiddenFromAddressListsEnabled -eq `$true" ).
The compatibility of search criteria and the valid characters that you can use to enclose the whole OPath
filter are summarized in the following table:
'Text'
"Text"
'$Variable'
500
'500'
"500"
$true
`$true
Include the hyphen before all operators. The most common operators include:
-and
-or
-not
-eq (equals)
-ne (not equal)
-lt (less than)
-gt (greater than)
-like (string comparison)
-notlike (string comparison)
Many filterable properties accept wildcard characters. If you use a wildcard character, use the -like operator
instead of the -eq operator. The -like operator is used to find pattern matches in rich types (for example,
strings) whereas the -eq operator is used to find an exact match.
For more information about operators you can use, see:
about_Logical_Operators
about_Comparison_Operators
TOPIC DESCRIPTION
Filterable properties for the RecipientFilter parameter Learn more about the filterable properties that are available
for the RecipientFilter parameter.
Filterable properties for the Filter parameter Learn more about the filterable properties that are available
for the Filter parameter.
Filterable properties for the Filter parameter
10/30/2019 • 46 minutes to read • Edit Online
You use the Filter parameter to create OPATH filters based on the properties of user and group objects in Exchange Server and Exchange Online. The Filter parameter is
available on these recipient cmdlets:
Get-CASMailbox
Get-Contact
Get-DistributionGroup
Get-DynamicDistributionGroup
Get-Group
Get-LinkedUser
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup
For more information, see Recipient filters in Exchange PowerShell commands.
NOTE
The Filter parameter is also available on other cmdlets (for example, Get-MailboxStatistics, Get-Queue, and Get-Message). However, the property values that are accepted by the Filter
parameter on these cmdlets aren't similar to the user and group properties that are described in this topic.
Filterable properties
The properties that have been confirmed to work with the Filter parameter in user and group cmdlets are described in the following table.
Notes:
The list might include:
Properties that are only used in one type of environment: Microsoft Office 365, on-premises Exchange, or hybrid. The property might exist on recipient objects
in all environments, but the value is only meaningful (a value other than blank or None ) in one type of environment.
Properties that are present, but correspond to features that are no longer used in Exchange 2016 or later.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for these properties, which indicates that
the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or $null ), use single quotation marks ' '
instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables. For more information, see
Additional OPATH syntax information.
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
AcceptMessagesOnlyFrom authOrig Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the individual recipient (a
Get-Mailbox mailbox, mail user, or mail contact).
Get-MailContact For example,
Get-MailPublicFolder Get-DistributionGroup -Filter
Get-MailUser "AcceptMessagesOnlyFrom -eq
'CN=Yuudai
Get-RemoteMailbox Uchida,CN=Users,DC=contoso,DC=com'"
Get-UnifiedGroup or
Get-DistributionGroup -Filter
"AcceptMessagesOnlyFrom -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of
the individual recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
AcceptMessagesOnlyFromDLMemb dLMemSubmitPerms Get-DistributionGroup String or $null This filter requires the distinguished
ers Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the group (a distribution
Get-MailContact group, mail-enabled security group,
Get-MailPublicFolder or dynamic distribution group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "AcceptMessagesOnlyFromDLMembers -eq
'CN=Marketing
Department,CN=Users,DC=contoso,DC=com'"
. or
Get-Mailbox -Filter
"AcceptMessagesOnlyFromDLMembers
-eq 'contoso.com/Users/Marketing
Department'"
.
To find the distinguished name of
the group, replace
<GroupIdentity> with the name,
alias, or email address of the group,
and run one of these commands:
Get-DistributionGroup -
Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
or
Get-DynamicDistributionGroup
-Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
ActiveSyncAllowedDeviceIDs msExchMobileAllowedDeviceIds Get-CASMailbox String (wildcards accepted) or A device ID is a text string that
$null uniquely identifies the device. Use
the Get-MobileDevice cmdlet to
see the devices that have
ActiveSync partnerships with a
mailbox. To see the device IDs on a
mailbox, replace <MailboxIdentity>
with the name, alias, or email
address of the mailbox, and run
this command:
Get-MobileDevice -Mailbox
<MailboxIdentity> | Format-
List
.
After you have the device ID value,
you can use it in the filter. For
example,
Get-CasMailbox -Filter "
(ActiveSyncAllowedDeviceIDs -
like '*text1') -or
(ActiveSyncAllowedDeviceIDs -
eq 'text2'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
ActiveSyncBlockedDeviceIDs msExchMobileBlockedDeviceIds Get-CASMailbox String (wildcards accepted) or A device ID is a text string that
$null uniquely identifies the device. Use
the Get-MobileDevice cmdlet to
see the devices that have
ActiveSync partnerships with a
mailbox. To see the device IDs on a
mailbox, replace <MailboxIdentity>
with the name, alias, or email
address of the mailbox, and run
this command:
Get-MobileDevice -Mailbox
<MailboxIdentity> | Format-
List
.
After you have the device ID value,
you can use it in a filter. For
example,
Get-CasMailbox -Filter "
(ActiveSyncBlockedDeviceIDs -
like '*text1') -or
(ActiveSyncBlockedDeviceIDs -
eq 'text2'"
.
ActiveSyncMailboxPolicy msExchMobileMailboxPolicyLink Get-CASMailbox String or $null This filter requires the distinguished
Get-Recipient name of the ActiveSync mailbox
policy. For example,
Get-CASMailbox -Filter "ActiveSyncMailboxPolicy -eq
'CN=Default,CN=Mobile Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of ActiveSync mailbox
policies by running this command:
Get-MobileDeviceMailboxPolicy
| Format-List
Name,DistinguishedName
.
Note: For the default assignment
of the default ActiveSync mailbox
policy (named Default) to a
mailbox, the value of the
ActiveSyncMailboxPolicy
property is blank ( $null ).
AddressBookPolicy msExchAddressBookPolicyLink Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the address book policy.
For example,
Get-Mailbox -Filter "AddressBookPolicy -eq 'CN=Contoso
ABP,CN=AddressBook Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of address book policies by
running this command:
Get-AddressBookPolicy |
Format-List
Name,DistinguishedName
.
AddressListMembership showInAddressBook Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the address list. For
Get-Mailbox example,
Get-MailContact Get-MailContact -Filter "AddressListMembership -eq
Get-MailPublicFolder 'CN=All Contacts,CN=All Address Lists,CN=Address Lists
Container,CN=Contoso Corporation,CN=Microsoft
Get-MailUser Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
Get-Recipient .
Get-RemoteMailbox You can find the distinguished
Get-UnifiedGroup names of address lists by running
this command:
Get-AddressList | Format-List
Name,DistinguishedName
.
ArbitrationMailbox msExchArbitrationMailbox Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the arbitration mailbox.
Get-Mailbox For example,
Get-MailContact Get-DistributionGroup -Filter
Get-MailPublicFolder "ArbitrationMailbox -eq
'CN=SystemMailbox"1f05a927-2e8f-4cbb-9039-
Get-MailUser 2cfb8b95e486",CN=Users,DC=contoso,DC=com'"
Get-RemoteMailbox .
You can find the distinguished
names of arbitration mailboxes by
running this command:
Get-Mailbox -Arbitration |
Format-List
Name,DistinguishedName
.
ArchiveDatabase msExchArchiveDatabaseLink Get-Mailbox String or $null This filter requires the distinguished
Get-MailUser name of the archive mailbox
Get-Recipient database. For example,
Get-RemoteMailbox Get-Mailbox -Filter "ArchiveMailbox -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
ArchiveDomain msExchArchiveAddress Get-Mailbox String (wildcards accepted) or This property is used in on-
$null premises Exchange environments
to identify the Office 365
organization that holds the archive
mailbox. For example,
Get-Mailbox -Filter
"ArchiveDomain -like
'*contoso.onmicrosoft.com'"
.
ArchiveGuid msExchArchiveGUID Get-Mailbox String or $null This filter requires the GUID of the
Get-MailUser archive mailbox. For example,
Get-Recipient Get-Mailbox -Filter
Get-RemoteMailbox "ArchiveMailbox -eq
'6476f55e-e5eb-4462-a095-
f2cb585d648d'"
.
You can find the GUID of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveGUID
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
ArchiveName msExchArchiveName Get-Mailbox String (wildcards accepted) or This filter requires the name of the
Get-MailUser $null archive mailbox. For example,
Get-RemoteMailbox Get-Mailbox -Filter
"ArchiveName -like 'In-Place
Archive*'"
.
You can find the names of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveName
.
ArchiveQuota msExchArchiveQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ArchiveQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ArchiveQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ArchiveQuota -<Operator>
'<Size>'"
. For example,
Get-Mailbox | where
"$_.ArchiveQuota -gt '85GB'"
.
ArchiveWarningQuota msExchArchiveWarnQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ArchiveWarningQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ArchiveWarningQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ArchiveWarningQuota -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.ArchiveWarningQuota -gt
'85GB'"
.
AuditLogAgeLimit msExchMailboxAuditLogAgeLimit Get-Mailbox A time span value: dd.hh:mm:ss You can't use the Filter parameter
Get-UnifiedGroup where dd = days, hh = hours, mm to look for time span values for this
= minutes, and ss = seconds. property. Instead, use this syntax:
Get-Mailbox | where
"$_.AuditLogAgeLimit -
<Operator> '<TimeSpan>'"
. For example,
Get-Mailbox | where
"$_.AuditLogAgeLimit -gt
'60.00:00:00'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
BlockedSendersHash msExchBlockedSendersHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'BlockedSendersHash -ne
$null'.
c c Get-Contact String (wildcards accepted) or This filter requires the ISO 3166-1
Get-LinkedUser $null two-letter country code for the
Get-Recipient user (for example, S for the
Get-SecurityPrincipal United States). This property is
Get-User used together with the co and
countryCode properties to define
the user's country in Active
Directory.
For example,
Get-User -Filter "c -eq 'US'" .
CalendarLoggingQuota msExchCalendarLoggingQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
example, 300MB or 1.5GB ), or parameter to look for the value
Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"CalendarLoggingQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"CalendarLoggingQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.CalendarLoggingQuota -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.CalendarLoggingQuota -gt
'10GB'"
.
CountryCode countryCode Get-Contact Integer This filter requires the ISO 3166-1
Get-LinkedUser three-digit country code for the
Get-Recipient user (for example, 840 for the
Get-SecurityPrincipal United States). This property is
Get-User used together with the c and co
properties to define the user's
country in Active Directory.
For example,
Get-User -Filter "countryCode
-eq 796"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
DefaultPublicFolderMailbox msExchPublicFolderMailbox Get-Mailbox String or $null This filter requires the distinguished
name or canonical distinguished
name of the public folder mailbox.
For example,
Get-Mailbox -Filter
"DefaultPublicFolderMailbox -eq 'CN=PF
Mailbox01,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"DefaultPublicFolderMailbox -
eq 'contoso.com/Users/PF
Mailbox01'"
.
To find the distinguished names of
public folder mailboxes, run this
command:
Get-Mailbox -PublicFolder |
Format-List
Name,DistinguishedName
.
DirectReports directReports Get-Contact String or $null This filter requires the distinguished
Get-LinkedUser name or canonical distinguished
Get-User name of the direct report. For
example,
Get-User -Filter "DirectReports -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-User -Filter
"DirectReports -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
direct report, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
DisabledArchiveDatabase msExchDisabledArchiveDatabaseLi Get-Mailbox String or $null This filter requires the distinguished
nk Get-MailUser name of the disabled archive
Get-RemoteMailbox mailbox database. For example,
Get-Mailbox -Filter "DisabledArchiveDatabase -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
DisabledArchiveGuid msExchDisabledArchiveDatabaseG Get-Mailbox String or $null This filter requires the GUID of the
UID Get-MailUser disabled archive mailbox. For
Get-RemoteMailbox example,
Get-Mailbox -Filter
"DisabledArchiveGuid -eq
'6476f55e-e5eb-4462-a095-
f2cb585d648d'"
.
You can find the GUID of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveGUID
.
ForwardingAddress altRecipient Get-Mailbox String or $null This filter requires the distinguished
Get-MailPublicFolder name or canonical distinguished
Get-MailUser name of the forwarding recipient.
Get-RemoteMailbox For example,
Get-Mailbox -Filter
"ForwardingAddress -eq 'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"ForwardingAddress -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
forwarding recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
GrantSendOnBehalfTo publicDelegates Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the mail-enabled security
Get-MailContact principal (mailbox, mail user, or
Get-MailPublicFolder mail-enabled security group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "GrantSendOnBehalfTo -eq 'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"GrantSendOnBehalfTo -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
mail-enabled security principal,
replace <RecipientIdentity> with
the name, alias, or email address of
the recipient, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
IssueWarningQuota mDBStorageQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"IssueWarningQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"IssueWarningQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.IssueWarningQuota -
<Operator> '<Size>'
". For example,
Get-Mailbox | where
"$_.IssueWarningQuota -lt
'50GB'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
LanguagesRaw msExchUserCulture Get-Mailbox String (wildcards accepted) or This property is named Languages
$null in the properties of a mailbox, and
it contains the language preference
for the mailbox in the format
<ISO 639 two-letter culture
code>-<ISO 3166 two-letter
subculture code>
. For example, United States English
is en-US . For more information,
see CultureInfo Class.
You can specify multiple values
separated by commas, but the
order matters. For example,
Get-Mailbox -Filter
"LanguagesRaw -eq 'en-US,es-
MX'"
returns different results than
Get-Mailbox -Filter
"LanguagesRaw -eq 'es-MX,en-
US'"
.
For single values, this multivalued
property will return a match if the
property contains the specified
value.
LitigationHoldOwner msExchLitigationHoldOwner Get-Mailbox String (wildcards accepted) or This property uses the user
Get-MailUser $null principal name of the litigation hold
Get-RemoteMailbox owner. For example,
Get-Mailbox -Filter
"LitigationHoldOwner -eq
'agruber@contoso.com'"
.
MailboxMoveBatchName msExchMailboxMoveBatchName Get-Mailbox String (wildcards accepted) or This property includes the name of
Get-MailUser $null the migration batch. For example,
Get-Recipient Get-Mailbox -Filter
Get-RemoteMailbox "MailboxMoveBatchName -like
'*LocalMove 01*'"
.
You can find the names of
migration batches by running the
Get-MigrationBatch command.
Note that migration batches that
you create in the Exchange admin
center use the naming convention
MigrationService:
<MigrationBatchName>
.
MailboxMoveFlags msExchMailboxMoveFlags Get-Mailbox For valid values, see the description For example,
Get-MailUser of the Flags parameter inGet- Get-Mailbox -Filter
Get-Recipient MoveRequest. "MailboxMoveFlags -ne 'None'"
Get-RemoteMailbox .
You can specify multiple values
separated by commas, and the
order doesn't matter. For example,
Get-Recipient -Filter
"MailboxMoveFlags -eq
'IntraOrg,Pull'"
returns the same results as
Get-Recipient -Filter
"MailboxMoveFlags -eq
'Pull,IntraOrg'"
.
This multivalued property will only
return a match if the property
equals the specified value.
MailboxMoveSourceMDB msExchMailboxMoveSourceMDBLin Get-Mailbox String or $null This filter requires the distinguished
k Get-MailUser name of the source mailbox
Get-Recipient database. For example,
Get-RemoteMailbox Get-Mailbox -Filter "MailboxMoveSourceMDB -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
MailboxMoveStatus msExchMailboxMoveStatus Get-Mailbox For valid values, see the description For example,
Get-MailUser of the MoveStatus parameter Get-Mailbox -Filter
Get-Recipient inGet-MoveRequest. "MailboxMoveStatus -eq
'Completed'"
Get-RemoteMailbox
.
MailboxMoveTargetMDB msExchMailboxMoveTargetMDBLin Get-Mailbox String or $null This filter requires the distinguished
k Get-MailUser name of the target mailbox
Get-Recipient database. For example,
Get-RemoteMailbox Get-Mailbox -Filter "MailboxMoveTargetMDB -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
MailTipTranslations msExchSenderHintTranslations Get-DistributionGroup String (wildcards accepted) or When you use this property in a
Get-DynamicDistributionGroup $null filter, you need to account for the
Get-Mailbox leading and trailing HTML tags. For
Get-MailContact example,
Get-MailPublicFolder Get-DistributionGroup -Filter
Get-MailUser "MailTipTranslations -like
'*is not monitored.*'"
Get-RemoteMailbox
Get-UnifiedGroup .
ManagedBy managedBy Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Group name of the group owner (a mail-
Get-Recipient enabled security principal, which is
Get-UnifiedGroup a mailbox, mail user, or mail-
enabled security group). For
example,
Get-Mailbox -Filter "ManagedBy -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"ManagedBy -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
mail-enabled security principal,
replace <RecipientIdentity> with
the name, alias, or email address of
the recipient, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
Manager manager Get-Contact String or $null This filter requires the distinguished
Get-LinkedUser name or canonical distinguished
Get-Recipient name of the manager (a mailbox or
Get-User mail user). For example,
Get-User -Filter "Manager -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter "Manager
-eq 'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
manager, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName.
MaxReceiveSize delivContLength Get-DistributionGroup A byte quantified size value (for You can only use the Filter
Get-DynamicDistributionGroup example, 75MB ), or Unlimited . parameter to look for the value
Get-Mailbox Unqualified values are treated as Unlimited for this property. For
Get-MailContact bytes. example,
Get-MailPublicFolder Get-Mailbox -Filter
Get-MailUser "MaxReceiveSize -eq
'Unlimited'"
Get-RemoteMailbox
Get-UnifiedGroup or
Get-Mailbox -Filter
"MaxReceiveSize -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.MaxReceiveSize -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.MaxReceiveSize -gt
'50GB'"
.
MaxSendSize submissionContLength Get-DistributionGroup A byte quantified size value (for You can only use the Filter
Get-DynamicDistributionGroup example, 75MB ), or Unlimited . parameter to look for the value
Get-Mailbox Unqualified values are treated as Unlimited for this property. For
Get-MailContact bytes. example,
Get-MailPublicFolder Get-Mailbox -Filter
Get-MailUser "MaxSendSize -eq 'Unlimited'"
Get-RemoteMailbox or
Get-UnifiedGroup Get-Mailbox -Filter
"MaxSendSize -ne 'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.MaxReceiveSize -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.MaxSendSize -gt '50GB'"
.
MemberOfGroup memberOf Get-CASMailbox String or $null This filter requires the distinguished
Get-Contact name or canonical distinguished
Get-DistributionGroup name of the distribution group or
Get-DynamicDistributionGroup mail-enabled security group. For
Get-Group example,
Get-LinkedUser Get-User -Filter "MemberOfGroup -eq
Get-Mailbox 'CN=Marketing
Department,CN=Users,DC=contoso,DC=com'"
Get-MailContact
Get-MailPublicFolder or
Get-User -Filter
Get-MailUser "MemberOfGroup -eq
Get-Recipient 'contoso.com/Users/Marketing
Get-RemoteMailbox Group'"
Get-SecurityPrincipal .
Get-UMMMailbox To find the distinguished name of a
Get-User group, replace <GroupIdentity>
with the name, alias, or email
address of the group, and run this
command:
Get-DistributionGroup -
Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
Members member Get-DistributionGroup String or $null This filter requires the distinguished
Get-Group name or canonical distinguished
Get-Recipient name of the group member. For
Get-SecurityPrincipal example,
Get-Group -Filter "Members -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-User -Filter "Members -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
group member, replace
<RecipientIdentity> with the
name, alias, or email address of the
group member, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
OfflineAddressBook msExchUseOAB Get-Mailbox String or $null This filter requires the distinguished
name of the offline address book.
For example,
Get-Mailbox -Arbitration -Filter "OfflineAddressBook -eq
'CN=OAB 1,CN=Offline Address Lists,CN=Address Lists
Container,CN=Contoso Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished
names of offline address books by
running this command:
Get-OfflineAddressBook |
Format-List
Name,DistinguishedName
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
OWAEnabled n/a Get-CASMailbox Boolean ( $true or $false ) The filter operates backwards. For
example,
Get-CASMailbox -Filter
'OWAEnabled -eq $true'
returns mailboxes where the
OWAEnabled property is False ,
and
Get-CASMailbox -Filter
'OWAEnabled -eq $false'
returns mailboxes where the
OWAEnabled property is True
OWAMailboxPolicy msExchOWAPolicy Get-CASMailbox String or $null This filter requires the distinguished
Get-Recipient name of the Outlook on the web
mailbox policy (formerly known as
an Outlook Web App mailbox
policy). For example,
Get-CASMailbox -Filter "OWAMailboxPolicy -eq
'CN=Default,CN=OWA Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
'".
You can find the distinguished
names of Outlook on the web
mailbox policies by running this
command:
Get-OwaMailboxPolicy |
Format-List
Name,DistinguishedName
.
PersistedCapabilities n/a Get-Mailbox String or $null Typically, the value of this property
Get-MailUser something other than $null
Get-RemoteMailbox (blank) for Office 365 accounts and
mailboxes. For more information
about the valid property values,
seeCapability enumeration.
For example,
Get-Mailbox -Filter
'PersistedCapabilities -ne
$null'
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
PreviousRecipientTypeDetails msExchPreviousRecipientTypeDetai Get-LinkedUser String or $null For valid values, see the description
ls Get-User of the RecipientTypeDetails
parameter inGet-Recipient.
For example,
Get-User -Filter
'PreviousRecipientTypeDetails
-ne $null'
.
ProhibitSendQuota mDBOverQuotaLimit Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ProhibitSendQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ProhibitSendQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ProhibitSendQuota -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.ProhibitSendQuota -lt
'70GB'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
ProhibitSendReceiveQuota mDBOverHardQuotaLimit Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ProhibitSendReceiveQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ProhibitSendReceiveQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ProhibitSendReceiveQuota
-<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.ProhibitSendReceiveQuota
-lt '70GB'"
.
ProtocolSettings protocolSettings Get-Mailbox String (wildcards accepted) or The default value of this property
Get-MailUser $null on mailboxes is
Get-RemoteMailbox RemotePowerShell§1 . This
property is populated with
additional values when you use
Set-CASMailbox to disable
protocols (for example, POP3 or
IMAP4).
For example,
Get-Mailbox -Filter
"ProtocolSettings -like
'*POP3*'"
.
QueryBaseDN msExchQueryBaseDN Get-Mailbox String or $null This property was used in Exchange
2007 global address list
segregation to specify a location in
Active Directory. This feature was
replaced by address book policies
in Exchange 2010 Service Pack 2,
so the value of this property
should always be blank ( $null ).
For example,
Get-Mailbox -Filter
'QueryBaseDN -ne $null'
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
RecipientContainer msExchDynamicDLBaseDN Get-DynamicDistributionGroup String or $null This filter requires the distinguished
name or canonical distinguished
name of the organizational unit or
container in Active Directory. For
example,
Get-DynamicDistributionGroup
-Filter "RecipientContainer -
eq
'CN=Users,DC=contoso,DC=com'"
or
Get-DynamicDistributionGroup
-Filter "RecipientContainer -
eq 'contoso.com/Users'"
To find the distinguished names or
canonical distinguished names of
organizational units and containers
in Active Directory, run this
command:
Get-OrganizationalUnit -
IncludeContainers | Format-
List
Name,DistinguishedName,ID
.
RecipientTypeDetails n/a Get-Contact String For valid values, see the description
Get-DistributionGroup of the RecipientTypeDetails
Get-DynamicDistributionGroup parameter in Get-Recipient.
Get-Group For example,
Get-LinkedUser Get-Recipient -Filter
Get-Mailbox "RecipientTypeDetails -eq
'SharedMailbox'"
Get-MailContact
Get-MailPublicFolder .
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-User
Get-UnifiedGroup
RecoverableItemsQuota msExchDumpsterQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"RecoverableItemsQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"RecoverableItemsQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.RecoverableItemsQuota -
<Operator> '<Size>'
. For example,
Get-Mailbox | where
"$_.RecoverableItemsQuota -gt
'35GB'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
RecoverableItemsWarningQuota msExchDumpsterWarningQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"RecoverableItemsWarningQuota
-eq 'Unlimited'"
or
Get-Mailbox -Filter
"RecoverableItemsWarningQuota
-ne 'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.RecoverableItemsWarningQuota
-<Operator> '<Size>'
". For example,
Get-Mailbox | where
"$_.RecoverableItemsWarningQuota
-gt '25GB'"
.
RejectMessagesFrom unauthOrig Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the individual recipient (a
Get-Mailbox mailbox, mail user, or mail contact).
Get-MailContact For example,
Get-MailPublicFolder Get-DistributionGroup -Filter
Get-MailUser "RejectMessagesFrom -eq 'CN=Yuudai
Uchida,CN=Users,DC=contoso,DC=com'"
Get-RemoteMailbox
Get-UnifiedGroup or
Get-DistributionGroup -Filter
"RejectMessagesFrom -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of
the individual recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
RejectMessagesFromDLMembers dLMemRejectPerms Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the group (a distribution
Get-MailContact group, mail-enabled security group,
Get-MailPublicFolder or dynamic distribution group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "RejectMessagesFromDLMembers -eq
'CN=Marketing
Department,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"RejectMessagesFromDLMembers
-eq
'contoso.com/Users/Marketing
Department'"
.
To find the distinguished name of
the group, replace
<GroupIdentity> with the name,
alias, or email address of the group,
and run one of these commands:
Get-DistributionGroup -
Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
or
Get-DynamicDistributionGroup
-Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
RemoteAccountPolicy msExchSyncAccountsPolicyDN Get-Mailbox String or $null This filter requires the distinguished
name of the remote account policy.
For example,
Get-Mailbox -Filter "RemoteAccountPolicy -eq 'CN=Contoso
Remote Account Policy,CN=Remote Accounts Policies
Container,CN=Contoso Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
RetainDeletedItemsFor garbageCollPeriod Get-Mailbox A time span value: dd.hh:mm:ss You can't use the Filter parameter
Get-MailUser where dd = days, hh = hours, mm to look for time span values for this
Get-RemoteMailbox = minutes, and ss = seconds. property. Instead, use this syntax:
Get-Mailbox | where
"$_.RetainDeletedItemsFor -
<Operator> '<TimeSpan>'"
. For example,
Get-Mailbox | where
"$_.RetainDeletedItemsFor -gt
'14.00:00:00'"
.
RetentionPolicy n/a Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the retention policy. For
example,
Get-Mailbox -Filter "RetentionPolicy -eq 'CN=Default MRM
Policy,CN=Retention Policies Container,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
retention policies, run this
command:
Get-RetentionPolicy | Format-
List Name,DistinguishedName
.
RoleAssignmentPolicy msExchRBACPolicyLink Get-Mailbox String (wildcards accepted) or This filter requires the distinguished
$null name of the role assignment policy
in Exchange Online. For example,
Get-Mailbox -Filter "RoleAssignmentPolicy -eq 'CN=Default
Policy,CN=Policies,CN=RBAC,CN=Configuration,CN=contoso.onm
.
To find the distinguished names of
role assignment policies in
Exchange Online, run this
command:
Get-RoleAssignmentPolicy |
Format-List
Name,DistinguishedName
.
RulesQuota msExchMDBRulesQuota Get-Mailbox A byte quantified size value (for You can't use the Filter parameter
example, 50B or 128KB ). to look for size values of this
Unqualified values are treated as property. Instead, use this syntax:
bytes. Get-Mailbox | where
"$_.RulesQuota -<Operator>
'<Size>'"
. For example,
Get-Mailbox | where
"$_.RulesQuota -lt '256KB'"
.
SafeRecipientsHash msExchSafeRecipientsHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'SafeRecipientsHash -ne
$null'.
SafeSendersHash msExchSafeSendersHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'SafeSendersHash -ne $null'.
SCLDeleteThresholdInt msExchMessageHygieneSCLDeleteT Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
hreshold 2147483647 (SCL value 1), - SCLDeleteThreshold in the results
2147483646 (SCL value 2), - of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name SCLDeleteThresholdInt in
2147483640 (SCL value 8), - the filter. For example,
Get-Mailbox -Filter
2147483639 (SCL value 9) or "SCLDeleteThresholdInt -ge -
$null 2147483640"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
SCLJunkThresholdInt msExchMessageHygieneSCLJunkTh Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
reshold 2147483647 (SCL value 1), - SCLJunkThreshold in the results
2147483646 (SCL value 2), - of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name SCLJunkThresholdInt in the
2147483640 (SCL value 8), - filter. For example,
Get-Mailbox -Filter
2147483639 (SCL value 9) or "SCLJunkThresholdInt -ge -
$null 2147483645"
.
SCLQuarantineThresholdInt msExchMessageHygieneSCLQuaran Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
tineThreshold 2147483647 (SCL value 1), - SCLQuarantineThreshold in the
2147483646 (SCL value 2), - results of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name
2147483640 (SCL value 8), - SCLQuarantineThresholdInt in
2147483639 (SCL value 9) or the filter. For example,
Get-Mailbox -Filter
$null "SCLQuarantineThresholdInt -
ge -2147483643"
.
SCLRejectThresholdInt msExchMessageHygieneSCLRejectT Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
hreshold 2147483647 (SCL value 1), - SCLRejectThreshold in the results
2147483646 (SCL value 2), - of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name SCLRejectThresholdInt in
2147483640 (SCL value 8), - the filter. For example,
Get-Mailbox -Filter
2147483639 (SCL value 9) or "SCLRejectThresholdInt -ge -
$null 2147483641"
.
SharingPolicy msExchSharingPolicyLink Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the sharing policy. For
example,
Get-Mailbox -Filter "SharingPolicy -eq 'CN=Custom Sharing
Policy,CN=Federation,CN=Contoso Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
sharing policies, run this command:
Get-SharingPolicy | Format-
List Name,DistinguishedName
.
Note: For the default assignment
of the default sharing policy
(named Default Sharing Policy) to a
mailbox, the value of the
SharingPolicy property is blank (
$null ).
ThrottlingPolicy msExchThrottlingPolicyDN Get-Mailbox String or $null This filter requires the distinguished
name of the throttling policy. For
example,
Get-Mailbox -Filter "ThrottlingPolicy -eq 'CN=Custom
Throttling Policy,CN=Global Settings,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
throttling policies, run this
command:
Get-ThrottlingPolicy |
Format-List
Name,DistinguishedName
.
UMMailboxPolicy msExchUMTemplateLink Get-Recipient String or $null This filter requires the distinguished
Get-UMMailbox name of the UM mailbox policy. For
example,
Get-Recipient -Filter "UMMailboxPolicy -eq 'CN=Contoso
Default Policy,CN=UM Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
UM mailbox policies, run this
command:
Get-UMMailboxPolicy | Format-
List Name,DistinguishedName
.
UMRecipientDialPlanId msExchUMRecipientDialPlanLink Get-Recipient String or $null This filter requires the distinguished
name of the UM dial plan. For
example,
Get-Recipient -Filter "UMMailboxPolicy -eq 'CN=Contoso
Dial Plan,CN=UM DialPlan Container,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
UM dial plans, run this command:
Get-UMDialPlan | Format-List
Name,DistinguishedName
.
UsageLocation msExchUsageLocation Get-Mailbox String or $null This filter requires the ISO 3166-1
Get-MailUser country name (for example,
Get-Recipient United States ), or two-letter
country code (for example US ) for
the user in Office 365. For more
information, see Country Codes -
ISO 3166.
For example,
Get-Recipient -Filter
'UsageLocation -ne $null'
.
WhenSoftDeleted msExchWhenSoftDeletedTime Get-LinkedUser A date/time value This filter requires the SoftDeleted
Get-Mailbox switch in the command for
Get-MailUser mailboxes.
Get-RemoteMailbox For example,
Get-User Get-Mailbox -SoftDeleted -
Get-UnifiedGroup Filter "WhenSoftDeleted -gt
'8/1/2017 2:00:00 PM'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
You use the RecipientFilter parameter to create OPATH filters based on the properties of recipient objects in Exchange Server 2016 or later,
and Exchange Online. The RecipientFilter parameter is available in the following cmdlets:
New-AddressList and Set-AddressList
New-DynamicDistributionGroup and Set-DynamicDistributionGroup
New-EmailAddressPolicy and Set-EmailAddressPolicy
New-GlobalAddressList and Set-GlobalAddressList
Properties that are present, but correspond to features that are no longer used in Exchange.
You can't use properties from other Active Directory schema extensions with the RecipientFilter parameter.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for
these properties, which indicates that the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or
$null ), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { },
but only if the filter doesn't contain variables. For more information, see Additional OPATH syntax information.
You typically use the object's name for properties that require a valid object value (for example, a mailbox, a distribution group, or an
email address policy, but the property might also accept the object's distinguished name (DN ) or globally unique identifier (GUID ).
To find the object's DN or GUID, use the Get- cmdlet that corresponds to the object's type (for example,
Get-EmailAddressPolicy | Format-List Name,DistinguishedName,GUID ).
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
The Value column in the table describes the acceptable values for the filter, not necessarily for the property itself. For example, a
property might obviously contain a date or numeric value, but when you use that property in a filter, it might be treated like a text
string (no value check, and wildcards are supported).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
AuditLogAgeLimit msExchMailboxAuditLogAgeLimit Dynamic distribution groups: String The value of this property is a time
(wildcards accepted). span: dd.hh:mm:ss where dd =
Others: Blank or non-blank. days, hh = hours, mm = minutes,
and ss = seconds.
Database homeMDB String (wildcards accepted). The identity of the user's mailbox
database.
ExternalEmailAddress targetAddress String (wildcards accepted). This property contains the external
email address for mail contacts and
mail users.
HiddenFromAddressListsEnabled msExchHideFromAddressLists Boolean ( $true or $false ) This property specifies whether the
recipient is visible in the global
address list or other address lists.
IsMailboxEnabled n/a Boolean ( $true or $false ) This property specifies whether the
user is mailbox-enabled.
ManagedBy managedBy String (wildcards accepted in This property identifies the security
dynamic distribution groups). principal that's the manager of the
group.
Name name String (wildcards accepted). The unique name value of the
recipient.
ObjectCategory objectCategory Dynamic distribution groups: String Valid values use the format
(wildcards accepted). CN=
Others: Valid Active Directory <Type>,CN=Schema,CN=Configuration,DC=
<domain>
ObjectCategory values.
, where <Type> is typically Person
or Group for recipients. For
example,
CN=Person,CN=Schema,CN=Configuration,DC=contoso
.
ObjectClass objectClass Dynamic distribution groups: String Common values for recipients are:
(wildcards accepted). contact , organizationalPerson
Others: Valid Active Directory , person , top , group ,
ObjectCategory values. msExchDynamicDistributionList ,
and user .
OfflineAddressBook msExchUseOAB String (wildcards accepted in This property contains the offline
dynamic distribution groups). address book (OAB) that's
associated with this recipient.
UserPrincipalName userPrincipalName String (wildcards accepted). This property contains the user
principal name (UPN) for this
recipient (for example,
kim@contoso.com ).
VoiceMailSettings msExchUCVoiceMailSettings String (wildcards accepted). Valid values for this property are:
ExchangeHostedVoiceMail=0 ,
ExchangeHostedVoiceMail=1 ,
CsHostedVoiceMail=0 , or
CsHostedVoiceMail=1 .
Exchange Online PowerShell is the administrative interface that enables you to manage your Microsoft Exchange
Online organization from the command line. For example, you can use Exchange Online PowerShell to configure
mail flow rules (also known as transport rules) and connectors. The following topics provide information about
using Exchange Online PowerShell:
To create a remote PowerShell session to your Exchange Online organization, see Connect to Exchange
Online PowerShell.
To prevent or allow connections to connect to your Exchange Online organization using remote PowerShell,
see Enable or disable access to Exchange Online PowerShell.
The following introductory video shows you how to connect to and use Exchange Online PowerShell.
Note: This video applies to Exchange Online and standalone Exchange Online Protection (EOP )
organizations. When you connect to your organization, be sure to specify the correct URL (ConnectionUri
value). The required URL is different for Exchange Online and EOP organizations.
Use Remote PowerShell in EOP
To find the permissions you need to run a specific cmdlet, or one or more parameters on the cmdlet, see
Find the permissions required to run any Exchange cmdlet.
To learn about recipient filters in Exchange Online PowerShell, see Recipient filters in Exchange
Management Shell and Exchange Online PowerShell commands.
Connect to Exchange Online PowerShell
9/23/2019 • 4 minutes to read • Edit Online
Exchange Online PowerShell allows you to manage your Exchange Online settings from the command line. You
use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange Online. It's a
simple three-step process where you enter your Office 365 credentials, provide the required connection settings,
and then import the Exchange Online cmdlets into your local Windows PowerShell session so that you can use
them.
IMPORTANT
If you want to use multi-factor authentication (MFA) to connect to Exchange Online PowerShell, you need to download and
use the Exchange Online Remote PowerShell Module. For more information, see Connect to Exchange Online PowerShell
using multi-factor authentication.
If you're a standalone Exchange Online Protection (EOP) customer (for example, you're using EOP to protect your on-
premises email environment), use the connection instructions in Connect to Exchange Online Protection PowerShell. If your
standalone EOP subscription is Exchange Enterprise CAL with Services (includes data loss prevention (DLP) and reporting
using web services), the connection instructions in this topic will work for you.
To require all PowerShell scripts that you download from the internet are signed by a trusted publisher, run
the following command in an elevated Windows PowerShell window (a Windows PowerShell window you
open by selecting Run as administrator):
Set-ExecutionPolicy RemoteSigned
You need to configure this setting only once on your computer, not every time you connect.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type your work or school account and
password, and then click OK.
2. Run the following command:
Notes:
For Office 365 operated by 21Vianet, use the ConnectionUri value:
https://partner.outlook.cn/PowerShell
For Office 365 Government Community Cloud High (GCC High), use the ConnectionUri value:
https://outlook.office365.us/powershell-liveid/
NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window
without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to
wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.
Remove-PSSession $Session
See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New -PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy
For more information about managing Office 365, see Manage Office 365.
Connect to Exchange Online PowerShell using multi-
factor authentication
11/7/2019 • 4 minutes to read • Edit Online
If you want to use multi-factor authentication (MFA) to connect to Exchange Online PowerShell, you can't use the
instructions at Connect to Exchange Online PowerShell to use remote PowerShell to connect to Exchange Online.
MFA requires you to install the Exchange Online Remote PowerShell Module, and use the Connect-
ExoPSSession cmdlet to connect.
NOTE
The Exchange Online Remote PowerShell Module is not supported in PowerShell Core (macOS, Linux, or Windows Nano
Server). As a workaround, you can install the module on a computer that's running a supported version of Windows (physical
or virtual), and use remote desktop software to connect.
Windows Remote Management (WinRM ) on your computer needs to allow basic authentication (it's
enabled by default). To verify that basic authentication is enabled, run this command in a Command
Prompt:
If you don't see the value Basic = true , you need to run this command to enable basic authentication for
WinRM:
If basic authentication is disabled, you'll get this error when you try to connect:
The WinRM client cannot process the request. Basic authentication is currently disabled in the client
configuration. Change the client configuration and try the request again.
When you use the Exchange Online Remote PowerShell Module, your session will end after one hour, which
can be problematic for long-running scripts or processes. To avoid this issue, use Trusted IPs to bypass MFA
for connections from your intranet. Trusted IPs allow you to connect to Exchange Online PowerShell from
your intranet using the old instructions at Connect to Exchange Online PowerShell. Also, if you have servers
in a datacenter, be sure to add their public IP addresses to Trusted IPs as described here.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online or Exchange Online Protection.
This example connects to Exchange Online in Office 365 using the account chris@contoso.com.
This example connects to Exchange Online in Office 365 Germany using the account lukas@fabrikam.com.
3. In the sign-in window that opens, enter your password, and then click Sign in.
A verification code is generated and delivered based on the verification response option that's configured
for your account (for example, a text message or the Azure Authenticator app on your mobile phone).
4. In the verification window that opens, enter the verification code, and then click Sign in.
NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Exchange Online Remote
PowerShell Module window without disconnecting the session, you could use up all the remote PowerShell sessions available
to you, and you'll need to wait for the sessions to expire. To disconnect all currently open PowerShell sessions in the current
window, run the following command:
Get-PSSession | Remove-PSSession
How do you know this worked?
After Step 4, the Exchange Online cmdlets are imported into your Exchange Online Remote PowerShell Module
session and tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to
run an Exchange Online cmdlet, for example, Get-Mailbox, and see the results.
If you receive errors, check the following requirements:
To help prevent denial-of-service (DoS ) attacks, you're limited to three open remote PowerShell connections
to your Exchange Online organization.
The account you use to connect to Exchange Online must be enabled for remote PowerShell. For more
information, see Enable or disable access to Exchange Online PowerShell.
TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but
it's something to consider if your organization has a restrictive Internet access policy.
Find the permissions required to run any Exchange
cmdlet
10/30/2019 • 4 minutes to read • Edit Online
You can use PowerShell to find the permissions required to run any Exchange or Exchange Online cmdlet. This
procedure shows the role-based access control (RBAC ) management roles and role groups that give you access to
a specified cmdlet—even if your organization has custom roles, custom role groups, or custom role assignments.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server or Exchange Online.
Troubleshooting
What if there are no results?
Verify that you entered the cmdlet and parameter names correctly.
You might have entered too many parameters, and all of the parameters on the cmdlet aren't defined in a
single role. Try specifying only the cmdlet name in Step 2, and run Step 3 to verify that the cmdlet is
available in your environment. Then, add parameters one at a time to Step 2 before running Step 3.
These possible causes have the same solution:
You might have entered a cmdlet or parameters that are defined in a role that isn't assigned to
anyone by default.
You might have entered a cmdlet or parameter that isn't available in your environment. For example,
when you enter an Exchange Online cmdlet or parameters in an on-premises Exchange 2016
environment.
Run the following command to find the role that contains the cmdlet or parameters. Be sure to replace
<Cmdlet> and optionally, <Parameter1>,<Parameter2>,... with the actual cmdlet and parameter names you
are interested in. Note that you can use wildcard characters (*) in the cmdlet and parameter names (for
example, *-Mailbox* ).
If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't
available in your environment.
If the command returns one or more entries for Name, Role, and Parameters, the cmdlet (or
parameters on the cmdlet) is available in your environment, but the required role isn't assigned to
anyone. To see all roles that aren't assigned to anyone, run the following command:
Related procedures
Management role scopes define where cmdlets can operate (in particular, write scopes).
To include scope information in Step 2, substitute the following command:
To see all roles assigned to a specific user, run the following command:
For example:
To see all users who are assigned a specific role, run the following command:
For example:
To see the members of a specific role group, run the following command:
For example:
Exchange Online PowerShell enables you to manage your Exchange Online organization from the command line.
By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators
can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online
PowerShell. Note that access to Exchange Online PowerShell doesn't give users extra administrative powers in
your organization. A user's capabilities in Exchange Online PowerShell are still defined by role based access
control (RBAC ) and the roles that are assigned to them.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.
This example enables access to Exchange Online PowerShell for the user david@contoso.com.
This example removes access to Exchange Online PowerShell for all users whose Title attribute contains the value
"Sales Associate".
$DSA = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales
Associate*')"
This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their accounts. The text
file must contain one account on each line as follows:
akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com
After you populate the text file with the user accounts you want to update, run the following commands:
This example displays the Exchange Online PowerShell access status of the user named Sarah Jones.
Get-User -Identity "Sarah Jones" | Format-List RemotePowerShellEnabled
To display the Exchange Online PowerShell access status for all users, run the following command:
To display only those users who don't have access to Exchange Online PowerShell, run the following command:
To display only those users who have access to Exchange Online PowerShell, run the following command:
You can use several Exchange Management Shell and Exchange Online PowerShell commands to filter a set of
recipients. You can create the following types of filters in an Exchange command:
Precanned filters
Custom filters using the RecipientFilter parameter
Custom filters using the Filter parameter
Custom filters using the ContentFilter parameter
Older versions of Exchange used LDAP filtering syntax to create custom address lists, global address lists (GALs),
email address policies, and distribution groups. In Exchange Server 2007 and later versions, OPATH filtering
syntax replaced LDAP filtering syntax.
Precanned filters
A precanned filter is a commonly used Exchange filter that you can use to meet a variety of recipient-filtering
criteria for creating dynamic distribution groups, email address policies, address lists, or GALs. With precanned
filters, you can use either the Exchange PowerShell or the Exchange admin center (EAC ). Using precanned filters,
you can do the following:
Determine the scope of recipients.
Add conditional filtering based on properties such as company, department, and state or region.
Add custom attributes for recipients. For more information, see Custom Attributes.
The following parameters are considered precanned filters:
IncludedRecipients
ConditionalCompany
ConditionalDepartment
ConditionalStateOrProvince
ConditionalCustomAttribute1 to ConditionalCustomAttribute15.
Precanned filters are available for the following cmdlets:
New -DynamicDistributionGroup
Set-DynamicDistributionGroup
New -EmailAddressPolicy
Set-EmailAddressPolicy
New -AddressList
Set-AddressList
New -GlobalAddressList
Set-GlobalAddressList
Precanned filter example
This example describes using precanned filters in the Exchange Management Shell to create a dynamic
distribution group. The syntax in this example is similar but not identical to the syntax you would use to create an
email address policy, address list, or GAL. When creating a precanned filter, you should ask the following
questions:
From which organizational unit (OU ) do you want to include recipients? (This question corresponds to the
RecipientContainer parameter.)
NOTE
Selecting the OU for this purpose applies only when creating dynamic distribution groups, and not when creating email
address policies, address lists, or GALs.
What type of recipients do you want to include? (This question corresponds to the IncludedRecipients
parameter.)
What additional conditions do you want to include in the filter? (This question corresponds to the
ConditionalCompany, ConditionalDepartment, ConditionalStateOrProvince, and
ConditionalCustomAttribute parameters.)
This example creates the dynamic distribution group Contoso Finance for user mailboxes in the OU
Contoso.com/Users and specifies the condition to include only recipients who have the Department attribute
defined as Finance and the Company attribute defined as Contoso.
This example displays the properties of this new dynamic distribution group.
For more information about the filterable properties that you can use with the ContentFilter parameter, see
Filterable properties for the ContentFilter parameter.
Integer values: You don't need to enclose integers (for example, 500 ). You can often enclose
integers in single quotation marks or double quotation marks, but that limits the characters you can
use to enclose the whole OPath filter.
System values: Don't enclose system values (for example, $true , $false , or $null ). To enclose
the whole OPath filter in double quotation marks, you need to escape the dollar sign in system value
(for example, `$true ).
You need to enclose the whole OPath filter in double quotation marks " or " single quotation marks ' '.
Although any OPath filter object is technically a string and not a script block, you can still use braces { }, but
only if the filter doesn't contain variables that require expansion. The characters that you can use to enclose
the whole OPath filter depend on types of values that you're searching for and the characters you used (or
didn't use) to enclose those values:
Text values: Depends on how you enclosed the text to search for:
Text enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces.
Text enclosed in double quotation marks: Enclose the whole OPath filter in braces.
Variables: Enclose the whole OPath filter in double quotation marks (for example,
"Name -eq '$User'" ).
Integer values: Depends on how you enclosed (or didn't enclose) the integer to search for:
Integer not enclosed: Enclose the whole OPath filter in double quotation marks, single
quotation marks, or braces (for example "CountryCode -eq 840" ).
Integer enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces "CountryCode -eq '840'" .
Integer enclosed in double quotation marks: Enclose the whole OPath filter in braces (for
example {CountryCode -eq "840"} ).
System values: Enclose the whole OPath filter in single quotation marks or braces (for example
'HiddenFromAddressListsEnabled -eq $true' ). If you escape the dollar sign system value, you can also
enclose the whole OPath filter in double quotation marks (for example,
"HiddenFromAddressListsEnabled -eq `$true" ).
The compatibility of search criteria and the valid characters that you can use to enclose the whole OPath
filter are summarized in the following table:
'Text'
"Text"
'$Variable'
500
'500'
"500"
$true
`$true
Include the hyphen before all operators. The most common operators include:
-and
-or
-not
-eq (equals)
-ne (not equal)
-lt (less than)
-gt (greater than)
-like (string comparison)
-notlike (string comparison)
Many filterable properties accept wildcard characters. If you use a wildcard character, use the -like operator
instead of the -eq operator. The -like operator is used to find pattern matches in rich types (for example,
strings) whereas the -eq operator is used to find an exact match.
For more information about operators you can use, see:
about_Logical_Operators
about_Comparison_Operators
TOPIC DESCRIPTION
Filterable properties for the RecipientFilter parameter Learn more about the filterable properties that are available
for the RecipientFilter parameter.
Filterable properties for the Filter parameter Learn more about the filterable properties that are available
for the Filter parameter.
Filterable properties for the Filter parameter
10/30/2019 • 46 minutes to read • Edit Online
You use the Filter parameter to create OPATH filters based on the properties of user and group objects in Exchange Server and Exchange Online. The Filter parameter is
available on these recipient cmdlets:
Get-CASMailbox
Get-Contact
Get-DistributionGroup
Get-DynamicDistributionGroup
Get-Group
Get-LinkedUser
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup
For more information, see Recipient filters in Exchange PowerShell commands.
NOTE
The Filter parameter is also available on other cmdlets (for example, Get-MailboxStatistics, Get-Queue, and Get-Message). However, the property values that are accepted by the Filter
parameter on these cmdlets aren't similar to the user and group properties that are described in this topic.
Filterable properties
The properties that have been confirmed to work with the Filter parameter in user and group cmdlets are described in the following table.
Notes:
The list might include:
Properties that are only used in one type of environment: Microsoft Office 365, on-premises Exchange, or hybrid. The property might exist on recipient objects
in all environments, but the value is only meaningful (a value other than blank or None ) in one type of environment.
Properties that are present, but correspond to features that are no longer used in Exchange 2016 or later.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for these properties, which indicates that
the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or $null ), use single quotation marks ' '
instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables. For more information, see
Additional OPATH syntax information.
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
AcceptMessagesOnlyFrom authOrig Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the individual recipient (a
Get-Mailbox mailbox, mail user, or mail contact).
Get-MailContact For example,
Get-MailPublicFolder Get-DistributionGroup -Filter
Get-MailUser "AcceptMessagesOnlyFrom -eq
'CN=Yuudai
Get-RemoteMailbox Uchida,CN=Users,DC=contoso,DC=com'"
Get-UnifiedGroup or
Get-DistributionGroup -Filter
"AcceptMessagesOnlyFrom -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of
the individual recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
AcceptMessagesOnlyFromDLMemb dLMemSubmitPerms Get-DistributionGroup String or $null This filter requires the distinguished
ers Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the group (a distribution
Get-MailContact group, mail-enabled security group,
Get-MailPublicFolder or dynamic distribution group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "AcceptMessagesOnlyFromDLMembers -eq
'CN=Marketing
Department,CN=Users,DC=contoso,DC=com'"
. or
Get-Mailbox -Filter
"AcceptMessagesOnlyFromDLMembers
-eq 'contoso.com/Users/Marketing
Department'"
.
To find the distinguished name of
the group, replace
<GroupIdentity> with the name,
alias, or email address of the group,
and run one of these commands:
Get-DistributionGroup -
Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
or
Get-DynamicDistributionGroup
-Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
ActiveSyncAllowedDeviceIDs msExchMobileAllowedDeviceIds Get-CASMailbox String (wildcards accepted) or A device ID is a text string that
$null uniquely identifies the device. Use
the Get-MobileDevice cmdlet to
see the devices that have
ActiveSync partnerships with a
mailbox. To see the device IDs on a
mailbox, replace <MailboxIdentity>
with the name, alias, or email
address of the mailbox, and run
this command:
Get-MobileDevice -Mailbox
<MailboxIdentity> | Format-
List
.
After you have the device ID value,
you can use it in the filter. For
example,
Get-CasMailbox -Filter "
(ActiveSyncAllowedDeviceIDs -
like '*text1') -or
(ActiveSyncAllowedDeviceIDs -
eq 'text2'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
ActiveSyncBlockedDeviceIDs msExchMobileBlockedDeviceIds Get-CASMailbox String (wildcards accepted) or A device ID is a text string that
$null uniquely identifies the device. Use
the Get-MobileDevice cmdlet to
see the devices that have
ActiveSync partnerships with a
mailbox. To see the device IDs on a
mailbox, replace <MailboxIdentity>
with the name, alias, or email
address of the mailbox, and run
this command:
Get-MobileDevice -Mailbox
<MailboxIdentity> | Format-
List
.
After you have the device ID value,
you can use it in a filter. For
example,
Get-CasMailbox -Filter "
(ActiveSyncBlockedDeviceIDs -
like '*text1') -or
(ActiveSyncBlockedDeviceIDs -
eq 'text2'"
.
ActiveSyncMailboxPolicy msExchMobileMailboxPolicyLink Get-CASMailbox String or $null This filter requires the distinguished
Get-Recipient name of the ActiveSync mailbox
policy. For example,
Get-CASMailbox -Filter "ActiveSyncMailboxPolicy -eq
'CN=Default,CN=Mobile Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of ActiveSync mailbox
policies by running this command:
Get-MobileDeviceMailboxPolicy
| Format-List
Name,DistinguishedName
.
Note: For the default assignment
of the default ActiveSync mailbox
policy (named Default) to a
mailbox, the value of the
ActiveSyncMailboxPolicy
property is blank ( $null ).
AddressBookPolicy msExchAddressBookPolicyLink Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the address book policy.
For example,
Get-Mailbox -Filter "AddressBookPolicy -eq 'CN=Contoso
ABP,CN=AddressBook Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of address book policies by
running this command:
Get-AddressBookPolicy |
Format-List
Name,DistinguishedName
.
AddressListMembership showInAddressBook Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the address list. For
Get-Mailbox example,
Get-MailContact Get-MailContact -Filter "AddressListMembership -eq
Get-MailPublicFolder 'CN=All Contacts,CN=All Address Lists,CN=Address Lists
Container,CN=Contoso Corporation,CN=Microsoft
Get-MailUser Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
Get-Recipient .
Get-RemoteMailbox You can find the distinguished
Get-UnifiedGroup names of address lists by running
this command:
Get-AddressList | Format-List
Name,DistinguishedName
.
ArbitrationMailbox msExchArbitrationMailbox Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the arbitration mailbox.
Get-Mailbox For example,
Get-MailContact Get-DistributionGroup -Filter
Get-MailPublicFolder "ArbitrationMailbox -eq
'CN=SystemMailbox"1f05a927-2e8f-4cbb-9039-
Get-MailUser 2cfb8b95e486",CN=Users,DC=contoso,DC=com'"
Get-RemoteMailbox .
You can find the distinguished
names of arbitration mailboxes by
running this command:
Get-Mailbox -Arbitration |
Format-List
Name,DistinguishedName
.
ArchiveDatabase msExchArchiveDatabaseLink Get-Mailbox String or $null This filter requires the distinguished
Get-MailUser name of the archive mailbox
Get-Recipient database. For example,
Get-RemoteMailbox Get-Mailbox -Filter "ArchiveMailbox -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
ArchiveDomain msExchArchiveAddress Get-Mailbox String (wildcards accepted) or This property is used in on-
$null premises Exchange environments
to identify the Office 365
organization that holds the archive
mailbox. For example,
Get-Mailbox -Filter
"ArchiveDomain -like
'*contoso.onmicrosoft.com'"
.
ArchiveGuid msExchArchiveGUID Get-Mailbox String or $null This filter requires the GUID of the
Get-MailUser archive mailbox. For example,
Get-Recipient Get-Mailbox -Filter
Get-RemoteMailbox "ArchiveMailbox -eq
'6476f55e-e5eb-4462-a095-
f2cb585d648d'"
.
You can find the GUID of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveGUID
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
ArchiveName msExchArchiveName Get-Mailbox String (wildcards accepted) or This filter requires the name of the
Get-MailUser $null archive mailbox. For example,
Get-RemoteMailbox Get-Mailbox -Filter
"ArchiveName -like 'In-Place
Archive*'"
.
You can find the names of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveName
.
ArchiveQuota msExchArchiveQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ArchiveQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ArchiveQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ArchiveQuota -<Operator>
'<Size>'"
. For example,
Get-Mailbox | where
"$_.ArchiveQuota -gt '85GB'"
.
ArchiveWarningQuota msExchArchiveWarnQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ArchiveWarningQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ArchiveWarningQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ArchiveWarningQuota -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.ArchiveWarningQuota -gt
'85GB'"
.
AuditLogAgeLimit msExchMailboxAuditLogAgeLimit Get-Mailbox A time span value: dd.hh:mm:ss You can't use the Filter parameter
Get-UnifiedGroup where dd = days, hh = hours, mm to look for time span values for this
= minutes, and ss = seconds. property. Instead, use this syntax:
Get-Mailbox | where
"$_.AuditLogAgeLimit -
<Operator> '<TimeSpan>'"
. For example,
Get-Mailbox | where
"$_.AuditLogAgeLimit -gt
'60.00:00:00'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
BlockedSendersHash msExchBlockedSendersHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'BlockedSendersHash -ne
$null'.
c c Get-Contact String (wildcards accepted) or This filter requires the ISO 3166-1
Get-LinkedUser $null two-letter country code for the
Get-Recipient user (for example, S for the
Get-SecurityPrincipal United States). This property is
Get-User used together with the co and
countryCode properties to define
the user's country in Active
Directory.
For example,
Get-User -Filter "c -eq 'US'" .
CalendarLoggingQuota msExchCalendarLoggingQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
example, 300MB or 1.5GB ), or parameter to look for the value
Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"CalendarLoggingQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"CalendarLoggingQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.CalendarLoggingQuota -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.CalendarLoggingQuota -gt
'10GB'"
.
CountryCode countryCode Get-Contact Integer This filter requires the ISO 3166-1
Get-LinkedUser three-digit country code for the
Get-Recipient user (for example, 840 for the
Get-SecurityPrincipal United States). This property is
Get-User used together with the c and co
properties to define the user's
country in Active Directory.
For example,
Get-User -Filter "countryCode
-eq 796"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
DefaultPublicFolderMailbox msExchPublicFolderMailbox Get-Mailbox String or $null This filter requires the distinguished
name or canonical distinguished
name of the public folder mailbox.
For example,
Get-Mailbox -Filter
"DefaultPublicFolderMailbox -eq 'CN=PF
Mailbox01,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"DefaultPublicFolderMailbox -
eq 'contoso.com/Users/PF
Mailbox01'"
.
To find the distinguished names of
public folder mailboxes, run this
command:
Get-Mailbox -PublicFolder |
Format-List
Name,DistinguishedName
.
DirectReports directReports Get-Contact String or $null This filter requires the distinguished
Get-LinkedUser name or canonical distinguished
Get-User name of the direct report. For
example,
Get-User -Filter "DirectReports -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-User -Filter
"DirectReports -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
direct report, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
DisabledArchiveDatabase msExchDisabledArchiveDatabaseLi Get-Mailbox String or $null This filter requires the distinguished
nk Get-MailUser name of the disabled archive
Get-RemoteMailbox mailbox database. For example,
Get-Mailbox -Filter "DisabledArchiveDatabase -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
DisabledArchiveGuid msExchDisabledArchiveDatabaseG Get-Mailbox String or $null This filter requires the GUID of the
UID Get-MailUser disabled archive mailbox. For
Get-RemoteMailbox example,
Get-Mailbox -Filter
"DisabledArchiveGuid -eq
'6476f55e-e5eb-4462-a095-
f2cb585d648d'"
.
You can find the GUID of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveGUID
.
ForwardingAddress altRecipient Get-Mailbox String or $null This filter requires the distinguished
Get-MailPublicFolder name or canonical distinguished
Get-MailUser name of the forwarding recipient.
Get-RemoteMailbox For example,
Get-Mailbox -Filter
"ForwardingAddress -eq 'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"ForwardingAddress -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
forwarding recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
GrantSendOnBehalfTo publicDelegates Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the mail-enabled security
Get-MailContact principal (mailbox, mail user, or
Get-MailPublicFolder mail-enabled security group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "GrantSendOnBehalfTo -eq 'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"GrantSendOnBehalfTo -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
mail-enabled security principal,
replace <RecipientIdentity> with
the name, alias, or email address of
the recipient, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
IssueWarningQuota mDBStorageQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"IssueWarningQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"IssueWarningQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.IssueWarningQuota -
<Operator> '<Size>'
". For example,
Get-Mailbox | where
"$_.IssueWarningQuota -lt
'50GB'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
LanguagesRaw msExchUserCulture Get-Mailbox String (wildcards accepted) or This property is named Languages
$null in the properties of a mailbox, and
it contains the language preference
for the mailbox in the format
<ISO 639 two-letter culture
code>-<ISO 3166 two-letter
subculture code>
. For example, United States English
is en-US . For more information,
see CultureInfo Class.
You can specify multiple values
separated by commas, but the
order matters. For example,
Get-Mailbox -Filter
"LanguagesRaw -eq 'en-US,es-
MX'"
returns different results than
Get-Mailbox -Filter
"LanguagesRaw -eq 'es-MX,en-
US'"
.
For single values, this multivalued
property will return a match if the
property contains the specified
value.
LitigationHoldOwner msExchLitigationHoldOwner Get-Mailbox String (wildcards accepted) or This property uses the user
Get-MailUser $null principal name of the litigation hold
Get-RemoteMailbox owner. For example,
Get-Mailbox -Filter
"LitigationHoldOwner -eq
'agruber@contoso.com'"
.
MailboxMoveBatchName msExchMailboxMoveBatchName Get-Mailbox String (wildcards accepted) or This property includes the name of
Get-MailUser $null the migration batch. For example,
Get-Recipient Get-Mailbox -Filter
Get-RemoteMailbox "MailboxMoveBatchName -like
'*LocalMove 01*'"
.
You can find the names of
migration batches by running the
Get-MigrationBatch command.
Note that migration batches that
you create in the Exchange admin
center use the naming convention
MigrationService:
<MigrationBatchName>
.
MailboxMoveFlags msExchMailboxMoveFlags Get-Mailbox For valid values, see the description For example,
Get-MailUser of the Flags parameter inGet- Get-Mailbox -Filter
Get-Recipient MoveRequest. "MailboxMoveFlags -ne 'None'"
Get-RemoteMailbox .
You can specify multiple values
separated by commas, and the
order doesn't matter. For example,
Get-Recipient -Filter
"MailboxMoveFlags -eq
'IntraOrg,Pull'"
returns the same results as
Get-Recipient -Filter
"MailboxMoveFlags -eq
'Pull,IntraOrg'"
.
This multivalued property will only
return a match if the property
equals the specified value.
MailboxMoveSourceMDB msExchMailboxMoveSourceMDBLin Get-Mailbox String or $null This filter requires the distinguished
k Get-MailUser name of the source mailbox
Get-Recipient database. For example,
Get-RemoteMailbox Get-Mailbox -Filter "MailboxMoveSourceMDB -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
MailboxMoveStatus msExchMailboxMoveStatus Get-Mailbox For valid values, see the description For example,
Get-MailUser of the MoveStatus parameter Get-Mailbox -Filter
Get-Recipient inGet-MoveRequest. "MailboxMoveStatus -eq
'Completed'"
Get-RemoteMailbox
.
MailboxMoveTargetMDB msExchMailboxMoveTargetMDBLin Get-Mailbox String or $null This filter requires the distinguished
k Get-MailUser name of the target mailbox
Get-Recipient database. For example,
Get-RemoteMailbox Get-Mailbox -Filter "MailboxMoveTargetMDB -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.
MailTipTranslations msExchSenderHintTranslations Get-DistributionGroup String (wildcards accepted) or When you use this property in a
Get-DynamicDistributionGroup $null filter, you need to account for the
Get-Mailbox leading and trailing HTML tags. For
Get-MailContact example,
Get-MailPublicFolder Get-DistributionGroup -Filter
Get-MailUser "MailTipTranslations -like
'*is not monitored.*'"
Get-RemoteMailbox
Get-UnifiedGroup .
ManagedBy managedBy Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Group name of the group owner (a mail-
Get-Recipient enabled security principal, which is
Get-UnifiedGroup a mailbox, mail user, or mail-
enabled security group). For
example,
Get-Mailbox -Filter "ManagedBy -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"ManagedBy -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
mail-enabled security principal,
replace <RecipientIdentity> with
the name, alias, or email address of
the recipient, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
Manager manager Get-Contact String or $null This filter requires the distinguished
Get-LinkedUser name or canonical distinguished
Get-Recipient name of the manager (a mailbox or
Get-User mail user). For example,
Get-User -Filter "Manager -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter "Manager
-eq 'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
manager, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName.
MaxReceiveSize delivContLength Get-DistributionGroup A byte quantified size value (for You can only use the Filter
Get-DynamicDistributionGroup example, 75MB ), or Unlimited . parameter to look for the value
Get-Mailbox Unqualified values are treated as Unlimited for this property. For
Get-MailContact bytes. example,
Get-MailPublicFolder Get-Mailbox -Filter
Get-MailUser "MaxReceiveSize -eq
'Unlimited'"
Get-RemoteMailbox
Get-UnifiedGroup or
Get-Mailbox -Filter
"MaxReceiveSize -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.MaxReceiveSize -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.MaxReceiveSize -gt
'50GB'"
.
MaxSendSize submissionContLength Get-DistributionGroup A byte quantified size value (for You can only use the Filter
Get-DynamicDistributionGroup example, 75MB ), or Unlimited . parameter to look for the value
Get-Mailbox Unqualified values are treated as Unlimited for this property. For
Get-MailContact bytes. example,
Get-MailPublicFolder Get-Mailbox -Filter
Get-MailUser "MaxSendSize -eq 'Unlimited'"
Get-RemoteMailbox or
Get-UnifiedGroup Get-Mailbox -Filter
"MaxSendSize -ne 'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.MaxReceiveSize -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.MaxSendSize -gt '50GB'"
.
MemberOfGroup memberOf Get-CASMailbox String or $null This filter requires the distinguished
Get-Contact name or canonical distinguished
Get-DistributionGroup name of the distribution group or
Get-DynamicDistributionGroup mail-enabled security group. For
Get-Group example,
Get-LinkedUser Get-User -Filter "MemberOfGroup -eq
Get-Mailbox 'CN=Marketing
Department,CN=Users,DC=contoso,DC=com'"
Get-MailContact
Get-MailPublicFolder or
Get-User -Filter
Get-MailUser "MemberOfGroup -eq
Get-Recipient 'contoso.com/Users/Marketing
Get-RemoteMailbox Group'"
Get-SecurityPrincipal .
Get-UMMMailbox To find the distinguished name of a
Get-User group, replace <GroupIdentity>
with the name, alias, or email
address of the group, and run this
command:
Get-DistributionGroup -
Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
Members member Get-DistributionGroup String or $null This filter requires the distinguished
Get-Group name or canonical distinguished
Get-Recipient name of the group member. For
Get-SecurityPrincipal example,
Get-Group -Filter "Members -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-User -Filter "Members -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
group member, replace
<RecipientIdentity> with the
name, alias, or email address of the
group member, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
OfflineAddressBook msExchUseOAB Get-Mailbox String or $null This filter requires the distinguished
name of the offline address book.
For example,
Get-Mailbox -Arbitration -Filter "OfflineAddressBook -eq
'CN=OAB 1,CN=Offline Address Lists,CN=Address Lists
Container,CN=Contoso Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished
names of offline address books by
running this command:
Get-OfflineAddressBook |
Format-List
Name,DistinguishedName
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
OWAEnabled n/a Get-CASMailbox Boolean ( $true or $false ) The filter operates backwards. For
example,
Get-CASMailbox -Filter
'OWAEnabled -eq $true'
returns mailboxes where the
OWAEnabled property is False ,
and
Get-CASMailbox -Filter
'OWAEnabled -eq $false'
returns mailboxes where the
OWAEnabled property is True
OWAMailboxPolicy msExchOWAPolicy Get-CASMailbox String or $null This filter requires the distinguished
Get-Recipient name of the Outlook on the web
mailbox policy (formerly known as
an Outlook Web App mailbox
policy). For example,
Get-CASMailbox -Filter "OWAMailboxPolicy -eq
'CN=Default,CN=OWA Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com
'".
You can find the distinguished
names of Outlook on the web
mailbox policies by running this
command:
Get-OwaMailboxPolicy |
Format-List
Name,DistinguishedName
.
PersistedCapabilities n/a Get-Mailbox String or $null Typically, the value of this property
Get-MailUser something other than $null
Get-RemoteMailbox (blank) for Office 365 accounts and
mailboxes. For more information
about the valid property values,
seeCapability enumeration.
For example,
Get-Mailbox -Filter
'PersistedCapabilities -ne
$null'
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
PreviousRecipientTypeDetails msExchPreviousRecipientTypeDetai Get-LinkedUser String or $null For valid values, see the description
ls Get-User of the RecipientTypeDetails
parameter inGet-Recipient.
For example,
Get-User -Filter
'PreviousRecipientTypeDetails
-ne $null'
.
ProhibitSendQuota mDBOverQuotaLimit Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ProhibitSendQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ProhibitSendQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ProhibitSendQuota -
<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.ProhibitSendQuota -lt
'70GB'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
ProhibitSendReceiveQuota mDBOverHardQuotaLimit Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"ProhibitSendReceiveQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"ProhibitSendReceiveQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.ProhibitSendReceiveQuota
-<Operator> '<Size>'"
. For example,
Get-Mailbox | where
"$_.ProhibitSendReceiveQuota
-lt '70GB'"
.
ProtocolSettings protocolSettings Get-Mailbox String (wildcards accepted) or The default value of this property
Get-MailUser $null on mailboxes is
Get-RemoteMailbox RemotePowerShell§1 . This
property is populated with
additional values when you use
Set-CASMailbox to disable
protocols (for example, POP3 or
IMAP4).
For example,
Get-Mailbox -Filter
"ProtocolSettings -like
'*POP3*'"
.
QueryBaseDN msExchQueryBaseDN Get-Mailbox String or $null This property was used in Exchange
2007 global address list
segregation to specify a location in
Active Directory. This feature was
replaced by address book policies
in Exchange 2010 Service Pack 2,
so the value of this property
should always be blank ( $null ).
For example,
Get-Mailbox -Filter
'QueryBaseDN -ne $null'
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
RecipientContainer msExchDynamicDLBaseDN Get-DynamicDistributionGroup String or $null This filter requires the distinguished
name or canonical distinguished
name of the organizational unit or
container in Active Directory. For
example,
Get-DynamicDistributionGroup
-Filter "RecipientContainer -
eq
'CN=Users,DC=contoso,DC=com'"
or
Get-DynamicDistributionGroup
-Filter "RecipientContainer -
eq 'contoso.com/Users'"
To find the distinguished names or
canonical distinguished names of
organizational units and containers
in Active Directory, run this
command:
Get-OrganizationalUnit -
IncludeContainers | Format-
List
Name,DistinguishedName,ID
.
RecipientTypeDetails n/a Get-Contact String For valid values, see the description
Get-DistributionGroup of the RecipientTypeDetails
Get-DynamicDistributionGroup parameter in Get-Recipient.
Get-Group For example,
Get-LinkedUser Get-Recipient -Filter
Get-Mailbox "RecipientTypeDetails -eq
'SharedMailbox'"
Get-MailContact
Get-MailPublicFolder .
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-User
Get-UnifiedGroup
RecoverableItemsQuota msExchDumpsterQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"RecoverableItemsQuota -eq
'Unlimited'"
or
Get-Mailbox -Filter
"RecoverableItemsQuota -ne
'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.RecoverableItemsQuota -
<Operator> '<Size>'
. For example,
Get-Mailbox | where
"$_.RecoverableItemsQuota -gt
'35GB'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
RecoverableItemsWarningQuota msExchDumpsterWarningQuota Get-Mailbox A byte quantified size value (for You can only use the Filter
Get-MailUser example, 300MB or 1.5GB ), or parameter to look for the value
Get-RemoteMailbox Unlimited . Unqualified values are Unlimited for this property. For
treated as bytes. example,
Get-Mailbox -Filter
"RecoverableItemsWarningQuota
-eq 'Unlimited'"
or
Get-Mailbox -Filter
"RecoverableItemsWarningQuota
-ne 'Unlimited'"
.
You can't use the Filter parameter
to look for size values of this
property. Instead, use this syntax:
Get-Mailbox | where
"$_.RecoverableItemsWarningQuota
-<Operator> '<Size>'
". For example,
Get-Mailbox | where
"$_.RecoverableItemsWarningQuota
-gt '25GB'"
.
RejectMessagesFrom unauthOrig Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name of the individual recipient (a
Get-Mailbox mailbox, mail user, or mail contact).
Get-MailContact For example,
Get-MailPublicFolder Get-DistributionGroup -Filter
Get-MailUser "RejectMessagesFrom -eq 'CN=Yuudai
Uchida,CN=Users,DC=contoso,DC=com'"
Get-RemoteMailbox
Get-UnifiedGroup or
Get-DistributionGroup -Filter
"RejectMessagesFrom -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of
the individual recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
RejectMessagesFromDLMembers dLMemRejectPerms Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the group (a distribution
Get-MailContact group, mail-enabled security group,
Get-MailPublicFolder or dynamic distribution group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "RejectMessagesFromDLMembers -eq
'CN=Marketing
Department,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"RejectMessagesFromDLMembers
-eq
'contoso.com/Users/Marketing
Department'"
.
To find the distinguished name of
the group, replace
<GroupIdentity> with the name,
alias, or email address of the group,
and run one of these commands:
Get-DistributionGroup -
Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
or
Get-DynamicDistributionGroup
-Identity "<GroupIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.
RemoteAccountPolicy msExchSyncAccountsPolicyDN Get-Mailbox String or $null This filter requires the distinguished
name of the remote account policy.
For example,
Get-Mailbox -Filter "RemoteAccountPolicy -eq 'CN=Contoso
Remote Account Policy,CN=Remote Accounts Policies
Container,CN=Contoso Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
RetainDeletedItemsFor garbageCollPeriod Get-Mailbox A time span value: dd.hh:mm:ss You can't use the Filter parameter
Get-MailUser where dd = days, hh = hours, mm to look for time span values for this
Get-RemoteMailbox = minutes, and ss = seconds. property. Instead, use this syntax:
Get-Mailbox | where
"$_.RetainDeletedItemsFor -
<Operator> '<TimeSpan>'"
. For example,
Get-Mailbox | where
"$_.RetainDeletedItemsFor -gt
'14.00:00:00'"
.
RetentionPolicy n/a Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the retention policy. For
example,
Get-Mailbox -Filter "RetentionPolicy -eq 'CN=Default MRM
Policy,CN=Retention Policies Container,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
retention policies, run this
command:
Get-RetentionPolicy | Format-
List Name,DistinguishedName
.
RoleAssignmentPolicy msExchRBACPolicyLink Get-Mailbox String (wildcards accepted) or This filter requires the distinguished
$null name of the role assignment policy
in Exchange Online. For example,
Get-Mailbox -Filter "RoleAssignmentPolicy -eq 'CN=Default
Policy,CN=Policies,CN=RBAC,CN=Configuration,CN=contoso.onm
.
To find the distinguished names of
role assignment policies in
Exchange Online, run this
command:
Get-RoleAssignmentPolicy |
Format-List
Name,DistinguishedName
.
RulesQuota msExchMDBRulesQuota Get-Mailbox A byte quantified size value (for You can't use the Filter parameter
example, 50B or 128KB ). to look for size values of this
Unqualified values are treated as property. Instead, use this syntax:
bytes. Get-Mailbox | where
"$_.RulesQuota -<Operator>
'<Size>'"
. For example,
Get-Mailbox | where
"$_.RulesQuota -lt '256KB'"
.
SafeRecipientsHash msExchSafeRecipientsHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'SafeRecipientsHash -ne
$null'.
SafeSendersHash msExchSafeSendersHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'SafeSendersHash -ne $null'.
SCLDeleteThresholdInt msExchMessageHygieneSCLDeleteT Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
hreshold 2147483647 (SCL value 1), - SCLDeleteThreshold in the results
2147483646 (SCL value 2), - of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name SCLDeleteThresholdInt in
2147483640 (SCL value 8), - the filter. For example,
Get-Mailbox -Filter
2147483639 (SCL value 9) or "SCLDeleteThresholdInt -ge -
$null 2147483640"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
SCLJunkThresholdInt msExchMessageHygieneSCLJunkTh Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
reshold 2147483647 (SCL value 1), - SCLJunkThreshold in the results
2147483646 (SCL value 2), - of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name SCLJunkThresholdInt in the
2147483640 (SCL value 8), - filter. For example,
Get-Mailbox -Filter
2147483639 (SCL value 9) or "SCLJunkThresholdInt -ge -
$null 2147483645"
.
SCLQuarantineThresholdInt msExchMessageHygieneSCLQuaran Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
tineThreshold 2147483647 (SCL value 1), - SCLQuarantineThreshold in the
2147483646 (SCL value 2), - results of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name
2147483640 (SCL value 8), - SCLQuarantineThresholdInt in
2147483639 (SCL value 9) or the filter. For example,
Get-Mailbox -Filter
$null "SCLQuarantineThresholdInt -
ge -2147483643"
.
SCLRejectThresholdInt msExchMessageHygieneSCLRejectT Get-Mailbox -2147483648 (SCL value 0), - This property is displayed as
hreshold 2147483647 (SCL value 1), - SCLRejectThreshold in the results
2147483646 (SCL value 2), - of the command
2147483645 (SCL value 3), - Get-Mailbox -Identity
2147483644 (SCL value 4), - <MailboxIdentity> | Format-
List
2147483643 (SCL value 5), -
2147483642 (SCL value 6), - , but you need to use the property
2147483641 (SCL value 7), - name SCLRejectThresholdInt in
2147483640 (SCL value 8), - the filter. For example,
Get-Mailbox -Filter
2147483639 (SCL value 9) or "SCLRejectThresholdInt -ge -
$null 2147483641"
.
SharingPolicy msExchSharingPolicyLink Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the sharing policy. For
example,
Get-Mailbox -Filter "SharingPolicy -eq 'CN=Custom Sharing
Policy,CN=Federation,CN=Contoso Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
sharing policies, run this command:
Get-SharingPolicy | Format-
List Name,DistinguishedName
.
Note: For the default assignment
of the default sharing policy
(named Default Sharing Policy) to a
mailbox, the value of the
SharingPolicy property is blank (
$null ).
ThrottlingPolicy msExchThrottlingPolicyDN Get-Mailbox String or $null This filter requires the distinguished
name of the throttling policy. For
example,
Get-Mailbox -Filter "ThrottlingPolicy -eq 'CN=Custom
Throttling Policy,CN=Global Settings,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
throttling policies, run this
command:
Get-ThrottlingPolicy |
Format-List
Name,DistinguishedName
.
UMMailboxPolicy msExchUMTemplateLink Get-Recipient String or $null This filter requires the distinguished
Get-UMMailbox name of the UM mailbox policy. For
example,
Get-Recipient -Filter "UMMailboxPolicy -eq 'CN=Contoso
Default Policy,CN=UM Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
UM mailbox policies, run this
command:
Get-UMMailboxPolicy | Format-
List Name,DistinguishedName
.
UMRecipientDialPlanId msExchUMRecipientDialPlanLink Get-Recipient String or $null This filter requires the distinguished
name of the UM dial plan. For
example,
Get-Recipient -Filter "UMMailboxPolicy -eq 'CN=Contoso
Dial Plan,CN=UM DialPlan Container,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
To find the distinguished names of
UM dial plans, run this command:
Get-UMDialPlan | Format-List
Name,DistinguishedName
.
UsageLocation msExchUsageLocation Get-Mailbox String or $null This filter requires the ISO 3166-1
Get-MailUser country name (for example,
Get-Recipient United States ), or two-letter
country code (for example US ) for
the user in Office 365. For more
information, see Country Codes -
ISO 3166.
For example,
Get-Recipient -Filter
'UsageLocation -ne $null'
.
WhenSoftDeleted msExchWhenSoftDeletedTime Get-LinkedUser A date/time value This filter requires the SoftDeleted
Get-Mailbox switch in the command for
Get-MailUser mailboxes.
Get-RemoteMailbox For example,
Get-User Get-Mailbox -SoftDeleted -
Get-UnifiedGroup Filter "WhenSoftDeleted -gt
'8/1/2017 2:00:00 PM'"
.
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS
You use the RecipientFilter parameter to create OPATH filters based on the properties of recipient objects in Exchange Server 2016 or later,
and Exchange Online. The RecipientFilter parameter is available in the following cmdlets:
New-AddressList and Set-AddressList
New-DynamicDistributionGroup and Set-DynamicDistributionGroup
New-EmailAddressPolicy and Set-EmailAddressPolicy
New-GlobalAddressList and Set-GlobalAddressList
Properties that are present, but correspond to features that are no longer used in Exchange.
You can't use properties from other Active Directory schema extensions with the RecipientFilter parameter.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for
these properties, which indicates that the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or
$null ), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { },
but only if the filter doesn't contain variables. For more information, see Additional OPATH syntax information.
You typically use the object's name for properties that require a valid object value (for example, a mailbox, a distribution group, or
an email address policy, but the property might also accept the object's distinguished name (DN ) or globally unique identifier
(GUID ). To find the object's DN or GUID, use the Get- cmdlet that corresponds to the object's type (for example,
Get-EmailAddressPolicy | Format-List Name,DistinguishedName,GUID ).
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
The Value column in the table describes the acceptable values for the filter, not necessarily for the property itself. For example, a
property might obviously contain a date or numeric value, but when you use that property in a filter, it might be treated like a text
string (no value check, and wildcards are supported).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
AuditLogAgeLimit msExchMailboxAuditLogAgeLimit Dynamic distribution groups: String The value of this property is a time
(wildcards accepted). span: dd.hh:mm:ss where dd =
Others: Blank or non-blank. days, hh = hours, mm = minutes,
and ss = seconds.
Database homeMDB String (wildcards accepted). The identity of the user's mailbox
database.
ExternalEmailAddress targetAddress String (wildcards accepted). This property contains the external
email address for mail contacts and
mail users.
HiddenFromAddressListsEnabled msExchHideFromAddressLists Boolean ( $true or $false ) This property specifies whether the
recipient is visible in the global
address list or other address lists.
IsMailboxEnabled n/a Boolean ( $true or $false ) This property specifies whether the
user is mailbox-enabled.
ManagedBy managedBy String (wildcards accepted in This property identifies the security
dynamic distribution groups). principal that's the manager of the
group.
PROPERTY NAME LDAP DISPLAY NAME VALUE COMMENTS
Name name String (wildcards accepted). The unique name value of the
recipient.
ObjectCategory objectCategory Dynamic distribution groups: String Valid values use the format
(wildcards accepted). CN=
Others: Valid Active Directory <Type>,CN=Schema,CN=Configuration,DC=
<domain>
ObjectCategory values.
, where <Type> is typically
Person or Group for recipients.
For example,
CN=Person,CN=Schema,CN=Configuration,DC=contoso
.
ObjectClass objectClass Dynamic distribution groups: String Common values for recipients are:
(wildcards accepted). contact ,
Others: Valid Active Directory organizationalPerson , person ,
ObjectCategory values. top , group ,
msExchDynamicDistributionList ,
and user .
OfflineAddressBook msExchUseOAB String (wildcards accepted in This property contains the offline
dynamic distribution groups). address book (OAB) that's
associated with this recipient.
UserPrincipalName userPrincipalName String (wildcards accepted). This property contains the user
principal name (UPN) for this
recipient (for example,
kim@contoso.com ).
VoiceMailSettings msExchUCVoiceMailSettings String (wildcards accepted). Valid values for this property are:
ExchangeHostedVoiceMail=0 ,
ExchangeHostedVoiceMail=1 ,
CsHostedVoiceMail=0 , or
CsHostedVoiceMail=1 .
The Exchange Online PowerShell V2 module (abbreviated as the EXO V2 module) enables admins to connect to
their Exchange Online environment in Office 365 to retrieve data, create new objects, update existing objects,
remove objects as well as configure Exchange Online & its features.
Connect-ExchangeOnline Connect-EXOPSSession
or
New-PSSession
Get-EXOMailbox Get-Mailbox
Get-EXORecipient Get-Recipient
Get-EXOCASMailbox Get-CASMailbox
Get-EXOMailboxPermission Get-MailboxPermission
Get-EXORecipientPermission Get-RecipientPermission
Get-EXOMailboxStatistics Get-MailboxStatistics
Get-EXOMailboxFolderStatistics Get-MailboxFolderStatistics
Get-EXOMailboxFolderPermission Get-MailboxFolderPermission
Get-EXOMobileDeviceStatistics Get-MobileDeviceStatistics
2. Windows PowerShell needs to be configured to run scripts, and by default, it isn't. To require all PowerShell
scripts that you download from the internet are signed by a trusted publisher, run the following command in
an elevated Windows PowerShell window:
Set-ExecutionPolicy RemoteSigned
Notes:
You need to configure this setting only once on your computer.
If you don't do this step, you'll receive the following error when you try to connect:
Files cannot be loaded because running scripts is disabled on this system. Provide a valid
certificate with which to sign the files.
3. From an elevated Windows PowerShell session and run the following command:
2. Run the following command to update the EXO V2 module to latest version that's available in the
PowerShell Gallery:
Remove-Module ExchangeOnlineManagement
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.
1. On your local computer, open a Windows PowerShell window and run the following command:
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type your work or school account and
password, and then click OK.
Note:
Get-Credential doesn't work for MFA enabled accounts. For using MFA enabled-accounts, remove the
Credential parameter from below command instruction.
2. Run the following command:
Properties: This parameter accepts one or more property names separated by commas.
This example returns the specified properties:
Note: Cmdlets that only return a small number of output properties don't have the PropertySet or
Properties parameters.
You can use PropertySets and Properties in the same command. For example:
We've also included a Minimum property set (or minset) in the available property sets that includes a bare
minimum set of properties for the cmdlet output.
If you don't use the PropertySets or Properties parameters, you automatically get the properties that are
included in the Minimum property set.
If you use the PropertySets or Properties parameters, you you only get the specified properties.
Either way, the cmdlet output will contain far fewer properties, and the time it takes to return those results will be
much faster.
This example returns the properties in the Minimum property set for the first ten mailboxes.
Get-EXOMailbox -ResultSize 10
In contrast, the same Get-Mailbox cmdlet would return at least 230 properties for the same ten mailboxes.
For details about the property sets that are available in EXO V2 module cmdlets, see Property sets in Exchange
Online PowerShell V2 cmdlets or the individual EXO V2 module cmdlet reference topics.
EXO cmdlets also provide a way to retreive all properties for an object by using the ProperySets parameter with
the value All .
The following example returns all properties for the 10 mailboxes:
NOTE
We highly discourage using the PropertySets parameter with the value All because it slows down the cmdlet and reduces
reliability. Always use the PropertySets and Properties parameters to retreive only the requires properties.
Property sets in Exchange Online PowerShell V2
cmdlets
11/7/2019 • 2 minutes to read • Edit Online
This topic describes the property sets that are available in the new cmdlets in the Exchange Online PowerShell V2
module. For more information about property sets, see Properties and property sets.
PropertySet Properties
Minimum ActiveSyncEnabled
DisplayName
ECPEnabled
EmailAddresses
EwsEnabled
ExchangeVersion
Guid
Identity
ImapEnabled
MAPIEnabled
Name
OWAEnabled
OrganizationId
PopEnabled
PrimarySmtpAddress
ServerLegacyDN
ActiveSync ActiveSyncAllowedDeviceIDs
ActiveSyncBlockedDeviceIDs
ActiveSyncEnabled
ActiveSyncMailboxPolicy
ActiveSyncMailboxPolicyIsDefaulted
ActiveSyncSuppressReadReceipt
ExternalDirectoryObjectId
Guid
HasActiveSyncDevicePartnership
Identity
Name
OrganizationId
Ews EwsAllowMacOutlook
EwsAllowOutlook
EwsEnabled
ExternalDirectoryObjectId
Guid
Identity
Name
OrganizationId
Imap ExternalDirectoryObjectId
Guid
Identity
ImapEnableExactRFC822Size
ImapEnabled
ImapForceICalForCalendarRetrievalOption
ImapMessagesRetrievalMimeFormat
ImapSuppressReadReceipt
ImapUseProtocolDefaults
Name
OrganizationId
Mapi ExternalDirectoryObjectId
Guid
Identity
MAPIBlockOutlookExternalConnectivity
MAPIBlockOutlookNonCachedMode
MAPIBlockOutlookRpcHttp
MAPIBlockOutlookVersions
MAPIEnabled
MapiHttpEnabled
Name
OrganizationId
Pop ExternalDirectoryObjectId
Guid
Identity
Name
OrganizationId
PopEnableExactRFC822Size
PopEnabled
PopMessagesRetrievalMimeFormat
PopSuppressReadReceipt
PopUseProtocolDefaults
ProtocolSettings ExternalDirectoryObjectId
ExternalImapSettings
ExternalPopSettings
ExternalSmtpSettings
Guid
Identity
InternalImapSettings
InternalPopSettings
InternalSmtpSettings
Name
OrganizationId
PropertySet Properties
Minimum Alias
DisplayName
DistinguishedName
EmailAddresses
ExchangeVersion
ExternalDirectoryObjectId
Guid
Id
Name
OrganizationId
PrimarySmtpAddress
RecipientType
RecipientTypeDetails
UserPrincipalName
AddressList AddressBookPolicy
AddressListMembership
ExternalDirectoryObjectId
GeneratedOfflineAddressBooks
HiddenFromAddressListsEnabled
OfflineAddressBook
Archive ArchiveDatabase
ArchiveDomain
ArchiveGuid
ArchiveName
ArchiveQuota
ArchiveRelease
ArchiveState
ArchiveStatus
ArchiveWarningQuota
AutoExpandingArchiveEnabled
DisabledArchiveDatabase
DisabledArchiveGuid
ExternalDirectoryObjectId
JournalArchiveAddress
Audit AuditAdmin
AuditDelegate
AuditEnabled
AuditLogAgeLimit
AuditOwner
DefaultAuditSet
ExternalDirectoryObjectId
Custom CustomAttribute1
CustomAttribute2
CustomAttribute3
CustomAttribute4
CustomAttribute5
CustomAttribute6
CustomAttribute7
CustomAttribute8
CustomAttribute9
CustomAttribute10
CustomAttribute11
CustomAttribute12
CustomAttribute13
CustomAttribute14
CustomAttribute15
ExtensionCustomAttribute1
ExtensionCustomAttribute2
ExtensionCustomAttribute3
ExtensionCustomAttribute4
ExtensionCustomAttribute5
ExternalDirectoryObjectId
Delivery AcceptMessagesOnlyFrom
AcceptMessagesOnlyFromDLMembers
AcceptMessagesOnlyFromSendersOrMembers
DeliverToMailboxAndForward
DowngradeHighPriorityMessagesEnabled
ExternalDirectoryObjectId
ForwardingAddress
ForwardingSmtpAddress
GrantSendOnBehalfTo
MaxBlockedSenders
MaxReceiveSize
MaxSafeSenders
MaxSendSize
MessageCopyForSendOnBehalfEnabled
MessageCopyForSentAsEnabled
MessageRecallProcessingEnabled
MessageTrackingReadStatusEnabled
RecipientLimits
RejectMessagesFrom
RejectMessagesFromDLMembers
RejectMessagesFromSendersOrMembers
RulesQuota
Hold ComplianceTagHoldApplied
DelayHoldApplied
ExternalDirectoryObjectId
InPlaceHolds
InactiveMailboxRetireTime
LitigationHoldDate
LitigationHoldDuration
LitigationHoldEnabled
LitigationHoldOwner
Moderation BypassModerationFromSendersOrMembers
ExternalDirectoryObjectId
ModeratedBy
ModerationEnabled
SendModerationNotifications
Move ExternalDirectoryObjectId
MailboxMoveBatchName
MailboxMoveFlags
MailboxMoveRemoteHostName
MailboxMoveSourceMDB
MailboxMoveStatus
MailboxMoveTargetMDB
Policy AddressBookPolicy
DataEncryptionPolicy
EmailAddressPolicyEnabled
ExternalDirectoryObjectId
ManagedFolderMailboxPolicy
PoliciesExcluded
PoliciesIncluded
RemoteAccountPolicy
RetentionPolicy
RetentionUrl
RoleAssignmentPolicy
SharingPolicy
ThrottlingPolicy
PublicFolder DefaultPublicFolderMailbox
EffectivePublicFolderMailbox
ExternalDirectoryObjectId
IsExcludedFromServingHierarchy
IsHierarchyReady
IsHierarchySyncEnabled
IsRootPublicFolderMailbox
Quota ArchiveQuota
ArchiveWarningQuota
CalendarLoggingQuota
ExternalDirectoryObjectId
IssueWarningQuota
ProhibitSendQuota
ProhibitSendReceiveQuota
RecoverableItemsQuota
RecoverableItemsWarningQuota
RulesQuota
UseDatabaseQuotaDefaults
Resource ExternalDirectoryObjectId
IsResource
ResourceCapacity
ResourceCustom
ResourceType
RoomMailboxAccountEnabled
Retention EndDateForRetentionHold
ExternalDirectoryObjectId
OrphanSoftDeleteTrackingTime
RetainDeletedItemsFor
RetainDeletedItemsUntilBackup
RetentionComment
RetentionHoldEnabled
RetentionPolicy
RetentionUrl
SingleItemRecoveryEnabled
StartDateForRetentionHold
UseDatabaseRetentionDefaults
SCL AntispamBypassEnabled
ExternalDirectoryObjectId
SCLDeleteEnabled
SCLDeleteThreshold
SCLJunkEnabled
SCLJunkThreshold
SCLQuarantineEnabled
SCLQuarantineThreshold
SCLRejectEnabled
SCLRejectThreshold
SoftDelete ExternalDirectoryObjectId
IncludeInGarbageCollection
IsInactiveMailbox
IsSoftDeletedByDisable
IsSoftDeletedByRemove
WhenSoftDeleted
StatisticsSeed ArchiveDatabaseGuid
DatabaseGuid
ExchangeGuid
ExternalDirectoryObjectId
Minimum ExchangeVersion
ExternalDirectoryObjectID
Name
OrganizationId
RecipientType
RecipientTypeDetails
Archive ArchiveDatabase
ArchiveGuid
ArchiveRelease
ArchiveState
ArchiveStatus
Custom CustomAttribute1
CustomAttribute2
CustomAttribute3
CustomAttribute4
CustomAttribute5
CustomAttribute6
CustomAttribute7
CustomAttribute8
CustomAttribute9
CustomAttribute10
CustomAttribute11
CustomAttribute12
CustomAttribute13
CustomAttribute14
CustomAttribute15
ExtensionCustomAttribute1
ExtensionCustomAttribute2
ExtensionCustomAttribute3
ExtensionCustomAttribute4
ExtensionCustomAttribute5
MailboxMove MailboxMoveBatchName
MailboxMoveFlags
MailboxMoveRemoteHostName
MailboxMoveSourceMDB
MailboxMoveStatus
MailboxMoveTargetMDB
Policy ActiveSyncMailboxPolicy
ActiveSyncMailboxPolicyIsDefaulted
AddressBookPolicy
EmailAddressPolicyEnabled
ManagedFolderMailboxPolicy
OwaMailboxPolicy
PoliciesExcluded
PoliciesIncluded
RetentionPolicy
SharingPolicy
ShouldUseDefaultRetentionPolicy
UMMailboxPolicy
PropertySet Properties
Minimum DeletedItemCount
DisplayName
ItemCount
MailboxGuid
TotalDeletedItemSize
TotalItemSize
All AssociatedItemCount
AttachmentTableAvailableSize
AttachmentTableTotalSize
DatabaseIssueWarningQuota
DatabaseName
DatabaseProhibitSendQuota
DatabaseProhibitSendReceiveQuota
DeletedItemCount
DisconnectDate
DisconnectReason
DisplayName
DumpsterMessagesPerFolderCountReceiveQuota
DumpsterMessagesPerFolderCountWarningQuota
ExternalDirectoryOrganizationId
FastIsEnabled
FolderHierarchyChildrenCountReceiveQuota
FolderHierarchyChildrenCountWarningQuota
FolderHierarchyDepthReceiveQuota
FolderHierarchyDepthWarningQuota
FoldersCountReceiveQuota
FoldersCountWarningQuota
IsAbandonedMoveDestination
IsArchiveMailbox
IsDatabaseCopyActive
IsHighDensityShard
IsMoveDestination
IsQuarantined
ItemCount
LastLoggedOnUserAccount
LastLogoffTime
LastLogonTime
LegacyDN
MailboxGuid
MailboxMessagesPerFolderCountReceiveQuota
MailboxMessagesPerFolderCountWarningQuota
MailboxType
MailboxTypeDetail
MessageTableAvailableSize
MessageTableTotalSize
NamedPropertiesCountQuota
NeedsToMove
OtherTablesAvailableSize
OtherTablesTotalSize
OwnerADGuid
QuarantineClients
QuarantineDescription
QuarantineEnd
QuarantineFileVersion
QuarantineLastCrash
ResourceUsageRollingAvgDatabaseReads
ResourceUsageRollingAvgRop
ResourceUsageRollingClientTypes
ServerName
StorageLimitStatus
SystemMessageCount
SystemMessageSize
SystemMessageSizeShutoffQuota
SystemMessageSizeWarningQuota
TotalDeletedItemSize
TotalItemSize
Security & Compliance Center PowerShell is the administrative interface that enables you to manage your Office
365 Security & Compliance Center settings from the command line. For example, you can use Security &
Compliance Center PowerShell to perform Compliance Searches and configure access to the Security &
Compliance Center. The following topics provide information about using Security & Compliance Center
PowerShell:
To create a remote PowerShell session to the Security & Compliance Center, see Connect to Office 365
Security & Compliance Center PowerShell. Note that the connection instructions are different from
Exchange Online or Exchange Online Protection (the ConnectionUri value is different).
A cmdlet is a lightweight command that is imported into your local Windows PowerShell session. Note that
some cmdlets are available only in the Security & Compliance Center. Other cmdlets have the same names
and functionality as those in Exchange Online, but they are also available in the Security & Compliance
Center.
Connect to Office 365 Security & Compliance Center
PowerShell
9/23/2019 • 5 minutes to read • Edit Online
Office 365 Security & Compliance Center PowerShell allows you to manage your Office 365 Security &
Compliance Center settings from the command line. You use Windows PowerShell on your local computer to
create a remote PowerShell session to the Security & Compliance Center. It's a simple three-step process where
you enter your Office 365 credentials, provide the required connection settings, and then import the Security &
Compliance Center cmdlets into your local Windows PowerShell session so that you can use them.
NOTE
The procedures in this topic won't work if:
• Your account uses multi-factor authentication (MFA).
• Your organization uses federated authentication.
• A location condition in an Azure Active Directory conditional access policy restricts your access to trusted IPs.
In these scenarions, you need to download and use the Exchange Online Remote PowerShell Module to connect to Security
& Compliance Center PowerShell. For instructions, see Connect to Office 365 Security & Compliance Center PowerShell using
multi-factor authentication.
Some features in the Security & Compliance Center (for example, mailbox archiving) link to existing functionality in the
Exchange admin center (EAC). To use PowerShell with these features, you need to connect to Exchange Online PowerShell
instead of Security & Compliance Center PowerShell. For instructions, see Connect to Exchange Online PowerShell.
For more information about the Security & Compliance Center, see Office 365 Security & Compliance Center.
To require all PowerShell scripts that you download from the internet are signed by a trusted publisher, run
the following command in an elevated Windows PowerShell window (a Windows PowerShell window you
open by selecting Run as administrator):
Set-ExecutionPolicy RemoteSigned
You need to configure this setting only once on your computer, not every time you connect.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box that appears, type your work or school
account and password, and then click OK.
2. Run the following command:
Notes:
For Office 365 Germany, use the ConnectionUri value:
https://ps.compliance.protection.outlook.de/powershell-liveid/ .
For Office 365 Government Community Cloud High (GCC High), use the ConnectionUri value:
https://ps.compliance.protection.office365.us/powershell-liveid/ .
If you want to connect to Security & Compliance Center PowerShell in the same window as an active
Exchange Online PowerShell connection, you need to add the Prefix parameter and value (for
example, -Prefix "CC" ) to the end of this command to prevent cmdlet name collisions (both
environments share some cmdlets with the same names).
3. Run the following command:
NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window
without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to
wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:
Remove-PSSession $Session
To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address
for connections to the Security & Compliance Center PowerShell endpoint.
See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New -PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy
Connect to Office 365 Security & Compliance Center
PowerShell using multi-factor authentication
10/30/2019 • 5 minutes to read • Edit Online
If your account uses multi-factor authentication (MFA) or federated authentication, you can't use the instructions at
Connect to Office 365 Security & Compliance Center PowerShell to use remote PowerShell to connect to the
Office 365 Security & Compliance Center. Instead, you need to install the Exchange Online Remote PowerShell
Module, and use the Connect-IPPSSession cmdlet to connect to Security & Compliance Center PowerShell.
NOTE
• Delegated Access Permission (DAP) partners can't use the procedures in this topic to connect to their customer tenant
organizations in Security & Compliance Center PowerShell. MFA and the Exchange Online Remote PowerShell Module don't
work with delegated authentication.
• The Exchange Online Remote PowerShell Module is not supported in PowerShell Core (macOS, Linux, or Windows Nano
Server). As a workaround, you can install the module on a computer that's running a supported version of Windows (physical
or virtual), and use remote desktop software to connect.
Windows Remote Management (WinRM ) on your computer needs to allow basic authentication (it's
enabled by default). To verify that basic authentication is enabled, run this command in a Command
Prompt:
If you don't see the value Basic = true , you need to run this command from an elevated Command
Prompt (a Command Prompt window you open by selecting Run as administrator) to enable basic
authentication for WinRM:
If basic authentication is disabled, you'll get this error when you try to connect:
The WinRM client cannot process the request. Basic authentication is currently disabled in the client
configuration. Change the client configuration and try the request again.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
AZUREADAUTHORIZATIONENDPOINTU
OFFICE 365 OFFERING CONNECTIONURI PARAMETER VALUE RI PARAMETER VALUE
This example connects to the Security & Compliance Center in Office 365 using the account
chris@contoso.com.
This example connects to the Security & Compliance Center in Office 365 Germany using the account
lukas@fabrikam.com.
3. In the sign-in window that opens, enter your password, and then click Sign in.
For MFA, a verification code is generated and delivered based on the verification response option that's
configured for your account (for example, a text message or the Azure Authenticator app on your mobile
phone).
4. (MFA only): In the verification window that opens, enter the verification code, and then click Sign in.
5. (Optional): If you want to connect to an Exchange Online PowerShell module session in the same window,
you need to run
and then import the Exchange Online session into the current one using an specific prefix
To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address
for connections to the Security & Compliance PowerShell endpoint.
Exchange Online Protection PowerShell
10/30/2019 • 2 minutes to read • Edit Online
Exchange Online Protection PowerShell is the administrative interface that enables you to manage your Exchange
Online Protection (EOP ) organization from the command line. For example, you can use Exchange Online
Protection PowerShell to configure mail flow rules (also known as transport rules) and connectors.
NOTE
Exchange Online Protection PowerShell is only used in standalone EOP organizations (for example, you have a standalone
EOP subscription to protect your on-premises email environment). If you have an Office 365 subscription that includes EOP
(E3, E5, etc.), you don't use Exchange Online Protection PowerShell; the same features are available in Exchange Online
PowerShell.
The following topics provide information about using Exchange Online Protection PowerShell:
To create a remote PowerShell session to your standalone Exchange Online Protection organization, see
Connect to Exchange Online Protection PowerShell.
For a sample script that lets admins who manage multiple tenants (companies) apply configuration settings
to their tenants, see Sample script for applying EOP settings to multiple tenants.
The following introductory video shows you how to connect to and use Exchange Online Protection
PowerShell.
Note: This video applies to Exchange Online and standalone EOP organizations. When you connect to your
organization, be sure to specify the correct URL (ConnectionUri value). The required URL is different for
Exchange Online and standalone EOP organizations.
Use Remote PowerShell in EOP
Connect to Exchange Online Protection PowerShell
10/16/2019 • 4 minutes to read • Edit Online
Exchange Online Protection PowerShell allows you to manage your Exchange Online Protection organization
from the command line. You use Windows PowerShell on your local computer to create a remote PowerShell
session to Exchange Online Protection. It's a simple three-step process where you enter your Office 365
credentials, provide the required connection settings, and then import the Exchange Online Protection cmdlets
into your local Windows PowerShell session so that you can use them.
To require all scripts that you download from the internet are signed by a trusted publisher, run the
following command in an elevated Windows PowerShell window (a Windows PowerShell window
you open by selecting Run as administrator):
Set-ExecutionPolicy RemoteSigned
You need to configure this setting only once on your computer, not every time you connect.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.
$UserCredential = Get-Credential
In the Windows PowerShell Credential Request dialog box, type your work or school account and
password, and then click OK.
2. Run the following command:
Notes:
For Office 365 Germany, use the ConnectionUri value:
https://ps.protection.outlook.de/powershell-liveid/
For Exchange Online Protection subscriptions that are Exchange Enterprise CAL with Services
(includes data loss prevention (DLP ) and reporting using web services), use the ConnectionUri value:
https://outlook.office365.com/powershell-liveid/
NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell
window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and
you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following
command:
Remove-PSSession $Session
The New-PSSession command (Step 2) might fail to connect if your client IP address changes during the
connection request. This can happen if your organization uses a source network address translation (SNAT)
pool that contains multiple IP addresses. The connection error looks like this:
The request for the Windows Remote Shell with ShellId <ID> failed because the shell was not found on the
server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the
server. Provide the correct ShellId or create a new shell and retry the operation.
To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address
for connections to the Exchange Online Protection PowerShell endpoint.
See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New -PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy