
Contents

Home
Exchange Server PowerShell
Open the Exchange Management Shell
Connect to Exchange servers using remote PowerShell
Control remote PowerShell access to Exchange servers
Find the permissions required to run any Exchange cmdlet
Exchange cmdlet syntax
Use Update-ExchangeHelp to update Exchange PowerShell help topics on Exchange servers
Recipient filters in Exchange PowerShell commands
Filterable properties for the Filter parameter
Filterable properties for the RecipientFilter parameter
Exchange Online PowerShell
Connect to Exchange Online PowerShell
Connect to Exchange Online PowerShell using multi-factor authentication
Find the permissions required to run any Exchange cmdlet
Enable or disable access to Exchange Online PowerShell
Recipient filters in Exchange Management Shell commands
Filterable properties for the Filter parameter
Filterable properties for the RecipientFilter parameter
Exchange Online PowerShell V2
Property sets in cmdlets
Office 365 Security & Compliance Center PowerShell
Connect to Office 365 Security & Compliance Center PowerShell
Connect to Office 365 Security & Compliance Center PowerShell using multi-factor authentication
Exchange Online Protection PowerShell
Connect to Exchange Online Protection PowerShell
Exchange PowerShell enables you to manage your Exchange Server and Office 365 organizations from the command line. For
more information, select your environment:

Exchange Server PowerShell

Exchange Online PowerShell

Office 365 Security & Compliance Center PowerShell

Exchange Online Protection PowerShell


Exchange Server PowerShell (Exchange Management Shell)
10/30/2019 • 4 minutes to read

The Exchange Management Shell is built on Windows PowerShell technology and provides a powerful command-
line interface that enables the automation of Exchange administration tasks. You can use the Exchange
Management Shell to manage every aspect of Exchange. For example, you can create email accounts, create Send
connectors and Receive connectors, configure mailbox database properties, and manage distribution groups. You
can use the Exchange Management Shell to perform every task that's available in the Exchange graphical
management tools, plus things that you can't do there (for example, bulk operations). In fact, when you do
something in the Exchange admin center (EAC), the Exchange Control Panel (ECP), or the Exchange Management
Console (EMC), it's the Exchange Management Shell that does the work behind the scenes.
The Exchange Management Shell also provides a robust and flexible scripting platform. Visual Basic scripts that
required many lines of code can be replaced by Exchange Management Shell commands that use as little as one
line of code. The Exchange Management Shell provides this flexibility because it uses an object model that's based
on the Microsoft .NET Framework. This object model enables Exchange cmdlets to apply the output from one
command to subsequent commands.
To start using the Exchange Management Shell immediately, see the Exchange Management Shell documentation
section later in this topic.

How the Exchange Management Shell works on all Exchange server roles except Edge Transport

Whether you use the Exchange Management Shell on a local Exchange server or on an Exchange server that's
located across the country, remote PowerShell does the work.
When you click the Exchange Management Shell shortcut on an Exchange server, the local instance of Windows
PowerShell performs the following steps:
1. Connect to the closest Exchange server (most often, the local Exchange server) using a required Windows
PowerShell component called Windows Remote Management (WinRM).
2. Perform authentication checks.
3. Create a remote PowerShell session for you to use.
You only get access to the Exchange cmdlets and parameters that are associated with the Exchange management
role groups and management roles you're assigned. For more information about how Exchange uses role groups
and roles to manage who can do what tasks, see Exchange Server permissions.
A benefit of remote PowerShell is that you can use Windows PowerShell on a local computer to connect to a
remote Exchange server, and import the Exchange cmdlets in the Windows PowerShell session so you can
administer Exchange. The only requirements for the computer are:
A supported operating system for Exchange Server.
A supported version of the .NET Framework.
A supported version of the Windows Management Framework (WMF), which includes WinRM and
Windows PowerShell.
For details, see the following topics:
Exchange 2019 system requirements
Exchange 2016 system requirements
Exchange 2013 system requirements
Exchange 2010 system requirements
However, we recommend that you install the Exchange management tools (which includes the Exchange
Management Shell) on any computer that you use to extensively manage Exchange Server. Without the Exchange
management tools installed, you need to connect to the remote Exchange server manually, and you don't have
access to the additional capabilities that the Exchange management tools provide.
For more information about connecting to Exchange servers without the Exchange management tools installed,
see Connect to Exchange servers using remote PowerShell.

How Exchange Management Shell works on Edge Transport servers


On Edge Transport servers, the Exchange Management Shell works differently. You typically deploy Edge Transport
servers in your perimeter network, either as stand-alone servers or as members of a perimeter Active Directory
domain.
When you click the Exchange Management Shell shortcut on an Exchange Edge Transport server, the local instance
of Windows PowerShell creates a local PowerShell session for you to use.
Edge Transport servers don't use management roles or management role groups to control permissions. The local
Administrators group controls who can configure the Exchange features on the local server.
For more information about Edge Transport servers, see Edge Transport Servers.

Exchange Management Shell documentation


The following table provides links to topics that can help you learn about and use the Exchange Management Shell.

TOPIC: DESCRIPTION

Open the Exchange Management Shell: Find and open the Exchange Management Shell on an Exchange server or a computer that has the Exchange management tools installed.

Connect to Exchange servers using remote PowerShell: Use Windows PowerShell on a local computer to connect to an Exchange server.

Control remote PowerShell access to Exchange servers: Learn how to block or allow users' remote PowerShell access to Exchange servers.

Find the permissions required to run any Exchange cmdlet: Find the permissions you need to run a specific cmdlet, or one or more parameters on the cmdlet.

Exchange cmdlet syntax: Learn about the structure and syntax of cmdlets in Exchange PowerShell.

Recipient filters in Exchange Management Shell commands: Learn about recipient filters in the Exchange Management Shell.

Use Update-ExchangeHelp to update Exchange PowerShell help topics on Exchange servers: Learn how to use Update-ExchangeHelp to update help for Exchange cmdlet reference topics on Exchange servers.

Open the Exchange Management Shell
10/30/2019 • 3 minutes to read

When you open the Exchange Management Shell you can perform administrative tasks on Exchange Server from
the command line. You can open the Exchange Management Shell from the following locations:
On the Exchange server directly or in a Remote Desktop Connection session.
On a local computer after you install the Exchange management tools. For more information, see Install the
Exchange management tools.

What do you need to know before you begin?


Estimated time to complete this procedure: less than 1 minute.
The user must be assigned at least one management role. For detailed steps, see Exchange Server
permissions.
If you want to run the Exchange Management Shell from a local installation of the Exchange management
tools, you need to consider remote PowerShell access for your user account. By default, users are allowed
to use remote PowerShell to connect to an Exchange server. However, you can block remote PowerShell
access for a user account. For more information, see Control remote PowerShell access to Exchange
servers.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.

Open the Exchange Management Shell in Windows Server 2016 or Windows 10

Click Start > Microsoft Exchange Server 2016 > Exchange Management Shell.

Open the Exchange Management Shell in Windows Server 2012 R2 or Windows 8.1

When you install Exchange on Windows Server 2012 R2 or the Exchange management tools on Windows 8.1, the
Exchange Management Shell shortcut isn't automatically pinned to the Start screen.
To pin the shortcut to the Start screen, do the following:
1. On the Start screen, open the Apps view by clicking the down arrow near the lower-left corner or swiping
up from the middle of the screen.
2. The Exchange Management Shell shortcut is in a group named Microsoft Exchange Server 2016.
When you find the shortcut, right-click it or press and hold it, and select Pin to Start. To pin it to the
desktop taskbar, select Pin to taskbar.
To use the Search charm to find and run the Exchange Management Shell, use one of the methods described in
the next section.
Open the Exchange Management Shell in Windows Server 2012
When you install Exchange on Windows Server 2012, the Exchange Management Shell shortcut should
automatically be pinned to the Start screen.
If it's not, or if you just want to quickly find and run the Exchange Management Shell, use one of the following
methods:
On the Start screen, click an empty area, and type Exchange Management Shell. When the shortcut appears
in the search results, you can select it.
On the desktop or the Start screen, press Windows key + Q. In the Search charm, type Exchange
Management Shell. When the shortcut appears in the results, you can select it.
On the desktop or the Start screen, move your cursor to the upper-right corner, or swipe left from the right
edge of the screen to show the charms. Click the Search charm, and type Exchange Management Shell.
When the shortcut appears in the results, you can select it.
If you are using Remote Desktop Connection, you might need to use one of the following methods so the Search
charm appears on the remote Exchange server and not on your local computer:
Open Remote Desktop Connection and click Show Options > Local Resources tab > Apply Windows
key combinations. The default value is Only when using the full screen, but you can change it to On
the remote computer.
While you're connected to the remote Exchange server, use the connection bar that appears at the top of the
screen to open the Exchange server's Search charm or Start screen by clicking the down arrow and
selecting Charms or Start.
Connect to Exchange servers using remote PowerShell
10/30/2019 • 3 minutes to read

If you don't have the Exchange management tools installed on your local computer, you can use Windows
PowerShell to create a remote PowerShell session to an Exchange server. It's a simple three-step process, where
you enter your credentials, provide the required connection settings, and then import the Exchange cmdlets into
your local Windows PowerShell session so that you can use them.

NOTE
We recommend that you use the Exchange Management Shell on any computer that you use to extensively administer
Exchange servers. You'll get the Exchange Management Shell by installing the Exchange management tools. For more
information, see Install the Exchange Server Management Tools and Open the Exchange Management Shell. For more
information about the Exchange Management Shell, see Exchange Server PowerShell (Exchange Management Shell).

What do you need to know before you begin?


Estimated time to complete: less than 5 minutes
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and
then an updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For
more information, see Installing the .NET Framework, Windows Management Framework 3.0,
Windows Management Framework 4.0, and Windows Management Framework 5.1.
Windows PowerShell needs to be configured to run scripts, and by default, it isn't. You'll get the following
error when you try to connect:
Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate
with which to sign the files.

To require that all scripts you download from the internet are signed by a trusted publisher, run the
following command in an elevated Windows PowerShell window (a Windows PowerShell window you
open by selecting Run as administrator):

Set-ExecutionPolicy RemoteSigned
You need to configure this setting only once on your computer, not every time you connect.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.

Connect to a remote Exchange server


1. On your local computer, open Windows PowerShell, and run the following command:

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box that opens, enter your user principal name
(UPN) (for example, chris@contoso.com) and password, and then click OK.
2. Replace <ServerFQDN> with the fully qualified domain name of your Exchange server (for example,
mailbox01.contoso.com) and run the following command:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<ServerFQDN>/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Note: The ConnectionUri value is http, not https.


3. Run the following command:

Import-PSSession $Session -DisableNameChecking

NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window
without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to
wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:

Remove-PSSession $Session
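
The three connection steps and the disconnect from the note above, combined so the session is removed even when a command fails. This is an added example, not part of the original topic; the server name is the sample FQDN used on this page and the Get-Mailbox call stands in for your own work.

```powershell
# Added example: connect, work, and always disconnect.
$ServerFqdn = 'mailbox01.contoso.com'   # sample FQDN from this page; replace with your server

# Import-PSSession loads a generated script module, so it fails under the
# Restricted execution policy (the error quoted earlier in this topic).
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    throw 'Execution policy is Restricted. Run "Set-ExecutionPolicy RemoteSigned" in an elevated window first.'
}

$UserCredential = Get-Credential        # Step 1
$Session = $null
try {
    # Step 2: -ErrorAction Stop turns a failed connection into an exception,
    # so Step 3 never runs against a missing session.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri "http://$ServerFqdn/PowerShell/" `
        -Authentication Kerberos -Credential $UserCredential -ErrorAction Stop

    # Step 3: import the Exchange cmdlets into this session.
    Import-PSSession $Session -DisableNameChecking -ErrorAction Stop | Out-Null

    # Your work goes here. Quick test that the cmdlets are available:
    Get-Mailbox -ResultSize 5 | Format-Table -Auto Name,PrimarySmtpAddress
}
finally {
    # Runs on success, on error, and when the script is interrupted with Ctrl+C,
    # so the session does not count against your limit until it expires.
    if ($Session) { Remove-PSSession $Session }
}

# Exchange sessions still held by this PowerShell process (for example, from
# earlier interactive work in the same window). Remove any you no longer need.
Get-PSSession |
    Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
    Format-Table -Auto Id,ComputerName,State,Availability
```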

How do you know this worked?


After Step 3, the Exchange cmdlets are imported into your local Windows PowerShell session and tracked by a
progress bar. If you don't receive any errors, you connected successfully. A quick test is to run an Exchange cmdlet
(for example, Get-Mailbox) and review the results.
If you receive errors, check the following requirements:
A common problem is an incorrect password. Run the three steps again, and pay close attention to the user
name and password you enter in Step 1.
The account you use to connect to the Exchange server needs to be enabled for remote PowerShell access.
For more information, see Control remote PowerShell access to Exchange servers.
TCP port 80 traffic needs to be open between your local computer and the Exchange server. It's probably
open, but it's something to consider if your organization has a restrictive network access policy.
See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New-PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy
Control remote PowerShell access to Exchange servers
10/30/2019 • 3 minutes to read

Remote PowerShell in Microsoft Exchange allows you to manage your Exchange organization from a remote
computer that's on your internal network or from the Internet. You can disable or enable a user's ability to connect
to an Exchange server using remote PowerShell. For more information about remote PowerShell, see Exchange
Server PowerShell (Exchange Management Shell).
For additional management tasks related to remote PowerShell, see Connect to Exchange servers using remote
PowerShell.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management
Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.
By default, all user accounts have access to remote PowerShell. However, to actually use remote
PowerShell to connect to an Exchange server, the user needs to be a member of a management role group,
or be directly assigned a management role that enables the user to run Exchange cmdlets. For more
information about role groups and management roles, see Exchange Server permissions.
For detailed information about OPath filter syntax in Exchange, see Additional OPATH syntax information.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Remote PowerShell" entry in the Exchange infrastructure and PowerShell
permissions topic.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server.

Use the Exchange Management Shell to enable or disable remote PowerShell access for a user

This example disables remote PowerShell access for the user named Therese Lindqvist.

Set-User "Therese Lindqvist" -RemotePowerShellEnabled $false

This example enables remote PowerShell access for the user named Sirirat Kitjakarn.

Set-User "Sirirat Kitjakarn" -RemotePowerShellEnabled $true

Use the Exchange Management Shell to disable remote PowerShell access for many users

To prevent remote PowerShell access for a specific group of existing users, you have the following options:
Filter users based on an existing attribute: This method assumes that the target user accounts all share
a unique filterable attribute. Some attributes, such as Title, Department, address information, and telephone
number, are visible only when you use the Get-User cmdlet. Other attributes, such as CustomAttribute1-
15, are visible only when you use the Get-Mailbox cmdlet.
Use a list of specific users: After you generate the list of specific users, you can use that list to disable
their access to remote PowerShell.
Filter users based on an existing attribute
To disable access to remote PowerShell for any number of users based on an existing attribute, use the following
syntax:

$<VariableName> = <Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter>

$<VariableName> | foreach {Set-User -Identity $_.DistinguishedName -RemotePowerShellEnabled $false}

This example removes access to remote PowerShell for all users whose Title attribute contains the value "Sales
Associate".

$DSA = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')"

$DSA | foreach {Set-User -Identity $_.DistinguishedName -RemotePowerShellEnabled $false}

Use a list of specific users


To disable access to remote PowerShell for a list of specific users, use the following syntax:

$<VariableName> = Get-Content <text file>

$<VariableName> | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their user principal
name (UPN). The text file must contain one UPN on each line like this:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following commands:

$NPS = Get-Content "C:\My Documents\NoPowerShell.txt"

$NPS | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

View the remote PowerShell access for users


To view the remote PowerShell access status for a specific user, use the following syntax:

Get-User -Identity <UserIdentity> | Format-List RemotePowerShellEnabled

This example displays the remote PowerShell access status of the user named Sarah Jones.

Get-User -Identity "Sarah Jones" | Format-List RemotePowerShellEnabled

To display the remote PowerShell access status for all users, run the following command:

Get-User -ResultSize unlimited | Format-Table -Auto Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access to remote PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $false'

To display only those users who have access to remote PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
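
Because every account has remote PowerShell access by default, a least-privilege review looks for users who still have it enabled but hold no administrative role. The following added example (not part of the original topic) combines the Get-User filter above with Get-ManagementRoleAssignment; the function name Get-UnneededRemotePowerShellUser is hypothetical, and treating role names that begin with "My" as end-user roles follows the rule stated later in this document.

```powershell
# Added example. Run in the Exchange Management Shell.
function Get-UnneededRemotePowerShellUser {
    # Returns users that have RemotePowerShellEnabled = $true but no
    # administrative role assignment (direct or through a group).
    Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
        ForEach-Object {
            $user = $_
            $adminRoles = @(
                Get-ManagementRoleAssignment -RoleAssignee $user.DistinguishedName `
                    -Delegating $false -ErrorAction SilentlyContinue |
                    Where-Object {
                        # Ignore end-user roles handed out by a role assignment
                        # policy and roles whose name starts with "My".
                        $_.RoleAssigneeType -ne 'RoleAssignmentPolicy' -and
                        [string]$_.Role -notlike 'My*'
                    }
            )
            if ($adminRoles.Count -eq 0) { $user }
        }
}

$candidates = @(Get-UnneededRemotePowerShellUser)

# Review the list first: service and application accounts that connect
# through remote PowerShell need to keep their access.
$candidates | Format-Table -Auto Name,UserPrincipalName,RecipientTypeDetails

# Keep a record of what is about to change so it can be reverted.
$candidates | Select-Object Name,UserPrincipalName,DistinguishedName |
    Export-Csv -Path .\rps-disable-candidates.csv -NoTypeInformation

# Dry run. Remove -WhatIf only after the list has been reviewed.
$candidates | ForEach-Object {
    Set-User -Identity $_.DistinguishedName -RemotePowerShellEnabled $false -WhatIf
}
```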


Find the permissions required to run any Exchange cmdlet
10/30/2019 • 4 minutes to read

You can use PowerShell to find the permissions required to run any Exchange or Exchange Online cmdlet. This
procedure shows the role-based access control (RBAC) management roles and role groups that give you access to
a specified cmdlet—even if your organization has custom roles, custom role groups, or custom role assignments.

What do you need to know before you begin?


Estimated time to complete this procedure: less than 5 minutes.
You can only use PowerShell to perform this procedure.
Basically, you need to be an administrator to complete this procedure. Specifically, you need access to the
Get-ManagementRole and Get-ManagementRoleAssignment cmdlets. By default, access to these
cmdlets is granted by the View-Only Configuration or Role Management roles, which are assigned to the
View-Only Organization Management and Organization Management role groups.
The procedures in this topic don't work in the Office 365 Security & Compliance Center. For more
information about permissions in the Security & Compliance Center, see Permissions in Office 365
Compliance Center.
The procedures in this topic don't work in Exchange Online Protection (EOP). For more information about
permissions in EOP, see Feature permissions in EOP.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server or Exchange Online.

Use PowerShell to find the permissions required to run a cmdlet


1. Open the PowerShell environment where you want to run the cmdlet.
To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange
Online PowerShell.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization,
see Open the Exchange Management Shell.
2. Run the following command to identify the cmdlet and, optionally, one or more parameters on the cmdlet.
Be sure to replace <Cmdlet> and optionally, <Parameter1>,<Parameter2>,... with the actual cmdlet and
parameter names you are interested in. If you specify multiple parameters separated by commas, only the
roles that include all of the parameters are returned.

$Perms = Get-ManagementRole -Cmdlet <Cmdlet> [-CmdletParameters <Parameter1>,<Parameter2>,...]

3. Run the following command:


$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName}

Interpreting the results


The results contain the following information:
Role: Indicates the role that gives access to the cmdlet or the combination of cmdlet and parameters. Note
that role names that begin with "My" are user roles that allow regular users to operate on objects they own
(for example, their own mailbox or their distribution groups).
RoleAssigneeType and RoleAssigneeName: These values are inter-related. RoleAssigneeType is the
type of object that has the role assigned to it, and RoleAssigneeName is the name of the object.
RoleAssigneeType can be a role group, role assignment policy, security group, or user. Typically,
administrator roles are assigned to role groups.

Troubleshooting
What if there are no results?
Verify that you entered the cmdlet and parameter names correctly.
You might have entered too many parameters, and all of the parameters on the cmdlet aren't defined in a
single role. Try specifying only the cmdlet name in Step 2, and run Step 3 to verify that the cmdlet is available
in your environment. Then, add parameters one at a time to Step 2 before running Step 3.
These possible causes have the same solution:
You might have entered a cmdlet or parameters that are defined in a role that isn't assigned to anyone
by default.
You might have entered a cmdlet or parameter that isn't available in your environment. For example,
when you enter an Exchange Online cmdlet or parameters in an on-premises Exchange 2016
environment.
Run the following command to find the role that contains the cmdlet or parameters. Be sure to replace
<Cmdlet> and optionally, <Parameter1>,<Parameter2>,... with the actual cmdlet and parameter names you
are interested in. Note that you can use wildcard characters (*) in the cmdlet and parameter names (for
example, *-Mailbox*).

Get-ManagementRoleEntry -Identity *\<Cmdlet> [-Parameters <Parameter1>,<Parameter2>,... ]

If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't
available in your environment.
If the command returns one or more entries for Name, Role, and Parameters, the cmdlet (or
parameters on the cmdlet) is available in your environment, but the required role isn't assigned to
anyone. To see all roles that aren't assigned to anyone, run the following command:

$na = Get-ManagementRole ; $na | foreach {If ((Get-ManagementRoleAssignment -Role $_.Name -Delegating $false) -eq $null) {$_.Name}}

Related procedures
Management role scopes define where cmdlets can operate (in particular, write scopes).
To include scope information in Step 2, substitute the following command:

$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-List Role,RoleAssigneeType,RoleAssigneeName,*Scope*}

To see all roles assigned to a specific user, run the following command:

Get-ManagementRoleAssignment -RoleAssignee <UserIdentity> -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType

For example:

Get-ManagementRoleAssignment -RoleAssignee julia@contoso.com -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType

To see all users who are assigned a specific role, run the following command:

Get-ManagementRoleAssignment -Role "<Role name>" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod

For example:

Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod

To see the members of a specific role group, run the following command:

Get-RoleGroupMember "<Role group name>"

For example:

Get-RoleGroupMember "Organization Management"
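
For an access review, Steps 2 and 3 and the effective-user lookup above can be chained to answer "which accounts can actually run this cmdlet". The following is an added example, not part of the original topic; the function name Get-CmdletAccess is hypothetical, and it returns objects instead of Format-Table output so the result can be sorted, filtered or exported.

```powershell
# Added example. Run in the Exchange Management Shell.
function Get-CmdletAccess {
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,
        [string[]] $Parameters
    )

    # Step 2: roles that contain the cmdlet (and all listed parameters).
    $roleArgs = @{ Cmdlet = $Cmdlet; ErrorAction = 'SilentlyContinue' }
    if ($Parameters) { $roleArgs.CmdletParameters = $Parameters }
    $roles = @(Get-ManagementRole @roleArgs)

    if ($roles.Count -eq 0) {
        # First troubleshooting case: wrong name, too many parameters,
        # or a cmdlet that is not available in this environment.
        Write-Warning "No role contains $Cmdlet with the requested parameters."
        return
    }

    foreach ($role in $roles) {
        # Step 3, expanded to the individual users behind each assignment.
        $assignments = @(
            Get-ManagementRoleAssignment -Role $role.Name -GetEffectiveUsers -Delegating $false |
                Where-Object { $_.EffectiveUserName -ne 'All Group Members' }
        )

        # "My..." roles are end-user roles that act only on the user's own objects.
        $endUserRole = $role.Name -like 'My*'

        if ($assignments.Count -eq 0) {
            # Second troubleshooting case: the role exists but nobody holds it.
            [pscustomobject]@{
                Role = $role.Name; EndUserRole = $endUserRole
                EffectiveUser = $null; AssignedVia = $null
                AssigneeType = $null; AssignmentMethod = 'Not assigned to anyone'
            }
            continue
        }

        foreach ($a in $assignments) {
            [pscustomobject]@{
                Role             = $role.Name
                EndUserRole      = $endUserRole
                EffectiveUser    = $a.EffectiveUserName
                AssignedVia      = $a.RoleAssigneeName
                AssigneeType     = $a.RoleAssigneeType
                AssignmentMethod = $a.AssignmentMethod
            }
        }
    }
}

# Who can change another user's remote PowerShell access?
Get-CmdletAccess -Cmdlet Set-User -Parameters RemotePowerShellEnabled |
    Where-Object { -not $_.EndUserRole } |
    Sort-Object EffectiveUser, Role |
    Format-Table -Auto EffectiveUser,Role,AssignedVia,AssigneeType,AssignmentMethod
```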


Exchange cmdlet syntax
11/7/2019 • 8 minutes to read

Exchange cmdlet reference topics use a standardized method that describes key aspects about the cmdlet. For
example:
Parameters that are available on the cmdlet.
Values that each parameter accepts.
Parameters that can be used together, and parameters that need to be used separately.
This topic explains these conventions, and also the syntax that's required to run commands in Exchange
PowerShell.

Command conventions in Exchange PowerShell


Exchange PowerShell help follows conventions that indicate what's required or optional, and how to enter
parameters and values when you run a command. These command conventions are listed in the following table.

SYMBOL    DESCRIPTION

-         A hyphen indicates a parameter. For example, -Identity.

<>        Angle brackets indicate the possible values for a parameter. For example, -Location <ServerName> or -Enabled <$true | $false>.

[]        Square brackets indicate optional parameters and their values. For example, [-WhatIf] or [-ResultSize <Unlimited>]. Parameter-value pairs that aren't enclosed in square brackets are required. For example, -Password <SecureString>.
          If the parameter name itself is enclosed in square brackets, that indicates the parameter is a positional parameter (you can use the parameter value without specifying the parameter), and positional parameters can be required or optional.
          For example, Get-Mailbox [[-Identity] <MailboxIdParameter>] means the Identity parameter is positional (because it's enclosed in square brackets) and optional (because the whole parameter-value pair is enclosed in square brackets), so you can use Get-Mailbox -Identity <MailboxIdParameter> or Get-Mailbox <MailboxIdParameter>. Similarly, Set-Mailbox [-Identity] <MailboxIdParameter> means the Identity parameter is positional (because it's enclosed in square brackets) and required (because the whole parameter-value pair is not enclosed in square brackets), so you can use Set-Mailbox -Identity <MailboxIdParameter> or Set-Mailbox <MailboxIdParameter>.

|         Pipe symbols in parameter values indicate a choice between values. For example, -Enabled <$true | $false> indicates the Enabled parameter can have the value $true or $false.

These command conventions help you understand how a command is constructed. With the exception of the
hyphen that indicates a parameter, you don't use these symbols as they're described in the table when you run
cmdlets in Exchange PowerShell.

Parameter sets in Exchange PowerShell


Parameter sets are groups of parameters that can be used with each other in the same command. Although
parameter sets typically share some parameters, each parameter set contains at least one parameter that isn't
available in the other parameter sets, and can't be used with some of the parameters in different parameter sets.
Many cmdlets have only one parameter set, which means that all available parameters can be used with each
other. Other cmdlets have several parameter sets, which indicates some parameters perform functions that are
incompatible with other parameters. For example, suppose the following parameter sets are available on the
New-SystemMessage cmdlet:

New-SystemMessage -DsnCode <EnhancedStatusCode> -Internal <$true | $false> -Language <CultureInfo> -Text <String> [-Confirm] [-DomainController <Fqdn>] [-WhatIf] <COMMON PARAMETERS>

New-SystemMessage -Language <CultureInfo> -QuotaMessageType <WarningMailboxUnlimitedSize | WarningPublicFolderUnlimitedSize | WarningMailbox | WarningPublicFolder | ProhibitSendMailbox | ProhibitPostPublicFolder | ProhibitSendReceiveMailBox> -Text <String> [-Confirm] [-DomainController <Fqdn>] [-WhatIf] <COMMON PARAMETERS>

This cmdlet has two separate parameter sets. Based on the entries, you can use these parameters together in the
same command:
DsnCode
Internal
Language
Text
Confirm
DomainController
WhatIf
And you can use these parameters together in the same command:
Language
QuotaMessageType
Text
Confirm
DomainController
WhatIf
But you can't use these parameters together in the same command:
DsnCode and QuotaMessageType.
Internal and QuotaMessageType.
The <COMMON PARAMETERS> entry indicates the cmdlet supports the basic Windows PowerShell parameters that are
available on virtually any cmdlet (for example, Debug). You can use common parameters with parameters from
any parameter set. For more information, see about_CommonParameters.

Quotation marks in Exchange PowerShell


In Exchange PowerShell, you use single quotation marks ( ' ) or double quotation marks ( " ) to enclose parameter
values that contain spaces. For example, the following commands behave the same:
Get-ReceiveConnector -Identity "Contoso Receive Connector"

Get-ReceiveConnector -Identity 'Contoso Receive Connector'

If you don't enclose the value Contoso Receive Connector in quotes, Exchange PowerShell tries to treat each word
as a new argument, and the command will fail. In this example, you'll receive an error that looks like this:
A positional parameter cannot be found that accepts argument 'Receive'

If the value contains variables, you need to choose carefully between single quotes and double quotes. For example,
suppose you have a variable named $Server that has the value Mailbox01 .
Double quotation marks: Variables are substituted with their values. The input "$Server Example"
results in the output Mailbox01 Example .
Single quotation marks: Variables are treated literally. The input '$Server Example' results in the output
$Server Example .

For more information about variables, see about_Variables and about_Automatic_Variables.

Escape characters in Exchange PowerShell


In any programming language, an escape character is used to identify special characters literally, and not by their
normal function in that language. In Exchange PowerShell, when you enclose a text string in double quotation
marks, the escape character is the back quotation mark escape character ( ` ).
For example, if you want the output The price is $23 , enter the value "The price is `$23". The escape character
is required because the dollar sign character ( $ ) defines variables in Exchange PowerShell.
If you enclose the string in single quotation marks, the only special character you need to worry about is the single
quotation mark character itself, which requires two single quotation marks ( '' ).
For example, if you want the output Don't confuse two single quotation marks with a double quotation mark! ,
enter the value 'Don''t confuse two single quotation marks with a double quotation mark!'.

Command operators in Exchange PowerShell


The following table shows the valid operators that you can use in an Exchange command. Some of these symbols
were also described in the earlier Command conventions in Exchange PowerShell section. However, these
symbols have different meanings when they're used on the command line as operators. For example, the minus
sign that's used to indicate a parameter can also be used in a command as a mathematical operator.

OPERATOR    DESCRIPTION

=    The equal sign is used as an assignment character. The value on the right side of the equal sign is assigned to the variable on the left side of the equal sign. The following characters are also assignment characters:
     • +=: Add the value on the right side of the equal sign to the current value that's contained in the variable on the left side of the equal sign.
     • -=: Subtract the value on the right side of the equal sign from the current value that's contained in the variable on the left side of the equal sign.
     • *=: Multiply the current value of the variable on the left side of the equal sign by the value that's specified on the right side of the equal sign.
     • /=: Divide the current value of the variable on the left side of the equal sign by the value that's specified on the right side of the equal sign.
     • %=: Modify the current value of the variable on the left side of the equal sign by the value that's specified on the right side of the equal sign.

:    A colon can be used to separate a parameter's name from the parameter's value. For example, -Enabled:$True. Using a colon is optional with all parameter types except switch parameters. For more information about switch parameters, see about_Parameters.

!    The exclamation point is a logical NOT operator. When it is used with the equal ( = ) sign, the combined pair means "not equal to."

[]    Brackets are used to specify the index value of an array position. Index values are offsets that start at zero. For example, $Red[9] refers to the tenth index position in the array, $Red.
     Brackets can also be used to assign a type to a variable (for example, $A=[XML] "<Test><A>value</A></Test>" ). The following variable types are available: Array, Bool, Byte, Char, Char[], Decimal, Double, Float, Int, Int[], Long, Long[], RegEx, Single, ScriptBlock, String, Type, and XML.

{}    Braces are used to include an expression in a command. For example, Get-Process | Where {$_.HandleCount -gt 400}

|    The pipe symbol is used when one cmdlet pipes a result to another cmdlet. For example, Get-Mailbox -Server SRV1 | Set-Mailbox -ProhibitSendQuota 2GB.

>    The right-angle bracket is used to send the output of a command to a file, and the contents of the file are overwritten. For example, Get-TransportRulePredicate > "C:\My Documents\Output.txt".

>>    Double right-angle brackets are used to append the output of a command to an existing file. If the file doesn't exist, a new file is created. For example, Get-TransportRulePredicate >> "C:\My Documents\Output.txt".

"    Double quotation marks are used to enclose text strings that contain spaces.

$    A dollar sign indicates a variable. For example, $Blue = 10 assigns the value 10 to the variable $Blue.

@    The @ symbol references an associative array. For more information, see about_Arrays.

$( )    A dollar sign ( $ ) with parentheses indicates command substitution. You can use command substitution when you want to use the output of one command as an argument in another command. For example, Get-ChildItem $(Read-Host -Prompt "Enter FileName: ").

..    Double-periods indicate a value range. For example, if an array contains several indexes, you can return the values of all indexes between the second and fifth indexes by running the command: $Blue[2..5].

+    The + operator adds two values together. For example, 6 + 6 equals 12.

-    The - operator subtracts one value from another value (for example, 12 - 6 equals 6 ) or indicates a negative number (for example, -6 * 6 equals -36 ).

*    You can use the wildcard character to match strings (for example, Get-User | Where-Object {$_.Department -like 'Sales*'}), multiply numeric values (for example, 6 * 6 equals 36 ), or repeat the string value the specified number of times (for example, "Test" * 3 equals TestTestTest ).

/    The / operator divides one value by another. For example, 6 / 6 equals 1.

%    In a numerical evaluation, the % operator returns the remainder from a division operator. For example, 6 % 4 equals 2.
     In a pipeline, the percent character ( % ) is shorthand for the ForEach-Object cmdlet. For example, Import-Csv c:\MyFile.csv | ForEach-Object {Set-Mailbox $_.Identity -Name $_.Name} is the same as Import-Csv c:\MyFile.csv | % {Set-Mailbox $_.Identity -Name $_.Name}. For more information, see about_Pipelines.

?    The question mark character ( ? ) is shorthand for the Where-Object cmdlet. For example, Get-Alias | Where-Object {$_.Definition -eq "Clear-Host"} is the same as Get-Alias | ? {$_.Definition -eq "Clear-Host"}

Use Update-ExchangeHelp to update Exchange PowerShell help topics on Exchange servers
10/30/2019 • 7 minutes to read

Exchange cmdlet reference topics are created and updated all the time, but it's been difficult to get those updates
into Exchange code in a timely manner so they're available in the Exchange Management Shell. Now, you can use
the Update-ExchangeHelp cmdlet in the Exchange Management Shell to get the most up-to-date cmdlet
reference topics for the command line in Exchange 2013 or later.
The Update-ExchangeHelp cmdlet automatically connects to a predefined website, compares the version of the
local Exchange server and the installed languages to what's available in the update packages, and then downloads
and installs the updated Exchange Management Shell help. Typically, the cmdlet connects to the internet, but you
can configure it to connect to an intranet source inside your organization.

What do you need to know before you begin?


Estimated time to complete:
Use Update-ExchangeHelp on a single Internet-connected Exchange server: less than 5 minutes.
Configure Update-ExchangeHelp to get updates from an internal web server: 30 minutes.
You need to be assigned permissions before you can perform this procedure or procedures. To see what
permissions you need, see the "Exchange server configuration settings" entry in the Exchange infrastructure
and PowerShell permissions topic.
You can only use PowerShell to perform this procedure. To learn how to open the Exchange Management
Shell in your on-premises Exchange organization, see Open the Exchange Management Shell.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server.

Use Update-ExchangeHelp on a single Internet-connected Exchange server
This method requires that the Exchange server has direct access to the Internet.
Run the following command in the Exchange Management Shell:

Update-ExchangeHelp -Verbose

Notes:
The Verbose switch is important because it provides useful information. For example, it tells you if your
Exchange server already has the latest version of help installed, or if you've run the command in the last 24
hours.
If you want to check for updates again within 24 hours, use the Force switch.

Configure Update-ExchangeHelp to get updates from an internal web server
In some organizations, internal servers don't have access to the Internet. If your internal Exchange servers don't
have Internet access, you can configure Update-ExchangeHelp to point to an internal web server to get updates.
The steps are as follows:
1. Download and inspect the ExchangeHelpInfo.xml manifest file.
2. Download the update packages, publish the update packages on an internal web server, and customize the
ExchangeHelpInfo.xml manifest file.
3. Publish the customized ExchangeHelpInfo.xml manifest file on an internal web server.
4. Modify the registry of the Exchange servers to point to the customized ExchangeHelpInfo.xml manifest file.
5. Use and maintenance of Update-ExchangeHelp.
Step 1. Download and inspect the ExchangeHelpInfo.xml manifest file
On a computer that has Internet access, open https://go.microsoft.com/fwlink/p/?LinkId=287244, save the
ExchangeHelpInfo.xml manifest file in a location that's easy to remember, and open the file in Notepad.
Each available update package is defined in a <HelpVersion> section, and each <HelpVersion> section contains
the following keys.
<Version>: This key identifies the version of Exchange that the update package applies to. 15.01.xxxx.xxx is
Exchange 2016. 15.00.xxxx.xxx is Exchange 2013. Typically, this key specifies a range of versions.
<CulturesUpdated>: This key identifies the language that the update package applies to. This key might
specify only one language or multiple languages.
<Revision>: This key identifies the order that the updated packages were released for the major version of
Exchange. In other words, the first update package released for Exchange 2016 is 001 , the second is 002 ,
etc. And, there's no relationship between the update packages and the order they were released in. For
example, 001 might be an English only update, 002 might be an update for all other supported languages,
and 003 might be a German-only update.
<CabinetUrl>: This key identifies the name and location of the update package for the <HelpVersion>
section.
The update package that's defined in a <HelpVersion> section applies to an Exchange server based on the
combination of <Version> and <CulturesUpdated> values.
You might find that multiple <HelpVersion> sections apply to your Exchange servers for a given version of
Exchange. For example, there might be multiple updates for the same language, or separate updates for different
languages that both apply to your Exchange servers because you have multiple languages installed. Either way,
you need only the most recent update for your Exchange server version and language based on the <Revision>
key.
For example, suppose your Exchange servers are running Exchange 2016 version 15.01.0225.040 with English and
Spanish installed, and the ExchangeHelpInfo.xml manifest file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<ExchangeHelpInfo>
  <HelpVersions>
    <HelpVersion>
      <Version>15.01.0225.030-15.01.0225.050</Version>
      <Revision>001</Revision>
      <CulturesUpdated>en</CulturesUpdated>
      <CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_En.cab</CabinetUrl>
    </HelpVersion>
    <HelpVersion>
      <Version>15.01.0225.030-15.01.0225.050</Version>
      <Revision>002</Revision>
      <CulturesUpdated>de, es, fr, it, ja, ko, pt, pu, ru, zh-HanS, zh-HanT</CulturesUpdated>
      <CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_Loc.cab</CabinetUrl>
    </HelpVersion>
    <HelpVersion>
      <Version>15.01.0225.030-15.01.0225.050</Version>
      <Revision>003</Revision>
      <CulturesUpdated>en</CulturesUpdated>
      <CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_En2.cab</CabinetUrl>
    </HelpVersion>
  </HelpVersions>
</ExchangeHelpInfo>

In this example, all the updates apply to you based on the version of Exchange. However, you need only revision
003 for English, and revision 002 for Spanish. You don't need revision 001 for English because revision 003 is
newer.
Step 2. Download the update packages, publish the update packages on an internal web server, and customize
the ExchangeHelpInfo.xml manifest file
The easiest and least time-consuming approach might be to download every available update package that's
defined in the ExchangeHelpInfo.xml manifest file. The benefits to this approach are:
No analysis required: It's difficult to make a mistake and accidentally miss an update that applies to you,
because you're downloading every available update package. The Update-ExchangeHelp cmdlet ignores
the update packages that don't apply to the Exchange server, so it doesn't hurt to download unneeded
update packages.
Easier maintenance: Whenever a new update package is released, you don't need to spend time
determining if the update package applies to you. You just download and customize the new
ExchangeHelpInfo.xml manifest file, and download the new cabinet (.cab) file that's defined in it.
To download all of the update packages, follow these steps:
1. Download all of the .cab files that are defined in the ExchangeHelpInfo.xml manifest file by using the
<CabinetUrl> values. Save the files in a location that's easy to remember.
2. Publish the .cab files on an internal web server (for example
https://intranet.contoso.com/downloads/exchange ).

3. Modify the URL values of the <CabinetUrl> keys to point to the internal web server where you published
the .cab files.
For example, change the value
https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_En.cab
to https://intranet.contoso.com/downloads/exchange/ExchangePS_Update_En.cab .
4. Save the customized ExchangeHelpInfo.xml manifest file.
The drawback to this approach is you download more .cab files than you actually need, and the unneeded .cab files
consume space on your internal web server.
If you want to identify only the update packages that apply to you, follow these steps.
1. Find the version details for your Exchange servers.
To find the version details on a single Exchange server, run the following command:

Get-Command Exsetup.exe | ForEach {$_.FileVersionInfo}

To find the version details for all Exchange servers in your organization, run the following command:

Get-ExchangeServer | Sort-Object Name | ForEach {Invoke-Command -ComputerName $_.Name -ScriptBlock {Get-Command ExSetup.exe | ForEach{$_.FileVersionInfo}}} | Format-Table -Auto

The result for ProductVersion will be in the format 15.01.0225.xxx .


2. Find the <HelpVersion> sections in the ExchangeHelpInfo.xml manifest file that apply to your Exchange
servers based on the values of the <Version>, <CulturesUpdated>, and <Revision> keys. The
methodology was described in Step 1.
After you identify the update packages that apply to you, follow these steps:
1. Download the applicable .cab files by using the <CabinetUrl> values. Save the files in a location that's easy
to remember.
2. Publish the .cab files on an internal web server (for example
https://intranet.contoso.com/downloads/exchange ).

3. Modify the URL values of the <CabinetUrl> keys to point to the internal web server where you published
the .cab files.
For example, change the value
https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_En.cab
to https://intranet.contoso.com/downloads/exchange/ExchangePS_Update_En.cab .
4. Optionally, you can delete the <HelpInfo> sections that don't apply to you.
5. Save the customized ExchangeHelpInfo.xml manifest file.
Step 3. Publish the customized ExchangeHelpInfo.xml manifest file on an internal web server
Publish the customized ExchangeHelpInfo.xml manifest file from Step 2 on an internal web server that's accessible
to your internal Exchange servers. For example,
https://intranet.contoso.com/downloads/exchange/ExchangeHelpInfo.xml . You'll use the URL value of this location in
Step 4.
Note that there's no relationship between the ExchangeHelpInfo.xml manifest file and .cab file locations. You can
have them available at the same URL or on different servers.
Step 4. Modify the registry of your Exchange servers to point to the customized ExchangeHelpInfo.xml
manifest file
You need the download location of the customized ExchangeHelpInfo.xml manifest file that you configured in Step
3. This example uses the value https://intranet.contoso.com/downloads/exchange/ExchangeHelpInfo.xml .
1. Copy and paste the following text into Notepad, customize the URL for your environment, and save the file
as UpdateExchangeHelp.reg in a location that's easy to remember.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\UpdateExchangeHelp]
"ManifestUrl"="https://intranet.contoso.com/downloads/exchange/ExchangeHelpInfo.xml"

2. Run the UpdateExchangeHelp.reg file on your internal Exchange servers.


Step 5. Use and maintenance of Update-ExchangeHelp
Now, when you run Update-ExchangeHelp in the Exchange Management Shell on your internal Exchange
servers, the command gets download information and downloads files from the internal locations you specified.
More interesting is the long-term maintenance of this customized configuration. Basically, you'll need to repeat
Step 1 through Step 3 when you discover an update has been made available for Exchange cmdlet reference help,
and you want to deploy that updated help to your Exchange servers.
An easy way to find new update packages is to periodically run Update-ExchangeHelp on an Internet-connected
Exchange server, or computer that has the Exchange management tools installed.
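
The selection logic from Step 1 and the URL rewrite from Step 2, as an added PowerShell example (not Microsoft's code). The function names are hypothetical, the manifest is the sample shown in Step 1, and the HTTPS requirement on the internal location is an added check.

```powershell
# Sample manifest from Step 1, embedded so the script runs offline.
$manifestXml = @'
<?xml version="1.0" encoding="utf-8"?>
<ExchangeHelpInfo>
  <HelpVersions>
    <HelpVersion>
      <Version>15.01.0225.030-15.01.0225.050</Version>
      <Revision>001</Revision>
      <CulturesUpdated>en</CulturesUpdated>
      <CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_En.cab</CabinetUrl>
    </HelpVersion>
    <HelpVersion>
      <Version>15.01.0225.030-15.01.0225.050</Version>
      <Revision>002</Revision>
      <CulturesUpdated>de, es, fr, it, ja, ko, pt, pu, ru, zh-HanS, zh-HanT</CulturesUpdated>
      <CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_Loc.cab</CabinetUrl>
    </HelpVersion>
    <HelpVersion>
      <Version>15.01.0225.030-15.01.0225.050</Version>
      <Revision>003</Revision>
      <CulturesUpdated>en</CulturesUpdated>
      <CabinetUrl>https://download.microsoft.com/download/8/7/0/870FC9AB-6D22-4478-BFBF-66CE775BCD18/ExchangePS_Update_En2.cab</CabinetUrl>
    </HelpVersion>
  </HelpVersions>
</ExchangeHelpInfo>
'@

# Hypothetical helper: return, per installed culture, the highest <Revision>
# whose <Version> range covers the server version.
function Select-ApplicableHelpVersion {
    param(
        [Parameter(Mandatory)] [xml] $Manifest,
        [Parameter(Mandatory)] [version] $ServerVersion,
        [Parameter(Mandatory)] [string[]] $InstalledCultures
    )
    $candidates = foreach ($hv in $Manifest.ExchangeHelpInfo.HelpVersions.HelpVersion) {
        # <Version> is either a single version or "low-high".
        $low, $high = $hv.Version -split '-' | ForEach-Object { [version]$_.Trim() }
        if ($null -eq $high) { $high = $low }
        if ($ServerVersion -lt $low -or $ServerVersion -gt $high) { continue }

        foreach ($culture in ($hv.CulturesUpdated -split ',' | ForEach-Object { $_.Trim() })) {
            if ($InstalledCultures -contains $culture) {
                [pscustomobject]@{
                    Culture    = $culture
                    Revision   = [int]$hv.Revision
                    CabinetUrl = $hv.CabinetUrl -replace '\s', ''
                }
            }
        }
    }
    $candidates | Group-Object Culture | ForEach-Object {
        $_.Group | Sort-Object Revision -Descending | Select-Object -First 1
    }
}

# Hypothetical helper: return a copy of the manifest whose <CabinetUrl> values
# point at the internal web server, keeping each .cab file name.
function Set-InternalCabinetUrl {
    param(
        [Parameter(Mandatory)] [xml] $Manifest,
        [Parameter(Mandatory)] [uri] $InternalBase
    )
    if ($InternalBase.Scheme -ne 'https') {
        throw "Internal location must use HTTPS: $InternalBase"
    }
    $copy = $Manifest.Clone()   # leave the downloaded manifest untouched
    foreach ($hv in $copy.ExchangeHelpInfo.HelpVersions.HelpVersion) {
        $source = [uri]($hv.CabinetUrl -replace '\s', '')
        $file   = [System.IO.Path]::GetFileName($source.AbsolutePath)
        $hv.CabinetUrl = '{0}/{1}' -f $InternalBase.AbsoluteUri.TrimEnd('/'), $file
    }
    $copy
}

$manifest = [xml]$manifestXml

# Server from the Step 1 example: Exchange 2016 15.01.0225.040, English and Spanish.
Select-ApplicableHelpVersion -Manifest $manifest -ServerVersion '15.01.0225.040' -InstalledCultures 'en', 'es' |
    Format-Table Culture, Revision, CabinetUrl -AutoSize

# Customized manifest for Step 3, written to the current directory.
$internal = Set-InternalCabinetUrl -Manifest $manifest -InternalBase 'https://intranet.contoso.com/downloads/exchange'
$internal.Save((Join-Path $PWD.Path 'ExchangeHelpInfo.xml'))
```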

Details about Update-ExchangeHelp


Windows PowerShell has the Update-Help and Save-Help cmdlets for online and offline updates of cmdlet
reference topics. However, these cmdlets don't support Exchange cmdlet help, so a specific Exchange cmdlet is
required to update cmdlet reference topics in the Exchange Management Shell.

Recipient filters in Exchange PowerShell commands
10/31/2019 • 8 minutes to read

You can use several Exchange Management Shell and Exchange Online PowerShell commands to filter a set of
recipients. You can create the following types of filters in an Exchange command:
Precanned filters
Custom filters using the RecipientFilter parameter
Custom filters using the Filter parameter
Custom filters using the ContentFilter parameter
Older versions of Exchange used LDAP filtering syntax to create custom address lists, global address lists (GALs),
email address policies, and distribution groups. In Exchange Server 2007 and later versions, OPATH filtering syntax
replaced LDAP filtering syntax.

Precanned filters
A precanned filter is a commonly used Exchange filter that you can use to meet a variety of recipient-filtering
criteria for creating dynamic distribution groups, email address policies, address lists, or GALs. With precanned
filters, you can use either Exchange PowerShell or the Exchange admin center (EAC). Using precanned filters,
you can do the following:
Determine the scope of recipients.
Add conditional filtering based on properties such as company, department, and state or region.
Add custom attributes for recipients. For more information, see Custom Attributes.
The following parameters are considered precanned filters:
IncludedRecipients
ConditionalCompany
ConditionalDepartment
ConditionalStateOrProvince
ConditionalCustomAttribute1 to ConditionalCustomAttribute15.
Precanned filters are available for the following cmdlets:
New-DynamicDistributionGroup
Set-DynamicDistributionGroup
New-EmailAddressPolicy
Set-EmailAddressPolicy
New-AddressList
Set-AddressList
New-GlobalAddressList
Set-GlobalAddressList
Precanned filter example
This example describes using precanned filters in the Exchange Management Shell to create a dynamic distribution
group. The syntax in this example is similar but not identical to the syntax you would use to create an email address
policy, address list, or GAL. When creating a precanned filter, you should ask the following questions:
From which organizational unit (OU) do you want to include recipients? (This question corresponds to the
RecipientContainer parameter.)

NOTE
Selecting the OU for this purpose applies only when creating dynamic distribution groups, and not when creating email
address policies, address lists, or GALs.

What type of recipients do you want to include? (This question corresponds to the IncludedRecipients
parameter.)
What additional conditions do you want to include in the filter? (This question corresponds to the
ConditionalCompany, ConditionalDepartment, ConditionalStateOrProvince, and
ConditionalCustomAttribute parameters.)
This example creates the dynamic distribution group Contoso Finance for user mailboxes in the OU
Contoso.com/Users and specifies the condition to include only recipients who have the Department attribute
defined as Finance and the Company attribute defined as Contoso.

New-DynamicDistributionGroup -Name "Contoso Finance" -OrganizationalUnit Contoso.com/Users -RecipientContainer Contoso.com/Users -IncludedRecipients MailboxUsers -ConditionalDepartment "Finance" -ConditionalCompany "Contoso"

This example displays the properties of this new dynamic distribution group.

Get-DynamicDistributionGroup -Identity "Contoso Finance" | Format-List Recipient*,Included*

Custom filters using the RecipientFilter parameter


If precanned filters don't meet your needs for creating or modifying dynamic distribution groups, email address
policies, and address lists, you can create a custom filter by using the RecipientFilter parameter.
The recipient filter parameter is available for the following cmdlets:
New-DynamicDistributionGroup
Set-DynamicDistributionGroup
New-EmailAddressPolicy
Set-EmailAddressPolicy
New-AddressList
Set-AddressList
New-GlobalAddressList
Set-GlobalAddressList
For more information about the filterable properties you can use with the RecipientFilter parameter, see Filterable
properties for the RecipientFilter parameter.
Custom filter example
The following example uses the RecipientFilter parameter to create a dynamic distribution group. The syntax in this
example is similar but not identical to the syntax you use to create an email address policy, address list, or GAL.
This example uses custom filters to create a dynamic distribution group for user mailboxes that have the Company
attribute defined as Contoso and the Office attribute defined as North Building.

New-DynamicDistributionGroup -Name AllContosoNorth -OrganizationalUnit contoso.com/Users -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Company -eq 'Contoso') -and (Office -eq 'North Building'))"

Custom filters using the Filter parameter


You can use the Filter parameter to filter the results of a command to specify which objects to retrieve. For example,
instead of retrieving all users or groups, you can specify a set of users or groups by using a filter string. This type of
filter doesn't modify any configuration or attributes of objects. It only modifies the set of objects that the command
returns.
Using the Filter parameter to modify command results is known as server-side filtering. Server-side filtering
submits the command and the filter to the server for processing. We also support client-side filtering, in which the
command retrieves all objects from the server and then applies the filter in the local console window. To perform
client-side filtering, use the Where-Object cmdlet. For more information about server-side and client-side filtering,
see "How to Filter Data" in Working with Command Output.
To find the filterable properties for cmdlets that have the Filter parameter, you can run the Get command against an
object and format the output by piping it to the Format-List cmdlet. Most of the returned values will be available
for use in the Filter parameter. The following example returns a detailed list for the mailbox Ayla.

Get-Mailbox -Identity Ayla | Format-List

The Filter parameter is available for the following recipient cmdlets:


Get-CASMailbox
Get-Contact
Get-DistributionGroup
Get-DynamicDistributionGroup
Get-Group
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup
For more information about the filterable properties you can use with the Filter parameter, see Filterable properties
for the Filter parameter.
Example
This example uses the Filter parameter to return information about users whose title contains the word "manager".

Get-User -Filter "Title -like 'Manager*'"

Custom filters using the ContentFilter parameter


You can use the ContentFilter parameter to select specific message content to export when using the
New-MailboxExportRequest cmdlet. If the command finds a message that contains the match to the content filter, it
exports the message to a .pst file.
ContentFilter parameter example
This example creates an export request that searches Ayla's mailbox for messages where the body contains the
phrase "company prospectus". If that phrase is found, the command exports all messages with that phrase to a .pst
file.

New-MailboxExportRequest -Mailbox Ayla -ContentFilter "Body -like 'company prospectus*'"

For more information about the filterable properties that you can use with the ContentFilter parameter, see
Filterable properties for the ContentFilter parameter.

Additional OPATH syntax information


When creating your own custom OPath filters, consider the following items:
Use the following syntax to identify the types of values that you're searching for:
Text values: Enclose the text in single quotation marks (for example, 'Value' or
'Value with spaces' ). Or, you can enclose a text value in double quotation marks, but that limits the
characters you can use to enclose the whole OPath filter.
Variables: Enclose variables that need to be expanded in single quotation marks (for example,
'$User' ). If the variable value itself contains single quotation marks, you need to identify (escape) the
single quotation marks to expand the variable correctly. For example, instead of '$User' , use
'$($User -Replace "'","''")' .

Integer values: You don't need to enclose integers (for example, 500 ). You can often enclose
integers in single quotation marks or double quotation marks, but that limits the characters you can
use to enclose the whole OPath filter.
System values: Don't enclose system values (for example, $true , $false , or $null ). To enclose the
whole OPath filter in double quotation marks, you need to escape the dollar sign in the system value (for
example, `$true ).
You need to enclose the whole OPath filter in double quotation marks " " or single quotation marks ' '.
Although any OPath filter object is technically a string and not a script block, you can still use braces { }, but
only if the filter doesn't contain variables that require expansion. The characters that you can use to enclose
the whole OPath filter depend on types of values that you're searching for and the characters you used (or
didn't use) to enclose those values:
Text values: Depends on how you enclosed the text to search for:
Text enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces.
Text enclosed in double quotation marks: Enclose the whole OPath filter in braces.
Variables: Enclose the whole OPath filter in double quotation marks (for example,
"Name -eq '$User'" ).

Integer values: Depends on how you enclosed (or didn't enclose) the integer to search for:
Integer not enclosed: Enclose the whole OPath filter in double quotation marks, single
quotation marks, or braces (for example "CountryCode -eq 840" ).
Integer enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces (for example, "CountryCode -eq '840'" ).
Integer enclosed in double quotation marks: Enclose the whole OPath filter in braces (for
example {CountryCode -eq "840"} ).
System values: Enclose the whole OPath filter in single quotation marks or braces (for example
'HiddenFromAddressListsEnabled -eq $true' ). If you escape the dollar sign in the system value, you can also
enclose the whole OPath filter in double quotation marks (for example,
"HiddenFromAddressListsEnabled -eq `$true" ).

The compatibility of search criteria and the valid characters that you can use to enclose the whole OPath
filter are summarized in the following table:

SEARCH VALUE    OPATH FILTER ENCLOSED IN DOUBLE QUOTATION MARKS    OPATH FILTER ENCLOSED IN SINGLE QUOTATION MARKS    OPATH FILTER ENCLOSED IN BRACES

'Text'          Yes    No     Yes
"Text"          No     No     Yes
'$Variable'     Yes    No     No
500             Yes    Yes    Yes
'500'           Yes    No     Yes
"500"           No     No     Yes
$true           No     Yes    Yes
`$true          Yes    No     No

Include the hyphen before all operators. The most common operators include:
-and
-or
-not
-eq (equals)
-ne (not equal)
-lt (less than)
-gt (greater than)
-like (string comparison)
-notlike (string comparison)
Many filterable properties accept wildcard characters. If you use a wildcard character, use the -like operator
instead of the -eq operator. The -like operator is used to find pattern matches in rich types (for example,
strings) whereas the -eq operator is used to find an exact match.
For more information about operators you can use, see:
about_Logical_Operators
about_Comparison_Operators
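
The value rules above (text, integers, system values, and doubling single quotation marks inside expanded variables), applied in one place when a filter is built from data the script doesn't control. This is an added example, not Microsoft's code: the function names are hypothetical, the property-name pattern is an assumption, and the sample values are constructed.

```powershell
# Hypothetical helper: render one value as an OPath literal.
function ConvertTo-OPathValue {
    param([AllowNull()] $Value)
    # System values are written without quotation marks.
    if ($null -eq $Value) { return '$null' }
    if ($Value -is [bool]) { if ($Value) { return '$true' } else { return '$false' } }
    # Integers don't need to be enclosed.
    if ($Value -is [int] -or $Value -is [long]) {
        return $Value.ToString([cultureinfo]::InvariantCulture)
    }
    # Text: enclose in single quotation marks and double any embedded one,
    # the same escape as '$($User -Replace "'","''")'.
    return "'" + ([string]$Value -replace "'", "''") + "'"
}

# Hypothetical helper: one "(Property -operator value)" condition.
function New-OPathCondition {
    param(
        # Assumption: property names are plain alphanumeric identifiers.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z][A-Za-z0-9]*$')] [string] $Property,
        [Parameter(Mandatory)] [ValidateSet('eq', 'ne', 'lt', 'gt', 'like', 'notlike')] [string] $Operator,
        [AllowNull()] $Value
    )
    '({0} -{1} {2})' -f $Property, $Operator, (ConvertTo-OPathValue $Value)
}

# Hypothetical helper: combine conditions with -and or -or.
function Join-OPathCondition {
    param(
        [Parameter(Mandatory)] [string[]] $Condition,
        [ValidateSet('and', 'or')] [string] $With = 'and'
    )
    $Condition -join " -$With "
}

# Constructed sample values, as they might arrive from a CSV file or a form.
$samples = 'Contoso', "O'Brien & Sons", "North 'Annex' Building"

$rows = foreach ($company in $samples) {
    [pscustomobject]@{
        Value   = $company
        # Plain expansion: an embedded single quotation mark ends the text value early.
        Naive   = "Company -eq '$company'"
        Escaped = New-OPathCondition -Property Company -Operator eq -Value $company
    }
}
$rows | Format-List

# A complete filter mixing text, integer, and system values.
$filter = Join-OPathCondition -Condition @(
    (New-OPathCondition -Property RecipientType -Operator eq -Value 'UserMailbox'),
    (New-OPathCondition -Property Company -Operator eq -Value "O'Brien & Sons"),
    (New-OPathCondition -Property CountryCode -Operator eq -Value 840),
    (New-OPathCondition -Property HiddenFromAddressListsEnabled -Operator eq -Value $false)
)
$filter

# In an Exchange session the finished string is passed unchanged:
#   Get-Recipient -Filter $filter
```

Because the filter is assembled as a string and passed in a variable, the enclosure rules for the whole filter no longer depend on which value types it contains.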

Recipient filter documentation


The following table contains links to topics that will help you learn more about the filterable properties that you can
use with Exchange recipient commands.

TOPIC    DESCRIPTION

Filterable properties for the RecipientFilter parameter    Learn more about the filterable properties that are available for the RecipientFilter parameter.

Filterable properties for the Filter parameter    Learn more about the filterable properties that are available for the Filter parameter.

Filterable properties for the Filter parameter
10/30/2019 • 46 minutes to read

You use the Filter parameter to create OPATH filters based on the properties of user and group objects in Exchange Server and Exchange Online. The Filter parameter is
available on these recipient cmdlets:
Get-CASMailbox
Get-Contact
Get-DistributionGroup
Get-DynamicDistributionGroup
Get-Group
Get-LinkedUser
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup
For more information, see Recipient filters in Exchange PowerShell commands.

NOTE
The Filter parameter is also available on other cmdlets (for example, Get-MailboxStatistics, Get-Queue, and Get-Message). However, the property values that are accepted by the Filter
parameter on these cmdlets aren't similar to the user and group properties that are described in this topic.

Filterable properties
The properties that have been confirmed to work with the Filter parameter in user and group cmdlets are described in the following table.
Notes:
The list might include:
Properties that are only used in one type of environment: Microsoft Office 365, on-premises Exchange, or hybrid. The property might exist on recipient objects
in all environments, but the value is only meaningful (a value other than blank or None ) in one type of environment.
Properties that are present, but correspond to features that are no longer used in Exchange 2016 or later.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for these properties, which indicates that
the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or $null ), use single quotation marks ' '
instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables. For more information, see
Additional OPATH syntax information.
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
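
The quoting rules in the notes above, applied to three properties from the table that are worth reviewing in a mailbox audit (AuditEnabled, ForwardingSmtpAddress, and ForwardingAddress). This is an added example, not part of the original documentation; the helper name New-ForwardingDomainFilter, the variable names, and the use of fabrikam.com as the domain are illustrative assumptions.

```powershell
# Added example, not part of the original documentation.
# The filter strings are built offline; Get-Mailbox is called only when an
# Exchange PowerShell session is loaded in the current shell.

# Single-quoted PowerShell strings: $false and $null reach the Filter
# parameter as literal text instead of being expanded by PowerShell first.
$AuditOff     = 'AuditEnabled -eq $false'
$SmtpForward  = 'ForwardingSmtpAddress -ne $null'
$RecipForward = 'ForwardingAddress -ne $null'

function New-ForwardingDomainFilter {
    # Hypothetical helper name. Returns a filter for mailboxes that forward
    # to any address in one SMTP domain.
    param([Parameter(Mandatory)][string]$Domain)

    # Accept only DNS-name characters so the value cannot contain a quote
    # that would end the quoted string inside the filter.
    if ($Domain -notmatch '^[A-Za-z0-9.-]+$') {
        throw "Unexpected characters in domain name: $Domain"
    }
    # Double-quoted so $Domain is expanded. A wildcard value requires -like,
    # and the leading * also covers the smtp: prefix.
    "ForwardingSmtpAddress -like '*@$Domain'"
}

$Filters = [ordered]@{
    'Auditing disabled'         = $AuditOff
    # Expansion is a single pass: the literal $null text inside the two
    # variables survives when they are embedded in a double-quoted string.
    'Any forwarding configured' = "($SmtpForward) -or ($RecipForward)"
    'Forwards to fabrikam.com'  = New-ForwardingDomainFilter -Domain 'fabrikam.com'
}

foreach ($name in $Filters.Keys) {
    # Show the exact string that is handed to the Filter parameter.
    '{0,-26} {1}' -f $name, $Filters[$name]
    if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
        Get-Mailbox -ResultSize Unlimited -Filter $Filters[$name] |
            Format-Table -AutoSize Name, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward, AuditEnabled
    }
}
```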

PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS



AcceptMessagesOnlyFrom
LDAP display name: authOrig
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name of the individual recipient (a mailbox, mail user, or mail contact). For example,
Get-DistributionGroup -Filter "AcceptMessagesOnlyFrom -eq 'CN=Yuudai Uchida,CN=Users,DC=contoso,DC=com'"
or
Get-DistributionGroup -Filter "AcceptMessagesOnlyFrom -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of the individual recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

AcceptMessagesOnlyFromDLMembers
LDAP display name: dLMemSubmitPerms
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group (a distribution group, mail-enabled security group, or dynamic distribution group). For example,
Get-Mailbox -Filter "AcceptMessagesOnlyFromDLMembers -eq 'CN=Marketing Department,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter "AcceptMessagesOnlyFromDLMembers -eq 'contoso.com/Users/Marketing Department'"
To find the distinguished name of the group, replace <GroupIdentity> with the name, alias, or email address of the group, and run one of these commands:
Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
or
Get-DynamicDistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

ActiveSyncAllowedDeviceIDs
LDAP display name: msExchMobileAllowedDeviceIds
Available on cmdlets: Get-CASMailbox
Value: String (wildcards accepted) or $null
Comments: A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have ActiveSync partnerships with a mailbox. To see the device IDs on a mailbox, replace <MailboxIdentity> with the name, alias, or email address of the mailbox, and run this command:
Get-MobileDevice -Mailbox <MailboxIdentity> | Format-List
After you have the device ID value, you can use it in the filter. For example,
Get-CasMailbox -Filter "(ActiveSyncAllowedDeviceIDs -like '*text1') -or (ActiveSyncAllowedDeviceIDs -eq 'text2')"

ActiveSyncBlockedDeviceIDs
LDAP display name: msExchMobileBlockedDeviceIds
Available on cmdlets: Get-CASMailbox
Value: String (wildcards accepted) or $null
Comments: A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have ActiveSync partnerships with a mailbox. To see the device IDs on a mailbox, replace <MailboxIdentity> with the name, alias, or email address of the mailbox, and run this command:
Get-MobileDevice -Mailbox <MailboxIdentity> | Format-List
After you have the device ID value, you can use it in a filter. For example,
Get-CasMailbox -Filter "(ActiveSyncBlockedDeviceIDs -like '*text1') -or (ActiveSyncBlockedDeviceIDs -eq 'text2')"

ActiveSyncEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ( $true or $false )
Comments: For example,
Get-CasMailbox -Filter 'ActiveSyncEnabled -eq $false'

ActiveSyncMailboxPolicy msExchMobileMailboxPolicyLink Get-CASMailbox String or $null This filter requires the distinguished
Get-Recipient name of the ActiveSync mailbox
policy. For example,
Get-CASMailbox -Filter "ActiveSyncMailboxPolicy -eq
'CN=Default,CN=Mobile Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of ActiveSync mailbox
policies by running this command:
Get-MobileDeviceMailboxPolicy
| Format-List
Name,DistinguishedName
.
Note: For the default assignment
of the default ActiveSync mailbox
policy (named Default) to a
mailbox, the value of the
ActiveSyncMailboxPolicy
property is blank ( $null ).

ActiveSyncSuppressReadReceipt n/a Get-CASMailbox Boolean ( $true or $false ) For example,


Get-CasMailbox -Filter
'ActiveSyncSuppressReadReceipt
-eq $true'
.

AddressBookPolicy msExchAddressBookPolicyLink Get-Mailbox String or $null This filter requires the distinguished
Get-Recipient name of the address book policy.
For example,
Get-Mailbox -Filter "AddressBookPolicy -eq 'CN=Contoso
ABP,CN=AddressBook Mailbox Policies,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of address book policies by
running this command:
Get-AddressBookPolicy |
Format-List
Name,DistinguishedName
.

AddressListMembership
LDAP display name: showInAddressBook
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name of the address list. For example,
Get-MailContact -Filter "AddressListMembership -eq 'CN=All Contacts,CN=All Address Lists,CN=Address Lists Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of address lists by running this command:
Get-AddressList | Format-List Name,DistinguishedName

AdminDisplayName adminDisplayName Get-SecurityPrincipal String (wildcards accepted) or For example,


$null Get-SecurityPrincipal -Filter
'AdminDisplayName -ne $null'
| Format-Table -Auto
Name,AdminDisplayName
.

AdministrativeUnits msExchAdministrativeUnitLink Get-Contact String or $null For example,


Get-DistributionGroup Get-User -Filter
Get-DynamicDistributionGroup 'AdministrativeUnits -ne
$null'
Get-Group
Get-LinkedUser .
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-RemoteMailbox
Get-User
Get-UnifiedGroup

AggregatedMailboxGuids msExchAlternateMailboxes Get-Mailbox String or $null For example,


Get-MailUser Get-Mailbox -Filter
Get-RemoteMailbox 'AggregatedMailboxGuids -ne
$null'
.

Alias mailNickname Get-DistributionGroup String (wildcards accepted) For example,


Get-DynamicDistributionGroup Get-Recipient -Filter "Alias
Get-Mailbox -like '*smith'"
Get-MailContact .
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-UnifiedGroup

AllowUMCallsFromNonUsers msExchUMListInDirectorySearch Get-Contact None (0) or SearchEnabled (1) For example,


Get-LinkedUser Get-User -Filter
Get-UMMailbox "AllowUMCallsFromNonUsers -ne
'SearchEnabled'"
Get-User
.

ArbitrationMailbox
LDAP display name: msExchArbitrationMailbox
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the arbitration mailbox. For example,
Get-DistributionGroup -Filter "ArbitrationMailbox -eq 'CN=SystemMailbox{1f05a927-2e8f-4cbb-9039-2cfb8b95e486},CN=Users,DC=contoso,DC=com'"
You can find the distinguished names of arbitration mailboxes by running this command:
Get-Mailbox -Arbitration | Format-List Name,DistinguishedName

ArchiveDatabase
LDAP display name: msExchArchiveDatabaseLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the archive mailbox database. For example,
Get-Mailbox -Filter "ArchiveDatabase -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
Get-MailboxDatabase | Format-List Name,DistinguishedName

ArchiveDomain msExchArchiveAddress Get-Mailbox String (wildcards accepted) or This property is used in on-
$null premises Exchange environments
to identify the Office 365
organization that holds the archive
mailbox. For example,
Get-Mailbox -Filter
"ArchiveDomain -like
'*contoso.onmicrosoft.com'"
.

ArchiveGuid
LDAP display name: msExchArchiveGUID
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the GUID of the archive mailbox. For example,
Get-Mailbox -Filter "ArchiveGuid -eq '6476f55e-e5eb-4462-a095-f2cb585d648d'"
You can find the GUID of archive mailboxes by running this command:
Get-Mailbox -Archive | Format-Table -Auto Name,ArchiveGUID

ArchiveName msExchArchiveName Get-Mailbox String (wildcards accepted) or This filter requires the name of the
Get-MailUser $null archive mailbox. For example,
Get-RemoteMailbox Get-Mailbox -Filter
"ArchiveName -like 'In-Place
Archive*'"
.
You can find the names of archive
mailboxes by running this
command:
Get-Mailbox -Archive |
Format-Table -Auto
Name,ArchiveName
.

ArchiveQuota
LDAP display name: msExchArchiveQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
Get-Mailbox -Filter "ArchiveQuota -eq 'Unlimited'"
or
Get-Mailbox -Filter "ArchiveQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
Get-Mailbox | where {$_.ArchiveQuota -<Operator> '<Size>'}
For example,
Get-Mailbox | where {$_.ArchiveQuota -gt '85GB'}

ArchiveRelease msExchArchiveRelease Get-Mailbox None , E14 , E15 , or $null . For example,


Get-MailUser Get-Recipient -Filter
Get-Recipient 'ArchiveRelease -ne $null'
Get-RemoteMailbox .
Get-User

ArchiveState
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient, Get-RemoteMailbox
Value: None (0), Local (1), HostedProvisioned (2), HostedPending (3), or OnPremise (4).
Comments: For example,
Get-Recipient -Filter "ArchiveState -eq 'HostedProvisioned'"

ArchiveStatus msExchArchiveStatus Get-Mailbox None (0) or Active (1). For example,


Get-MailUser Get-Recipient -Filter
Get-Recipient "ArchiveStatus -eq 'Active'"
Get-RemoteMailbox .

ArchiveWarningQuota
LDAP display name: msExchArchiveWarnQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
Get-Mailbox -Filter "ArchiveWarningQuota -eq 'Unlimited'"
or
Get-Mailbox -Filter "ArchiveWarningQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
Get-Mailbox | where {$_.ArchiveWarningQuota -<Operator> '<Size>'}
For example,
Get-Mailbox | where {$_.ArchiveWarningQuota -gt '85GB'}

AssistantName msExchAssistantName Get-Contact String (wildcards accepted) or For example,


Get-LinkedUser $null Get-User -Filter
Get-User "AssistantName -like
'Julia*'"
.

AuditEnabled msExchMailboxAuditEnable Get-Mailbox Boolean ( $true or $false ) For example,


Get-Mailbox -Filter
'AuditEnabled -eq $true'
.

AuditLogAgeLimit
LDAP display name: msExchMailboxAuditLogAgeLimit
Available on cmdlets: Get-Mailbox, Get-UnifiedGroup
Value: A time span value: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.
Comments: You can't use the Filter parameter to look for time span values for this property. Instead, use this syntax:
Get-Mailbox | where {$_.AuditLogAgeLimit -<Operator> '<TimeSpan>'}
For example,
Get-Mailbox | where {$_.AuditLogAgeLimit -gt '60.00:00:00'}

BlockedSendersHash msExchBlockedSendersHash Get-Recipient Blank ( $null ) or a hashed value. Realistically, you can only use this
value to filter on blank or non-
blank values. For example,
Get-Recipient -Filter
'BlockedSendersHash -ne
$null'.

c
LDAP display name: c
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-SecurityPrincipal, Get-User
Value: String (wildcards accepted) or $null
Comments: This filter requires the ISO 3166-1 two-letter country code for the user (for example, US for the United States). This property is used together with the co and countryCode properties to define the user's country in Active Directory. For example,
Get-User -Filter "c -eq 'US'"

CalendarLoggingQuota
LDAP display name: msExchCalendarLoggingQuota
Available on cmdlets: Get-Mailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
Get-Mailbox -Filter "CalendarLoggingQuota -eq 'Unlimited'"
or
Get-Mailbox -Filter "CalendarLoggingQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
Get-Mailbox | where {$_.CalendarLoggingQuota -<Operator> '<Size>'}
For example,
Get-Mailbox | where {$_.CalendarLoggingQuota -gt '10GB'}

CalendarRepairDisabled msExchCalendarRepairDisabled Get-Mailbox Boolean ( $true or $false ) For example,


Get-Mailbox -Filter
'CalendarRepairDisabled -eq
$true'
.

CertificateSubject n/a Get-LinkedUser String or $null The X509 certificate that's


Get-User published for the user account
(visible on the Published
Certificates tab in Active Directory
Users and Computers).
For example,
Get-User -Filter "CertificateSubject -eq 'X509:
<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US
Smith
')

City l Get-Contact String (wildcards accepted) or For example,


Get-LinkedUser $null Get-User -Filter "City -eq
Get-Recipient 'Redmond'"
Get-User .

Company company Get-Contact String (wildcards accepted) or For example,


Get-LinkedUser $null Get-User -Filter "Company -
Get-Recipient like 'Contoso*'"
Get-User .

ComplianceTagHoldApplied n/a Get-Mailbox Boolean ( $true or $false ) For example,


Get-MailUser Get-Mailbox -Filter
'ComplianceTagHoldApplied -eq
$true'
.

ConsumerNetID n/a Get-LinkedUser String or $null For example,


Get-User Get-User -Filter
'ConsumerNetID -ne $null'
.

CountryCode countryCode Get-Contact Integer This filter requires the ISO 3166-1
Get-LinkedUser three-digit country code for the
Get-Recipient user (for example, 840 for the
Get-SecurityPrincipal United States). This property is
Get-User used together with the c and co
properties to define the user's
country in Active Directory.
For example,
Get-User -Filter "countryCode
-eq 796"
.

CountryOrRegion co Get-Contact String This filter requires the ISO 3166-1


Get-LinkedUser country name for the user (for
Get-Recipient example, United States ). You
Get-SecurityPrincipal can select an available value in
Get-User Active Directory Users and
Computers ( Address tab >
Country/region field), or the
Exchange admin center (user
properties > Contact information
tab > Country/Region field).
When you select a user's country in
Active Directory Users and
Computers or the EAC, the
corresponding values for the co
and countryCode properties are
automatically configured.
For example,
Get-User -Filter
"CountryOrRegion -like
'United*'"
.

CustomAttribute1 to CustomAttribute15
LDAP display name: extensionAttribute1 to extensionAttribute15
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Recipient -Filter "CustomAttribute8 -like '*audited*'"

Database homeMDB Get-Mailbox String This filter requires the distinguished


Get-Recipient name of the mailbox database. For
example,
Get-Mailbox -Filter "Database -eq 'CN=MBX
DB02,CN=Databases,CN=Exchange Administrative Group
(FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of mailbox databases by
running this command:
Get-MailboxDatabase | Format-
List Name,DistinguishedName
.

DefaultPublicFolderMailbox msExchPublicFolderMailbox Get-Mailbox String or $null This filter requires the distinguished
name or canonical distinguished
name of the public folder mailbox.
For example,
Get-Mailbox -Filter
"DefaultPublicFolderMailbox -eq 'CN=PF
Mailbox01,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"DefaultPublicFolderMailbox -
eq 'contoso.com/Users/PF
Mailbox01'"
.
To find the distinguished names of
public folder mailboxes, run this
command:
Get-Mailbox -PublicFolder |
Format-List
Name,DistinguishedName
.

DeletedItemFlags
LDAP display name: deletedItemFlags
Available on cmdlets: Get-Mailbox, Get-SecurityPrincipal
Value: DatabaseDefault (0), RetainUntilBackupOrCustomPeriod (3), or RetainForCustomPeriod (5).
Comments: For example,
Get-Mailbox -Filter "DeletedItemFlags -ne 'DatabaseDefault'"

DeliverToMailboxAndForward deliverAndRedirect Get-Mailbox Boolean ( $true or $false ) For example,


Get-MailPublicFolder Get-Mailbox -Filter
Get-MailUser 'DeliverToMailboxAndForward -
eq $true'
Get-MailPublicFolder
.

Department department Get-Contact String (wildcards accepted) or For example,


Get-LinkedUser $null Get-Recipient -Filter
Get-Recipient "Department -like
'Engineering*'"
Get-User
.

DirectReports directReports Get-Contact String or $null This filter requires the distinguished
Get-LinkedUser name or canonical distinguished
Get-User name of the direct report. For
example,
Get-User -Filter "DirectReports -eq
'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-User -Filter
"DirectReports -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
direct report, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.

DisabledArchiveDatabase
LDAP display name: msExchDisabledArchiveDatabaseLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the disabled archive mailbox database. For example,
Get-Mailbox -Filter "DisabledArchiveDatabase -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
Get-MailboxDatabase | Format-List Name,DistinguishedName

DisabledArchiveGuid
LDAP display name: msExchDisabledArchiveDatabaseGUID
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the GUID of the disabled archive mailbox. For example,
Get-Mailbox -Filter "DisabledArchiveGuid -eq '6476f55e-e5eb-4462-a095-f2cb585d648d'"
You can find the GUID of archive mailboxes by running this command:
Get-Mailbox -Archive | Format-Table -Auto Name,ArchiveGUID

DisplayName displayName Get-CASMailbox String (wildcards accepted) For example,


Get-Contact Get-Recipient -Filter
Get-DistributionGroup "DisplayName -like 'Julia*'"
Get-DynamicDistributionGroup .
Get-Group
Get-LinkedUser
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup

DistinguishedName
LDAP display name: distinguishedName
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: This filter requires the distinguished name of the recipient. For example,
Get-Mailbox -Filter "DistinguishedName -eq 'CN=Basho Kato,CN=Users,DC=contoso,DC=com'"
You can find the distinguished names of recipients by running this command:
Get-Recipient | Format-List Name,RecipientType,DistinguishedName

EcpEnabled n/a Get-CASMailbox Boolean ( $true or $false ) For example,


Get-CASMailbox -Filter
'EcpEnabled -eq $false'
.

EmailAddresses
LDAP display name: proxyAddresses
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example,
Get-Recipient -Filter "EmailAddresses -like '*marketing*'"
When you use a complete email address, you don't need to account for the smtp: prefix. If you use wildcards, you do. For example, if
"EmailAddresses -eq 'lila@fabrikam.com'"
returns a match,
"EmailAddresses -like 'lila*'"
won't return a match, but
"EmailAddresses -like '*lila*'"
or
"EmailAddresses -like 'smtp:lila*'"
will return a match.
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

EmailAddressPolicyEnabled n/a Get-DistributionGroup Boolean ( $true or $false ) For example,


Get-DynamicDistributionGroup Get-Recipient -Filter
Get-Mailbox 'EmailAddressPolicyEnabled -
eq $false'
Get-MailContact
Get-MailPublicFolder .
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-UnifiedGroup

EntryId msExchPublicFolderEntryId Get-MailPublicFolder String (wildcards accepted) For example,


Get-MailPublicFolder -Filter
"EntryId -like '*60000'"
.
You can find the entry IDs of mail-
enabled public folders by running
this command:
Get-MailPublicFolder |
Format-List Name,EntryId
.

EwsApplicationAccessPolicy
LDAP display name: msExchEwsApplicationAccessPolicy
Available on cmdlets: Get-CASMailbox
Value: EnforceAllowList, EnforceBlockList, or $null
Comments: For example,
Get-CASMailbox -Filter 'EwsApplicationAccessPolicy -ne $null'

EwsEnabled msExchEwsEnabled Get-CASMailbox 0 (disabled), 1 (enabled) or $null . For example,


Get-CASMailbox -Filter
"EwsEnabled -eq 1"
.

ExchangeGuid
LDAP display name: msExchMailboxGuid
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String
Comments: For example,
Get-Mailbox -Filter "ExchangeGuid -eq 'c80a753d-bd4a-4e19-804a-6344d833ecd8'"
To find the Exchange GUID of a recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,ExchangeGuid
Note that an object's Exchange GUID value is different than its GUID value. Also, the Exchange GUID value for non-mailboxes (mail contacts, mail users, distribution groups, dynamic distribution groups, mail-enabled security groups, and mail-enabled public folders) is 00000000-0000-0000-0000-000000000000.

ExchangeUserAccountControl msExchUserAccountControl Get-Mailbox None (0) or AccountDisabled (2) For example,


Get-MailUser Get-Mailbox -Filter
Get-RemoteMailbox "ExchangeUserAccountControl -
eq 'AccountDisabled'"
.

ExchangeVersion
LDAP display name: msExchVersion
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User
Value: Integer
Comments: This property contains the earliest version of Exchange that you can use to manage the recipient. The property values that you see are different than the values that you need to use in the filter. To see the ExchangeVersion property values, run this command:
Get-Recipient | Format-Table Name,RecipientType,ExchangeVersion
For the Exchange 2010 value 0.10 (14.0.100.0), use the value 44220983382016 in the filter.
For the Exchange 2013 or Exchange 2016 value 0.20 (15.0.0.0), use the value 88218628259840 in the filter.
For example,
Get-Recipient -Filter "ExchangeVersion -lt 88218628259840"

ExpansionServer msExchExpansionServerName Get-DistributionGroup String (wildcards accepted) or For example,


Get-DynamicDistributionGroup $null Get-Recipient -Filter
Get-Recipient "ExpansionServer -like
'*Mailbox01'"
.
For an exact match, you need to
use the ExchangeLegacyDN value
of the server. For example,
Get-Recipient -Filter "ExpansionServer -eq '/o=Contoso
Corporation/ou=Exchange Administrative Group
(FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Mailbox01
You can find the
ExchangeLegacyDN value by
running this command:
Get-ExchangeServer | Format-
List Name,ExchangeLegacyDN
.

ExtensionCustomAttribute1 to msExchExtensionCustomAttribute1 Get-DistributionGroup String (wildcards accepted) or For example,


ExtensionCustomAttribute5 to Get-DynamicDistributionGroup $null Get-Recipient -Filter
msExchExtensionCustomAttribute5 Get-Mailbox "ExtensionCustomAttribute8 -
like '*audited*'"
Get-MailContact
Get-MailPublicFolder .
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-UnifiedGroup

ExternalDirectoryObjectId msExchExternalDirectoryObjectId Get-DistributionGroup String or $null For example,


Get-DynamicDistributionGroup Get-Recipient -Filter
Get-LinkedUser 'ExternalDirectoryObjectId -
ne $null'
Get-Mailbox
Get-MailContact .
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-User
Get-UnifiedGroup

ExternalEmailAddress targetAddress Get-MailContact String (wildcards accepted) or For example,


Get-MailPublicFolder $null Get-Recipient -Filter
Get-MailUser "ExternalEmailAddress -like
'*@fabrikam.com'"
Get-Recipient
.
When you use a complete email
address, you don't need to account
for the smtp: prefix. If you use
wildcards, you do. For example, if
"ExternalEmailAddress -eq
'lila@fabrikam.com'"
returns a match,
"ExternalEmailAddress -like
'lila*'"
won't return a match, but
"ExternalEmailAddress -like
'*lila*'"
or
"ExternalEmailAddress -like
'smtp:lila*'"
will return a match.

ExternalOofOptions msExchExternalOOFOptions Get-Mailbox External (0) or InternalOnly For example,


(1) Get-Mailbox -Filter
"ExternalOofOptions -eq
'External'"
.

Fax facsimileTelephoneNumber Get-Contact String (wildcards accepted) or For example,


Get-LinkedUser $null Get-User -Filter "Fax -like
Get-User '206*'"
.

FirstName givenName Get-Contact String (wildcards accepted) or For example,


Get-LinkedUser $null Get-User -Filter "FirstName -
Get-Recipient like 'Chris*'"
Get-User .

ForwardingAddress altRecipient Get-Mailbox String or $null This filter requires the distinguished
Get-MailPublicFolder name or canonical distinguished
Get-MailUser name of the forwarding recipient.
Get-RemoteMailbox For example,
Get-Mailbox -Filter
"ForwardingAddress -eq 'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"ForwardingAddress -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
forwarding recipient, replace
<RecipientIdentity> with the
name, alias, or email address of the
recipient, and run this command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.

ForwardingSmtpAddress msExchGenericForwardingAddress Get-Mailbox String (wildcards accepted) or For example,


$null Get-Mailbox -Filter
"ForwardingSmtpAddress -like
'*@fabrikam.com'"
.
When you use a complete email
address, you don't need to account
for the smtp: prefix. If you use
wildcards, you do. For example, if
"ForwardingSmtpAddress -eq
'lila@fabrikam.com'"
returns a match,
"ForwardingSmtpAddress -like
'lila*'"
won't return a match, but
"ForwardingSmtpAddress -like
'*lila*'"
or
"ForwardingSmtpAddress -like
'smtp:lila*'"
will return a match.

GeneratedOfflineAddressBooks msExchOABGeneratingMailboxBL Get-Mailbox String or $null This property is only meaningful on


arbitration mailboxes, so you need
to use the Arbitration switch in the
filter command. Also, this filter
requires the distinguished name of
the offline address book. For
example,
Get-Mailbox -Arbitration -Filter
"GeneratedOfflineAddressBooks -eq 'CN=OAB 1,CN=Offline
Address Lists,CN=Address Lists Container,CN=Contoso
Corporation,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
.
You can find the distinguished
names of offline address books by
running this command:
Get-OfflineAddressBook |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.

GrantSendOnBehalfTo publicDelegates Get-DistributionGroup String or $null This filter requires the distinguished
Get-DynamicDistributionGroup name or canonical distinguished
Get-Mailbox name of the mail-enabled security
Get-MailContact principal (mailbox, mail user, or
Get-MailPublicFolder mail-enabled security group). For
Get-MailUser example,
Get-RemoteMailbox Get-Mailbox -Filter
Get-UnifiedGroup "GrantSendOnBehalfTo -eq 'CN=Angela
Gruber,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter
"GrantSendOnBehalfTo -eq
'contoso.com/Users/Angela
Gruber'"
.
To find the distinguished name of a
mail-enabled security principal,
replace <RecipientIdentity> with
the name, alias, or email address of
the recipient, and run this
command:
Get-Recipient -Identity "
<RecipientIdentity>" |
Format-List
Name,DistinguishedName
.
Although this is a multivalued
property, the filter will return a
match if the property contains the
specified value.

GroupMemberCount n/a Get-UnifiedGroup Integer For example,


Get-UnifiedGroup -Filter
"GroupMemberCount -gt 100"
.

GroupExternalMemberCount n/a Get-UnifiedGroup Integer For example,


Get-UnifiedGroup -Filter
"GroupExternalMemberCount -gt
0"
.

GroupType
LDAP display name: groupType
Available on cmdlets: Get-DistributionGroup, Get-Group, Get-UnifiedGroup
Value: None (0), Global (2), DomainLocal (4), BuiltinLocal (5), Universal (8), or SecurityEnabled (-2147483648).
Comments: Distribution groups have the value Universal, and mail-enabled security groups have the value Universal, SecurityEnabled. You can specify multiple values separated by commas, and the order doesn't matter. For example,
Get-DistributionGroup -Filter "GroupType -eq 'Universal,SecurityEnabled'"
returns the same results as
Get-DistributionGroup -Filter "GroupType -eq 'SecurityEnabled,Universal'"
This multivalued property will only return a match if the property equals the specified value.

Guid
LDAP display name: objectGuid
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: For example,
Get-Recipient -Filter "Guid -eq '8a68c198-be28-4a30-83e9-bffb760c65ba'"
You can find the GUIDs of recipients by running this command:
Get-Recipient | Format-List Name,RecipientType,Guid
Note that an object's GUID value is different than its Exchange GUID value.

HasActiveSyncDevicePartnership
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Recipient
Value: Boolean ($true or $false)
Comments: For example,
    Get-Recipient -Filter 'HasActiveSyncDevicePartnership -eq $true'

HiddenFromAddressListsEnabled
LDAP display name: msExchHideFromAddressLists
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-Recipient -Filter 'HiddenFromAddressListsEnabled -eq $true'

HiddenGroupMembershipEnabled
LDAP display name: hideDLMembership
Available on cmdlets: Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-UnifiedGroup -Filter 'HiddenGroupMembershipEnabled -eq $true'

HomePhone
LDAP display name: homePhone
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "HomePhone -like '206*'"

Id
LDAP display name: distinguishedName
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-User, Get-SecurityPrincipal, Get-UnifiedGroup
Value: String
Comments: This filter requires the distinguished name or canonical distinguished name of the recipient. For example,
    Get-Mailbox -Filter "Id -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "Id -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName

IgnoreMissingFolderLink
LDAP display name: n/a
Available on cmdlets: Get-MailPublicFolder
Value: Boolean ($true or $false)
Comments: For example,
    Get-MailPublicFolder -Filter 'IgnoreMissingFolderLink -eq $true'

ImapEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-CASMailbox -Filter 'ImapEnabled -eq $false'

ImmutableId
LDAP display name: msExchGenericImmutableId
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: For example,
    Get-Mailbox -Filter 'ImmutableId -ne $null'

IncludeInGarbageCollection
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IncludeInGarbageCollection -eq $true'

Initials
LDAP display name: initials
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "Initials -like 'B.'"

InPlaceHolds
LDAP display name: msExchUserHoldPolicies
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String
Comments: This filter requires the InPlaceHoldIdentity value of the mailbox search. For example,
    Get-Mailbox -Filter "InPlaceHolds -eq '9d0f81154cc64c6b923ecc0be5ced0d7'"
To find the InPlaceHoldIdentity values of mailbox searches, run this command:
    Get-MailboxSearch | Format-Table Name,InPlaceHoldIdentity
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

InPlaceHoldsRaw
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-User
Value: String
Comments: This filter requires the InPlaceHoldIdentity value of the mailbox search. For example,
    Get-Mailbox -Filter "InPlaceHoldsRaw -eq '9d0f81154cc64c6b923ecc0be5ced0d7'"
To find the InPlaceHoldIdentity values of mailbox searches, run this command:
    Get-MailboxSearch | Format-Table Name,InPlaceHoldIdentity
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

IsDirSynced
LDAP display name: msExchIsMSODirsynced
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailUser, Get-RemoteMailbox, Get-User, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-User -Filter 'IsDirSynced -eq $true'

IsExcludedFromServingHierarchy
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsExcludedFromServingHierarchy -eq $true'

IsHierarchyReady
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsHierarchyReady -eq $false'

IsHierarchySyncEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsHierarchySyncEnabled -eq $false'

IsInactiveMailbox
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsInactiveMailbox -eq $false'

IsLinked
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-User
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsLinked -eq $true'

IsMailboxEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsMailboxEnabled -eq $false'

IsResource
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsResource -eq $true'

IsSecurityPrincipal
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-User
Value: Boolean ($true or $false)
Comments: For example,
    Get-User -Filter 'IsSecurityPrincipal -eq $false'

IsShared
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsShared -eq $true'

IsSoftDeletedByDisable
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsSoftDeletedByDisable -eq $true'

IsSoftDeletedByRemove
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'IsSoftDeletedByRemove -eq $true'

IssueWarningQuota
LDAP display name: mDBStorageQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "IssueWarningQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "IssueWarningQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.IssueWarningQuota -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.IssueWarningQuota -lt '50GB'}

JournalArchiveAddress
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String
Comments: This property uses an SMTP email address. For example,
    Get-Mailbox -Filter "JournalArchiveAddress -eq 'michelle@contoso.com'"

LanguagesRaw
LDAP display name: msExchUserCulture
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: This property is named Languages in the properties of a mailbox, and it contains the language preference for the mailbox in the format
    <ISO 639 two-letter culture code>-<ISO 3166 two-letter subculture code>
For example, United States English is en-US. For more information, see CultureInfo Class.
You can specify multiple values separated by commas, but the order matters. For example,
    Get-Mailbox -Filter "LanguagesRaw -eq 'en-US,es-MX'"
returns different results than
    Get-Mailbox -Filter "LanguagesRaw -eq 'es-MX,en-US'"
For single values, this multivalued property will return a match if the property contains the specified value.

LastExchangeChangedTime
LDAP display name: msExchLastExchangeChangedTime
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: A date/time value or $null
Comments: For example,
    Get-Mailbox -Filter 'LastExchangeChangedTime -ne $null'

LegacyExchangeDN
LDAP display name: legacyExchangeDN
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example,
    Get-User -Filter "LegacyExchangeDN -like '*-Osca'"
You can find LegacyExchangeDN values for users by running this command:
    Get-User | Format-List Name,LegacyExchangeDN

LitigationHoldDate
LDAP display name: msExchLitigationHoldDate
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A date/time value or $null
Comments: For example,
    Get-Mailbox -Filter "LitigationHoldDate -gt '8/13/2017'"

LitigationHoldEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'LitigationHoldEnabled -eq $true'

LitigationHoldOwner
LDAP display name: msExchLitigationHoldOwner
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: This property uses the user principal name of the litigation hold owner. For example,
    Get-Mailbox -Filter "LitigationHoldOwner -eq 'agruber@contoso.com'"

LastName
LDAP display name: sn
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "LastName -like 'Martin*'"

MailboxContainerGUID
LDAP display name: msExchMailboxContainerGuid
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: For example,
    Get-Mailbox -Filter 'MailboxContainerGUID -ne $null'

MailboxMoveBatchName
LDAP display name: msExchMailboxMoveBatchName
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: This property includes the name of the migration batch. For example,
    Get-Mailbox -Filter "MailboxMoveBatchName -like '*LocalMove 01*'"
You can find the names of migration batches by running the Get-MigrationBatch command. Note that migration batches that you create in the Exchange admin center use the naming convention
    MigrationService:<MigrationBatchName>

MailboxMoveFlags
LDAP display name: msExchMailboxMoveFlags
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: For valid values, see the description of the Flags parameter in Get-MoveRequest.
Comments: For example,
    Get-Mailbox -Filter "MailboxMoveFlags -ne 'None'"
You can specify multiple values separated by commas, and the order doesn't matter. For example,
    Get-Recipient -Filter "MailboxMoveFlags -eq 'IntraOrg,Pull'"
returns the same results as
    Get-Recipient -Filter "MailboxMoveFlags -eq 'Pull,IntraOrg'"
This multivalued property will only return a match if the property equals the specified value.

MailboxMoveRemoteHostName
LDAP display name: msExchMailboxMoveRemoteHostName
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: For example,
    Get-Mailbox -Filter 'MailboxMoveRemoteHostName -ne $null'

MailboxMoveSourceMDB
LDAP display name: msExchMailboxMoveSourceMDBLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the source mailbox database. For example,
    Get-Mailbox -Filter "MailboxMoveSourceMDB -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

MailboxMoveStatus
LDAP display name: msExchMailboxMoveStatus
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: For valid values, see the description of the MoveStatus parameter in Get-MoveRequest.
Comments: For example,
    Get-Mailbox -Filter "MailboxMoveStatus -eq 'Completed'"

MailboxMoveTargetMDB
LDAP display name: msExchMailboxMoveTargetMDBLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the target mailbox database. For example,
    Get-Mailbox -Filter "MailboxMoveTargetMDB -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

MailboxPlan
LDAP display name: msExchParentPlanLink
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: Mailbox plans correspond to Office 365 license types. The availability of a license plan is determined by the selections that you make when you enroll your domain. For example,
    Get-Mailbox -Filter 'MailboxPlan -ne $null'

MailboxRelease
LDAP display name: msExchMailboxRelease
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-User
Value: None, E14, E15, or $null.
Comments: For example,
    Get-Recipient -Filter 'MailboxRelease -ne $null'

MailTipTranslations
LDAP display name: msExchSenderHintTranslations
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: When you use this property in a filter, you need to account for the leading and trailing HTML tags. For example,
    Get-DistributionGroup -Filter "MailTipTranslations -like '*is not monitored.*'"

ManagedBy
LDAP display name: managedBy
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-Recipient, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group owner (a mail-enabled security principal, which is a mailbox, mail user, or mail-enabled security group). For example,
    Get-Mailbox -Filter "ManagedBy -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "ManagedBy -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a mail-enabled security principal, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

ManagedFolderMailboxPolicy
LDAP display name: msExchMailboxTemplateLink
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: Managed folder mailbox policies aren't available in Exchange 2013 or later. For example,
    Get-Mailbox -Filter 'ManagedFolderMailboxPolicy -eq $null'
This filter requires the distinguished name of the managed folder mailbox policy. For example,
    Get-Mailbox -Filter "ManagedFolderMailboxPolicy -eq 'CN=MFM Inbox Policy,CN=ELC Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of managed folder mailbox policies on Exchange 2010 servers by running this command:
    Get-ManagedFolderMailboxPolicy | Format-List Name,DistinguishedName

Manager
LDAP display name: manager
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the manager (a mailbox or mail user). For example,
    Get-User -Filter "Manager -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "Manager -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a manager, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName

MAPIEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-CASMailbox -Filter 'MAPIEnabled -eq $false'

MasterAccountSid
LDAP display name: msExchMasterAccountSid
Available on cmdlets: Get-Mailbox, Get-LinkedUser, Get-Recipient, Get-SecurityPrincipal, Get-User
Value: String or $null
Comments: For example,
    Get-Mailbox -Filter 'MasterAccountSid -ne $null'
This value is blank ($null) for mailboxes with associated user accounts, and S-1-5-10 (Self) for mailboxes without associated user accounts (for example, shared mailboxes, resource mailboxes, discovery search mailboxes, arbitration mailboxes, and public folder mailboxes).

MaxBlockedSenders
LDAP display name: msExchMaxBlockedSenders
Available on cmdlets: Get-Mailbox
Value: Integer or $null
Comments: For example,
    Get-Mailbox -Filter "MaxBlockedSenders -gt 0"

MaxReceiveSize
LDAP display name: delivContLength
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: A byte quantified size value (for example, 75MB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "MaxReceiveSize -eq 'Unlimited'"
or
    Get-Mailbox -Filter "MaxReceiveSize -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.MaxReceiveSize -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.MaxReceiveSize -gt '50GB'}

MaxSafeSenders
LDAP display name: msExchMaxSafeSenders
Available on cmdlets: Get-Mailbox
Value: Integer or $null
Comments: For example,
    Get-Mailbox -Filter "MaxSafeSenders -gt 0"

MaxSendSize
LDAP display name: submissionContLength
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: A byte quantified size value (for example, 75MB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "MaxSendSize -eq 'Unlimited'"
or
    Get-Mailbox -Filter "MaxSendSize -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.MaxSendSize -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.MaxSendSize -gt '50GB'}

MemberDepartRestriction
LDAP display name: msExchGroupDepartRestriction
Available on cmdlets: Get-DistributionGroup
Value: Closed (0), Open (1), or ApprovalRequired (2).
Comments: For example,
    Get-DistributionGroup -Filter "MemberDepartRestriction -eq 'ApprovalRequired'"

MemberJoinRestriction
LDAP display name: msExchGroupDepartRestriction
Available on cmdlets: Get-DistributionGroup
Value: Closed (0), Open (1), or ApprovalRequired (2).
Comments: For example,
    Get-DistributionGroup -Filter "MemberJoinRestriction -eq 'ApprovalRequired'"

MemberOfGroup
LDAP display name: memberOf
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the distribution group or mail-enabled security group. For example,
    Get-User -Filter "MemberOfGroup -eq 'CN=Marketing Department,CN=Users,DC=contoso,DC=com'"
or
    Get-User -Filter "MemberOfGroup -eq 'contoso.com/Users/Marketing Group'"
To find the distinguished name of a group, replace <GroupIdentity> with the name, alias, or email address of the group, and run this command:
    Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

Members
LDAP display name: member
Available on cmdlets: Get-DistributionGroup, Get-Group, Get-Recipient, Get-SecurityPrincipal
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group member. For example,
    Get-Group -Filter "Members -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-User -Filter "Members -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a group member, replace <RecipientIdentity> with the name, alias, or email address of the group member, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

MobilePhone
LDAP display name: mobile
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "MobilePhone -like '*5555'"

ModeratedBy
LDAP display name: msExchModeratedByLink
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String
Comments: This filter requires the distinguished name or canonical distinguished name of the group moderator (a mail-enabled security principal, which is a mailbox, mail-user, or mail-enabled security group). For example,
    Get-DistributionGroup -Filter "ModeratedBy -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-DistributionGroup -Filter "ModeratedBy -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a mail-enabled security principal, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

ModerationEnabled
LDAP display name: msExchEnableModeration
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-DistributionGroup -Filter 'ModerationEnabled -eq $true'

Name
LDAP display name: name
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example,
    Get-User -Filter "Name -like 'Laura*'"

NetID
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-User
Value: String or $null
Comments: This property is populated for Office 365 mailboxes in hybrid environments. A sample value is 1003BFFD9A0CFA03. For example,
    Get-User -Filter 'NetId -ne $null'

Notes
LDAP display name: info
Available on cmdlets: Get-Contact, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Recipient, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "Notes -like '*Events Team*'"

ObjectCategory
LDAP display name: objectCategory
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: This filter requires the canonical distinguished name of the object. The value uses the syntax
    <domain>/Configuration/Schema/<Type>
Valid <Type> values are: Person for mailboxes, mail users, and mail contacts, Group for distribution groups, mail-enabled security groups and Office 365 groups, ms-Exch-Public-Folder for mail-enabled public folders, and ms-Exch-Dynamic-Distribution-List for dynamic distribution groups. For example,
    Get-Recipient -Filter "ObjectCategory -eq 'contoso.com/Configuration/Schema/Group'"

ObjectClass
LDAP display name: objectClass
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: The value of this property is
    top, person, organizationalPerson, user
for mailboxes and mail users,
    top, person, organizationalPerson, contact
for mail contacts,
    top, group
for distribution groups, mail-enabled security groups and Office 365 groups,
    msExchDynamicDistributionList
for dynamic distribution groups and
    top, publicFolder
for mail-enabled public folders. For example,
    Get-Recipient -Filter "ObjectClass -eq 'Contact'"
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

Office
LDAP display name: physicalDeliveryOfficeName
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Mailbox, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "Office -like '22*'"

OfflineAddressBook
LDAP display name: msExchUseOAB
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name of the offline address book. For example,
    Get-Mailbox -Arbitration -Filter "OfflineAddressBook -eq 'CN=OAB 1,CN=Offline Address Lists,CN=Address Lists Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of offline address books by running this command:
    Get-OfflineAddressBook | Format-List Name,DistinguishedName

OnPremisesObjectId
LDAP display name: n/a
Available on cmdlets: Get-MailPublicFolder
Value: String or $null
Comments: For example,
    Get-MailPublicFolder -Filter 'OnPremisesObjectId -ne $null'

OperatorNumber
LDAP display name: msExchUMOperatorNumber
Available on cmdlets: Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-UMMailbox -Filter "OperatorNumber -eq 5"

OtherFax
LDAP display name: otherFacsimileTelephoneNumber
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "OtherFax -like '206*'"

OtherHomePhone
LDAP display name: otherHomePhone
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "OtherHomePhone -like '206*'"

OtherTelephone
LDAP display name: otherTelephone
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "OtherTelephone -like '206*'"

OWAEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: The filter operates backwards. For example,
    Get-CASMailbox -Filter 'OWAEnabled -eq $true'
returns mailboxes where the OWAEnabled property is False, and
    Get-CASMailbox -Filter 'OWAEnabled -eq $false'
returns mailboxes where the OWAEnabled property is True.

OWAforDevicesEnabled
LDAP display name: msExchOmaAdminWirelessEnable
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-CASMailbox -Filter 'OWAForDevicesEnabled -eq $true'

OWAMailboxPolicy
LDAP display name: msExchOWAPolicy
Available on cmdlets: Get-CASMailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the Outlook on the web mailbox policy (formerly known as an Outlook Web App mailbox policy). For example,
    Get-CASMailbox -Filter "OWAMailboxPolicy -eq 'CN=Default,CN=OWA Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of Outlook on the web mailbox policies by running this command:
    Get-OwaMailboxPolicy | Format-List Name,DistinguishedName

Pager
LDAP display name: pager
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "Pager -like '206*'"

PersistedCapabilities
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: Typically, the value of this property is something other than $null (blank) for Office 365 accounts and mailboxes. For more information about the valid property values, see Capability enumeration. For example,
    Get-Mailbox -Filter 'PersistedCapabilities -ne $null'
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

Phone
LDAP display name: telephoneNumber
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "Phone -like '206*'"

PhoneProviderId
LDAP display name: msExchUMPhoneProvider
Available on cmdlets: Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-UMMailbox -Filter "PhoneProviderId -like '*206*'"

PhoneticDisplayName
LDAP display name: msDS-PhoneticDisplayName
Available on cmdlets: Get-Contact, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-MailPublicFolder, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "PhoneticDisplayName -like '*Lila*'"

PoliciesExcluded
LDAP display name: msExchPoliciesExcluded
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: For example,
    Get-Recipient -Filter 'PoliciesExcluded -ne $null'

PoliciesIncluded
LDAP display name: msExchPoliciesIncluded
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: For example,
    Get-Recipient -Filter 'PoliciesIncluded -eq $null'

PopEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-CASMailbox -Filter 'POPEnabled -eq $false'

PostalCode
LDAP display name: postalCode
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Recipient -Filter "PostalCode -eq 90210"

PostOfficeBox
LDAP display name: postOfficeBox
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "PostOfficeBox -like '*555*'"

PreviousRecipientTypeDetails
LDAP display name: msExchPreviousRecipientTypeDetails
Available on cmdlets: Get-LinkedUser, Get-User
Value: String or $null
Comments: For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient. For example,
    Get-User -Filter 'PreviousRecipientTypeDetails -ne $null'

PrimarySmtpAddress
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example,
    Get-Recipient -Filter "PrimarySMTPAddress -like 'vasil*'"

ProhibitSendQuota
LDAP display name: mDBOverQuotaLimit
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "ProhibitSendQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "ProhibitSendQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.ProhibitSendQuota -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.ProhibitSendQuota -lt '70GB'}

ProhibitSendReceiveQuota
LDAP display name: mDBOverHardQuotaLimit
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "ProhibitSendReceiveQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "ProhibitSendReceiveQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.ProhibitSendReceiveQuota -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.ProhibitSendReceiveQuota -lt '70GB'}

ProtocolSettings
LDAP display name: protocolSettings
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: The default value of this property on mailboxes is RemotePowerShell§1. This property is populated with additional values when you use Set-CASMailbox to disable protocols (for example, POP3 or IMAP4). For example,
    Get-Mailbox -Filter "ProtocolSettings -like '*POP3*'"

PublicFolderContacts
LDAP display name: pFContacts
Available on cmdlets: Get-MailPublicFolder
Value: String or $null
Comments: This property is displayed as Contacts in the results of the command
    Get-MailPublicFolder -Identity <PublicFolderIdentity> | Format-List
but you need to use the property name PublicFolderContacts in the filter.
This filter requires the distinguished name or canonical distinguished name of the public folder contact. For example,
    Get-MailPublicFolder -Filter "PublicFolderContacts -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-MailPublicFolder -Filter "PublicFolderContacts -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a public folder contact, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

QueryBaseDN
LDAP display name: msExchQueryBaseDN
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This property was used in Exchange 2007 global address list segregation to specify a location in Active Directory. This feature was replaced by address book policies in Exchange 2010 Service Pack 2, so the value of this property should always be blank ($null). For example,
    Get-Mailbox -Filter 'QueryBaseDN -ne $null'

RecipientContainer
LDAP display name: msExchDynamicDLBaseDN
Available on cmdlets: Get-DynamicDistributionGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the organizational unit or container in Active Directory. For example,
Get-DynamicDistributionGroup -Filter "RecipientContainer -eq 'CN=Users,DC=contoso,DC=com'"
or
Get-DynamicDistributionGroup -Filter "RecipientContainer -eq 'contoso.com/Users'"
To find the distinguished names or canonical distinguished names of organizational units and containers in Active Directory, run this command:
Get-OrganizationalUnit -IncludeContainers | Format-List Name,DistinguishedName,ID

RecipientLimits
LDAP display name: msExchRecipLimit
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: Integer or Unlimited
Comments: For example,
Get-Mailbox -Filter "RecipientLimits -ne 'Unlimited'"

RecipientType
LDAP display name: n/a
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-User, Get-UnifiedGroup
Value: DynamicDistributionGroup, MailContact, MailNonUniversalGroup, MailUniversalDistributionGroup, MailUniversalSecurityGroup, MailUser, PublicFolder or UserMailbox
Comments: For example,
Get-Recipient -Filter "RecipientType -eq 'MailContact'"

RecipientTypeDetails
LDAP display name: n/a
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-User, Get-UnifiedGroup
Value: String
Comments: For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient. For example,
Get-Recipient -Filter "RecipientTypeDetails -eq 'SharedMailbox'"

RecoverableItemsQuota
LDAP display name: msExchDumpsterQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
Get-Mailbox -Filter "RecoverableItemsQuota -eq 'Unlimited'"
or
Get-Mailbox -Filter "RecoverableItemsQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
Get-Mailbox | where {$_.RecoverableItemsQuota -<Operator> '<Size>'}
For example,
Get-Mailbox | where {$_.RecoverableItemsQuota -gt '35GB'}

RecoverableItemsWarningQuota
LDAP display name: msExchDumpsterWarningQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
Get-Mailbox -Filter "RecoverableItemsWarningQuota -eq 'Unlimited'"
or
Get-Mailbox -Filter "RecoverableItemsWarningQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
Get-Mailbox | where {$_.RecoverableItemsWarningQuota -<Operator> '<Size>'}
For example,
Get-Mailbox | where {$_.RecoverableItemsWarningQuota -gt '25GB'}

RejectMessagesFrom
LDAP display name: unauthOrig
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name of the individual recipient (a mailbox, mail user, or mail contact). For example,
Get-DistributionGroup -Filter "RejectMessagesFrom -eq 'CN=Yuudai Uchida,CN=Users,DC=contoso,DC=com'"
or
Get-DistributionGroup -Filter "RejectMessagesFrom -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of the individual recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

RejectMessagesFromDLMembers
LDAP display name: dLMemRejectPerms
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group (a distribution group, mail-enabled security group, or dynamic distribution group). For example,
Get-Mailbox -Filter "RejectMessagesFromDLMembers -eq 'CN=Marketing Department,CN=Users,DC=contoso,DC=com'"
or
Get-Mailbox -Filter "RejectMessagesFromDLMembers -eq 'contoso.com/Users/Marketing Department'"
To find the distinguished name of the group, replace <GroupIdentity> with the name, alias, or email address of the group, and run one of these commands:
Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
or
Get-DynamicDistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

RemoteAccountPolicy
LDAP display name: msExchSyncAccountsPolicyDN
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name of the remote account policy. For example,
Get-Mailbox -Filter "RemoteAccountPolicy -eq 'CN=Contoso Remote Account Policy,CN=Remote Accounts Policies Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"

RemotePowerShellEnabled
LDAP display name: n/a
Available on cmdlets: Get-User
Value: Boolean ($true or $false)
Comments: For example,
Get-User -Filter 'RemotePowerShellEnabled -eq $false'

RemoteRecipientType
LDAP display name: msExchRemoteRecipientType
Available on cmdlets: Get-Mailbox, Get-RemoteMailbox
Value: None (0), ProvisionMailbox (1), ProvisionArchive (2), Migrated (4), DeprovisionMailbox (8), DeprovisionArchive (16), RoomMailbox (32), EquipmentMailbox (64), SharedMailbox (96), TeamMailbox (128), or $null
Comments: For example,
Get-RemoteMailbox -Filter "RemoteRecipientType -eq 'ProvisionMailbox'"

ReportToManagerEnabled
LDAP display name: reportToOwner
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
Get-DistributionGroup -Filter 'ReportToManagerEnabled -eq $true'

ReportToOriginatorEnabled
LDAP display name: reportToOriginator
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
Get-DistributionGroup -Filter 'ReportToOriginatorEnabled -eq $false'

RequireAllSendersAreAuthenticated
LDAP display name: msExchRequireAuthToSendTo
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-SecurityPrincipal
Value: Boolean ($true or $false)
Comments: This property is displayed as RequireSenderAuthenticationEnabled in the results of the command
Get-<RecipientType> -Identity <RecipientIdentity> | Format-List
but you need to use the property name RequireAllSendersAreAuthenticated in the filter. For example,
Get-DistributionGroup -Filter 'RequireAllSendersAreAuthenticated -eq $false'

ResourceBehaviorOptions
LDAP display name: n/a
Available on cmdlets: Get-UnifiedGroup
Value: AllowOnlyMembersToPost, CalendarMemberReadOnly, ConnectorsEnabled, HideGroupInOutlook, NotebookForLearningCommunitiesEnabled, ReportToOriginator, SharePointReadonlyForMembers, SubscriptionEnabled, SubscribeMembersToCalendarEvents, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers, WelcomeEmailDisabled, WelcomeEmailEnabled, or $null
Comments: For example,
Get-UnifiedGroup -Filter "ResourceBehaviorOptions -eq 'CalendarMemberReadOnly'"

ResourceCapacity
LDAP display name: msExchResourceCapacity
Available on cmdlets: Get-Mailbox
Value: Integer or $null
Comments: For example,
Get-Mailbox -Filter "ResourceCapacity -gt 15"

ResourceCustom
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: You create custom resource properties by using the Set-ResourceConfig cmdlet. For example,
Set-ResourceConfig -ResourcePropertySchema Room/Whiteboard,Equipment/Van
After you create the properties, you can assign them to room or equipment mailboxes. For example,
Set-Mailbox -Identity "Conference Room 1" -ResourceCustom Whiteboard
When you search for values, use the custom resource property that's assigned to the room or equipment mailbox. For example,
Get-Mailbox -Filter "ResourceCustom -eq 'Whiteboard'"

ResourceProvisioningOptions
LDAP display name: n/a
Available on cmdlets: Get-UnifiedGroup
Value: Team or $null
Comments: For example,
Get-UnifiedGroup -Filter "ResourceProvisioningOptions -eq 'Team'"

ResourceType
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: Room (0), Equipment (1), or $null
Comments: For example,
Get-Mailbox -Filter "ResourceType -eq 'Equipment'"

RetainDeletedItemsFor
LDAP display name: garbageCollPeriod
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A time span value: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.
Comments: You can't use the Filter parameter to look for time span values for this property. Instead, use this syntax:
Get-Mailbox | where {$_.RetainDeletedItemsFor -<Operator> '<TimeSpan>'}
For example,
Get-Mailbox | where {$_.RetainDeletedItemsFor -gt '14.00:00:00'}

RetentionComment
LDAP display name: msExchRetentionComment
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter "RetentionComment -like '*7 years*'"

RetentionPolicy
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the retention policy. For example,
Get-Mailbox -Filter "RetentionPolicy -eq 'CN=Default MRM Policy,CN=Retention Policies Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of retention policies, run this command:
Get-RetentionPolicy | Format-List Name,DistinguishedName

RetentionUrl
LDAP display name: msExchRetentionURL
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter "RetentionUrl -like 'https://intranet.contoso.com/*'"

RoleAssignmentPolicy
LDAP display name: msExchRBACPolicyLink
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: This filter requires the distinguished name of the role assignment policy in Exchange Online. For example,
Get-Mailbox -Filter "RoleAssignmentPolicy -eq 'CN=Default Policy,CN=Policies,CN=RBAC,CN=Configuration,CN=contoso.onm
To find the distinguished names of role assignment policies in Exchange Online, run this command:
Get-RoleAssignmentPolicy | Format-List Name,DistinguishedName

RulesQuota
LDAP display name: msExchMDBRulesQuota
Available on cmdlets: Get-Mailbox
Value: A byte quantified size value (for example, 50B or 128KB). Unqualified values are treated as bytes.
Comments: You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
Get-Mailbox | where {$_.RulesQuota -<Operator> '<Size>'}
For example,
Get-Mailbox | where {$_.RulesQuota -lt '256KB'}

SafeRecipientsHash
LDAP display name: msExchSafeRecipientsHash
Available on cmdlets: Get-Recipient
Value: Blank ($null) or a hashed value.
Comments: Realistically, you can only use this value to filter on blank or non-blank values. For example,
Get-Recipient -Filter 'SafeRecipientsHash -ne $null'

SafeSendersHash
LDAP display name: msExchSafeSendersHash
Available on cmdlets: Get-Recipient
Value: Blank ($null) or a hashed value.
Comments: Realistically, you can only use this value to filter on blank or non-blank values. For example,
Get-Recipient -Filter 'SafeSendersHash -ne $null'

SamAccountName
LDAP display name: SamAccountName
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Recipient -Filter "SamAccountName -like '*laura*'"

SCLDeleteThresholdInt
LDAP display name: msExchMessageHygieneSCLDeleteThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLDeleteThreshold in the results of the command
Get-Mailbox -Identity <MailboxIdentity> | Format-List
but you need to use the property name SCLDeleteThresholdInt in the filter. For example,
Get-Mailbox -Filter "SCLDeleteThresholdInt -ge -2147483640"

SCLJunkThresholdInt
LDAP display name: msExchMessageHygieneSCLJunkThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLJunkThreshold in the results of the command
Get-Mailbox -Identity <MailboxIdentity> | Format-List
but you need to use the property name SCLJunkThresholdInt in the filter. For example,
Get-Mailbox -Filter "SCLJunkThresholdInt -ge -2147483645"

SCLQuarantineThresholdInt
LDAP display name: msExchMessageHygieneSCLQuarantineThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLQuarantineThreshold in the results of the command
Get-Mailbox -Identity <MailboxIdentity> | Format-List
but you need to use the property name SCLQuarantineThresholdInt in the filter. For example,
Get-Mailbox -Filter "SCLQuarantineThresholdInt -ge -2147483643"

SCLRejectThresholdInt
LDAP display name: msExchMessageHygieneSCLRejectThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLRejectThreshold in the results of the command
Get-Mailbox -Identity <MailboxIdentity> | Format-List
but you need to use the property name SCLRejectThresholdInt in the filter. For example,
Get-Mailbox -Filter "SCLRejectThresholdInt -ge -2147483641"

SendOofMessageToOriginatorEnabled
LDAP display name: oOFReplyToOriginator
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
Get-DistributionGroup -Filter 'SendOofMessageToOriginatorEnabled -eq $true'

ServerLegacyDN
LDAP display name: msExchHomeServerName
Available on cmdlets: Get-CASMailbox, Get-Mailbox, Get-Recipient, Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter "ServerLegacyDN -like '*Mailbox01'"
This is an example of a complete ServerLegacyDN value:
/o=Contoso Corporation/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Mailbox01

ServerName
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Mailbox, Get-Recipient, Get-UMMailbox
Value: String or $null
Comments: For example,
Get-Recipient -Filter "ServerName -eq 'Mailbox01'"

SharingPolicy
LDAP display name: msExchSharingPolicyLink
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the sharing policy. For example,
Get-Mailbox -Filter "SharingPolicy -eq 'CN=Custom Sharing Policy,CN=Federation,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of sharing policies, run this command:
Get-SharingPolicy | Format-List Name,DistinguishedName
Note: For the default assignment of the default sharing policy (named Default Sharing Policy) to a mailbox, the value of the SharingPolicy property is blank ($null).

Sid
LDAP display name: objectSid
Available on cmdlets: Get-Group, Get-LinkedUser, Get-SecurityPrincipal, Get-User
Value: String
Comments: For example,
Get-User -Filter "Sid -eq 's-1-5-21-3628364307-1600040346-819251021-2603'"

SidHistory
LDAP display name: SIDHistory
Available on cmdlets: Get-Group, Get-LinkedUser, Get-User
Value: String or $null
Comments: For example,
Get-User -Filter "SidHistory -eq 's-1-5-21-3628364307-1600040346-819251021-2603'"

SimpleDisplayName
LDAP display name: displayNamePrintable
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "SimpleDisplayName -like '*lila*'"

SingleItemRecoveryEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: Boolean ($true or $false)
Comments: For example,
Get-Mailbox -Filter 'SingleItemRecoveryEnabled -eq $true'

SKUAssigned
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-Recipient, Get-User
Value: Boolean ($true or $false) or $null.
Comments: For example,
Get-User -Filter 'SKUAssigned -eq $true'

SourceAnchor
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter 'SourceAnchor -ne $null'

StateOrProvince
LDAP display name: st
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "StateOrProvince -like '*Carolina'"

StreetAddress
LDAP display name: streetAddress
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "StreetAddress -like '*36th Ave NE*'"

StsRefreshTokensValidFrom
LDAP display name: msExchStsRefreshTokensValidFrom
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: A date/time value or $null
Comments: For example,
Get-User -Filter "StsRefreshTokensValidFrom -gt '8/1/2017'"

TelephoneAssistant
LDAP display name: telephoneAssistant
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "TelephoneAssistant -like '206*'"

ThrottlingPolicy
LDAP display name: msExchThrottlingPolicyDN
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name of the throttling policy. For example,
Get-Mailbox -Filter "ThrottlingPolicy -eq 'CN=Custom Throttling Policy,CN=Global Settings,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of throttling policies, run this command:
Get-ThrottlingPolicy | Format-List Name,DistinguishedName

Title
LDAP display name: title
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "Title -eq 'Dr.'"

UMAddresses
LDAP display name: msExchUMAddresses
Available on cmdlets: Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
Get-UMMailbox -Filter 'UMAddresses -ne $null'

UMCallingLineIds
LDAP display name: msExchUMCallingLineIds
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "UMCallingLineIds -like '123*'"
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

UMDtmfMap
LDAP display name: msExchUMDtmfMap
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UMMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter "UMDtmfMap -like '*26297*'"
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

UMEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient, Get-UMMailbox
Value: Boolean ($true or $false)
Comments: For example,
Get-Mailbox -Filter 'UMEnabled -eq $true'

UMMailboxPolicy
LDAP display name: msExchUMTemplateLink
Available on cmdlets: Get-Recipient, Get-UMMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the UM mailbox policy. For example,
Get-Recipient -Filter "UMMailboxPolicy -eq 'CN=Contoso Default Policy,CN=UM Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of UM mailbox policies, run this command:
Get-UMMailboxPolicy | Format-List Name,DistinguishedName

UMRecipientDialPlanId
LDAP display name: msExchUMRecipientDialPlanLink
Available on cmdlets: Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the UM dial plan. For example,
Get-Recipient -Filter "UMRecipientDialPlanId -eq 'CN=Contoso Dial Plan,CN=UM DialPlan Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of UM dial plans, run this command:
Get-UMDialPlan | Format-List Name,DistinguishedName

UpgradeRequest
LDAP display name: n/a
Available on cmdlets: Get-User
Value: None (0), TenantUpgrade (1), PrestageUpgrade (2), CancelPrestageUpgrade (3), PilotUpgrade (4), or TenantUpgradeDryRun (5).
Comments: For example,
Get-User -Filter "UpgradeRequest -ne 'None'"

UpgradeStatus
LDAP display name: n/a
Available on cmdlets: Get-User
Value: None (0), NotStarted (1), InProgress (2), Warning (3), Error (4), Cancelled (5), Complete (6), or ForceComplete (7).
Comments: For example,
Get-User -Filter "UpgradeStatus -ne 'None'"

UsageLocation
LDAP display name: msExchUsageLocation
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient
Value: String or $null
Comments: This filter requires the ISO 3166-1 country name (for example, United States), or two-letter country code (for example US) for the user in Office 365. For more information, see Country Codes - ISO 3166. For example,
Get-Recipient -Filter 'UsageLocation -ne $null'

UseDatabaseQuotaDefaults
LDAP display name: mDBUseDefaults
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
Get-Mailbox -Filter 'UseDatabaseQuotaDefaults -eq $false'

UserAccountControl
LDAP display name: userAccountControl
Available on cmdlets: Get-LinkedUser, Get-User
Value: AccountDisabled, DoNotExpirePassword, or NormalAccount
Comments: For example,
Get-User -Filter "UserAccountControl -eq 'NormalAccount'"
You can specify multiple values separated by commas, but the order matters. For example,
Get-User -Filter "UserAccountControl -eq 'AccountDisabled,NormalAccount'"
returns different results than
Get-User -Filter "UserAccountControl -eq 'NormalAccount,AccountDisabled'"
This multivalued property will only return a match if the property equals the specified value.

UserPrincipalName
LDAP display name: userPrincipalName
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: String (wildcards accepted)
Comments: For example,
Get-User -Filter "UserPrincipalName -like 'julia@*'"

VoiceMailSettings
LDAP display name: msExchUCVoiceMailSettings
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String or $null
Comments: For example,
Get-User -Filter 'VoiceMailSettings -ne $null'

WebPage
LDAP display name: wWWHomePage
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-User -Filter "WebPage -like 'https://intranet.contoso.com/*'"

WhenChanged
LDAP display name: WhenChanged
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value
Comments: For example,
Get-Recipient -Filter "WhenChanged -gt '8/1/2017 2:00:00 PM'"

WhenChangedUTC
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value in Coordinated Universal Time (UTC)
Comments: For example,
Get-Recipient -Filter "WhenChangedUTC -gt '8/1/2017 2:00:00 PM'"

WhenCreated
LDAP display name: whenCreated
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value
Comments: For example,
Get-Recipient -Filter "WhenCreated -gt '8/1/2017 2:00:00 PM'"

WhenCreatedUTC
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value in Coordinated Universal Time (UTC)
Comments: For example,
Get-Recipient -Filter "WhenCreatedUTC -gt '8/1/2017 2:00:00 PM'"

WhenMailboxCreated
LDAP display name: msExchWhenMailboxCreated
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: A date/time value
Comments: For example,
Get-Recipient -Filter "WhenMailboxCreated -gt '8/1/2017 2:00:00 PM'"

WhenSoftDeleted
LDAP display name: msExchWhenSoftDeletedTime
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value
Comments: This filter requires the SoftDeleted switch in the command for mailboxes. For example,
Get-Mailbox -SoftDeleted -Filter "WhenSoftDeleted -gt '8/1/2017 2:00:00 PM'"

WindowsEmailAddress
LDAP display name: mail
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter "WindowsEmailAddress -like '*@fabrikam.com'"

WindowsLiveID
LDAP display name: msExchWindowsLiveID
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
Get-Mailbox -Filter "WindowsLiveID -like '*@fabrikam.onmicrosoft.com'"

For more information


Exchange 2007 was the first version of Exchange that required OPATH filters instead of LDAP filters. For more information about converting LDAP filters to OPATH filters, see
the Microsoft Exchange Team Blog article, Need help converting your LDAP filters to OPATH?.
For more information about the syntax that can be used within OPATH filters, see Exchange cmdlet syntax.
Filterable properties for the RecipientFilter parameter
10/30/2019 • 16 minutes to read

You use the RecipientFilter parameter to create OPATH filters based on the properties of recipient objects in Exchange Server 2016 or later,
and Exchange Online. The RecipientFilter parameter is available in the following cmdlets:
New-AddressList and Set-AddressList
New-DynamicDistributionGroup and Set-DynamicDistributionGroup
New-EmailAddressPolicy and Set-EmailAddressPolicy
New-GlobalAddressList and Set-GlobalAddressList

Filterable recipient properties


The recipient properties that have been confirmed to work with the RecipientFilter parameter in all cmdlets are described in the following
table.
Notes:
The list might include:
Properties that are only used in one type of environment: Microsoft Office 365, on-premises Exchange, or hybrid. The
property might exist on recipient objects in all environments, but the value is only meaningful (a value other than blank or
None ) in one type of environment.

Properties that are present, but correspond to features that are no longer used in Exchange.
You can't use properties from other Active Directory schema extensions with the RecipientFilter parameter.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for
these properties, which indicates that the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or
$null ), use single quotation marks ' ' instead. Although this parameter is a string (not a system block), you can also use braces { },
but only if the filter doesn't contain variables. For more information, see Additional OPATH syntax information.
You typically use the object's name for properties that require a valid object value (for example, a mailbox, a distribution group, or an
email address policy), but the property might also accept the object's distinguished name (DN) or globally unique identifier (GUID).
To find the object's DN or GUID, use the Get- cmdlet that corresponds to the object's type (for example,
Get-EmailAddressPolicy | Format-List Name,DistinguishedName,GUID ).

Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
The Value column in the table describes the acceptable values for the filter, not necessarily for the property itself. For example, a
property might obviously contain a date or numeric value, but when you use that property in a filter, it might be treated like a text
string (no value check, and wildcards are supported).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
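
The quoting notes above, applied by a small filter builder that keeps system values literal, single-quotes text, and rejects wildcards used without -like. This is an added example, not code from the original page or from Microsoft: ConvertTo-OPathValue and New-OPathClause are hypothetical helper names, the sample values are constructed, and doubling an embedded single quote is an assumption this page does not state.

```powershell
# Added example. ConvertTo-OPathValue and New-OPathClause are hypothetical helper
# names, not Exchange cmdlets; all sample values below are constructed.

function ConvertTo-OPathValue {
    param([AllowNull()][object]$Value)
    # System values stay as literal text so the filter receives $true/$false/$null.
    if ($null -eq $Value)  { return '$null' }
    if ($Value -is [bool]) { if ($Value) { return '$true' } else { return '$false' } }
    if (($Value -is [int]) -or ($Value -is [long])) { return [string]$Value }
    if ($Value -is [datetime]) {
        # Same shape as the page's date examples, for example '8/1/2017 2:00:00 PM'.
        $text = $Value.ToString('M/d/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
        return "'$text'"
    }
    # Text values go inside single quotes. Doubling an embedded single quote is
    # an assumption (the usual OPATH escape); this page does not state it.
    return "'" + ([string]$Value).Replace("'", "''") + "'"
}

function New-OPathClause {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9]*$')][string]$Property,
        [Parameter(Mandatory)][ValidateSet('eq', 'ne', 'like', 'gt', 'ge', 'lt', 'le')][string]$Operator,
        [AllowNull()][object]$Value
    )
    # Per the notes: text string properties that accept wildcards require -like.
    if (($Value -is [string]) -and $Value.Contains('*') -and ($Operator -ne 'like')) {
        throw "Value '$Value' contains a wildcard; use -like instead of -$Operator."
    }
    '{0} -{1} {2}' -f $Property, $Operator, (ConvertTo-OPathValue -Value $Value)
}

# Constructed review queries built from properties listed in the tables.
$since = [datetime]::new(2017, 8, 1, 14, 0, 0)
$checks = @(
    [pscustomobject]@{ Cmdlet = 'Get-User';      Filter = New-OPathClause -Property RemotePowerShellEnabled -Operator eq -Value $true }
    [pscustomobject]@{ Cmdlet = 'Get-Mailbox';   Filter = New-OPathClause -Property ProtocolSettings -Operator like -Value '*POP3*' }
    [pscustomobject]@{ Cmdlet = 'Get-User';      Filter = New-OPathClause -Property SidHistory -Operator ne -Value $null }
    [pscustomobject]@{ Cmdlet = 'Get-Recipient'; Filter = New-OPathClause -Property WhenChanged -Operator gt -Value $since }
    [pscustomobject]@{ Cmdlet = 'Get-User';      Filter = New-OPathClause -Property SimpleDisplayName -Operator like -Value "*O'Neil*" }
)

foreach ($check in $checks) {
    # Print the exact command so it can be reviewed before it runs.
    '{0} -Filter "{1}"' -f $check.Cmdlet, $check.Filter
    # Query only when an Exchange session has loaded the cmdlet.
    if (Get-Command -Name $check.Cmdlet -ErrorAction SilentlyContinue) {
        & $check.Cmdlet -Filter $check.Filter -ResultSize Unlimited |
            Select-Object Name, RecipientTypeDetails
    }
}
```

Without an Exchange session the loop only prints the generated commands, which makes it usable for checking filter strings before they reach a server.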

PROPERTY NAME LDAP DISPLAY NAME VALUE COMMENTS

AcceptMessagesOnlyFrom
LDAP display name: authOrig
Value: Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

AcceptMessagesOnlyFromDLMembers
LDAP display name: dLMemSubmitPerms
Value: Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

ActiveSyncAllowedDeviceIDs
LDAP display name: msExchMobileAllowedDeviceIds
Value: String (wildcards accepted).

ActiveSyncBlockedDeviceIDs
LDAP display name: msExchMobileBlockedDeviceIds
Value: String (wildcards accepted).



ActiveSyncEnabled
LDAP display name: n/a
Value: Boolean ($true or $false)

ActiveSyncMailboxPolicy
LDAP display name: msExchMobileMailboxPolicyLink
Value: String (wildcards accepted in dynamic distribution groups).
Comments: The default Exchange ActiveSync mailbox policy is named Default.

ActiveSyncSuppressReadReceipt
LDAP display name: n/a
Value: Boolean ($true or $false)

AddressBookPolicy
LDAP display name: msExchAddressBookPolicyLink
Value: String (wildcards accepted in dynamic distribution groups).

AddressListMembership
LDAP display name: showInAddressBook
Value: String (wildcards accepted in dynamic distribution groups).

AdminDisplayName
LDAP display name: adminDisplayName
Value: String (wildcards accepted).

AdministrativeUnits
LDAP display name: msExchAdministrativeUnitLink
Value: String (wildcards accepted in dynamic distribution groups).

AggregatedMailboxGuids
LDAP display name: msExchAlternateMailboxes
Value: String (wildcards accepted).

Alias
LDAP display name: mailNickname
Value: String (wildcards accepted).
Comments: This property contains the recipient's Exchange alias (also known as the mail nickname). This value identifies the recipient as a mail-enabled object, and shouldn't be confused with multiple email addresses for the same recipient (also known as proxy addresses). A recipient can have only one Alias value.

AllowUMCallsFromNonUsers
LDAP display name: msExchUMListInDirectorySearch
Value: None (0) or SearchEnabled (1)

ArbitrationMailbox
LDAP display name: msExchArbitrationMailbox
Value: String (wildcards accepted in dynamic distribution groups).

ArchiveDatabase
LDAP display name: msExchArchiveDatabaseLink
Value: String

ArchiveDomain
LDAP display name: msExchArchiveAddress
Value: String (wildcards accepted).

ArchiveGuid
LDAP display name: msExchArchiveGUID
Value: String (wildcards accepted).

ArchiveName
LDAP display name: msExchArchiveName
Value: String (wildcards accepted).

ArchiveQuota
LDAP display name: msExchArchiveQuota
Value: Dynamic distribution groups: A byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ArchiveWarningQuota
LDAP display name: msExchArchiveWarnQuota
Value: Dynamic distribution groups: A byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ArchiveRelease
LDAP display name: msExchArchiveRelease
Value: String (wildcards accepted).

ArchiveState
LDAP display name: n/a
Value: None (0), Local (1), HostedProvisioned (2), HostedPending (3), or OnPremise (4).

ArchiveStatus
LDAP display name: msExchArchiveStatus
Value: None (0) or Active (1).

AssistantName
LDAP display name: msExchAssistantName
Value: String (wildcards accepted).
Comments: The name of the recipient's assistant.

AuditEnabled
LDAP display name: msExchMailboxAuditEnable
Value: Boolean ($true or $false)

AuditLogAgeLimit
LDAP display name: msExchMailboxAuditLogAgeLimit
Value: Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.
Comments: The value of this property is a time span: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.

AuthenticationPolicy
LDAP display name: msExchAuthPolicyLink
Value: String (wildcards accepted in dynamic distribution groups).

C
LDAP display name: C
Value: String (wildcards accepted).
Comments: This property contains the two-letter country/region designation from International Organization for Standardization (ISO) 3166. For more information, see Country Codes - ISO 3166.

CalendarLoggingQuota
LDAP display name: msExchCalendarLoggingQuota
Value: Dynamic distribution groups: Unlimited or a byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Unlimited, or blank/non-blank.

CalendarRepairDisabled
LDAP display name: msExchCalendarRepairDisabled
Value: Boolean ($true or $false)

Certificate
LDAP display name: userCertificate
Value: System.Byte[]
Comments: This property contains the DER-encoded X509v3 certificates that are issued to the user.

CertificateSubject
LDAP display name: n/a
Value: X509:<I>X500Issuer<S>X500Subject (for example, X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US,O=Fabrikam,OU=Sales,CN=J Smith)
Comments: The X509 certificate that's published for the user account (visible on the Published Certificates tab in Active Directory Users and Computers).

City
LDAP display name: l
Value: String (wildcards accepted).
Comments: The recipient's city.

Co
LDAP display name: Co
Value: String (wildcards accepted).
Comments: The name of the recipient's country or region. You can locate valid Co values on the Address tab in the recipient's properties in Active Directory Users and Computers.

CommonName
LDAP display name: cn
Value: String (wildcards accepted).

ComplianceTagHoldApplied
LDAP display name: n/a
Value: Boolean ($true or $false)

Company
LDAP display name: company
Value: String (wildcards accepted).
Comments: The recipient's company name.

CountryOrRegion
LDAP display name: c
Value: String (wildcards accepted).
Comments: This property contains the two-letter country/region designation from ISO 3166. For more information, see Country Codes - ISO 3166.

CustomAttribute1 to CustomAttribute15
LDAP display name: extensionAttribute1 to extensionAttribute15
Value: String (wildcards accepted).
Comments: These properties contain custom attributes that you can add to a recipient.

Database homeMDB String (wildcards accepted). The identity of the user's mailbox database.

Department department String (wildcards accepted). The recipient's department.

DataEncryptionPolicy msExchDataEncryptionPolicyLink String (wildcards accepted in dynamic distribution groups).

DefaultPublicFolderMailbox msExchPublicFolderMailbox String (wildcards accepted in dynamic distribution groups).

DeletedItemFlags deletedItemFlags DatabaseDefault (0), RetainUntilBackupOrCustomPeriod (3), or RetainForCustomPeriod (5).

DeliverToMailboxAndForward deliverAndRedirect Boolean ($true or $false)

Description description String (wildcards accepted).

DirectReports directReports String (wildcards accepted in dynamic distribution groups).

DisabledArchiveDatabase msExchDisabledArchiveDatabaseLink String (wildcards accepted).

DisabledArchiveGuid msExchDisabledArchiveDatabaseGUID String (wildcards accepted).

DisplayName displayName String (wildcards accepted).

DistinguishedName distinguishedName String (wildcards accepted).

EcpEnabled n/a Boolean ($true or $false)

ElcExpirationSuspensionEndDate msExchELCExpirySuspensionEnd Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank. This property contains a date-time value.

ElcExpirationSuspensionStartDate msExchELCExpirySuspensionStart Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank. This property contains a date-time value.

ElcMailboxFlags msExchELCMailboxFlags None (0), ExpirationSuspended (1), ElcV2 (2), DisableCalendarLogging (4), LitigationHold (8), SingleItemRecovery (16), ValidArchiveDatabase (32), ShouldUseDefaultRetentionPolicy (128), EnableSiteMailboxMessageDedup (256), ElcProcessingDisabled (512), or ComplianceTagHold (1024).

EmailAddresses proxyAddresses String (wildcards accepted). This property contains the recipient's email addresses (the primary email address and all proxy addresses).

EmailAddressPolicyEnabled n/a Boolean ($true or $false)

EntryId msExchPublicFolderEntryId String (wildcards accepted).

EwsApplicationAccessPolicy msExchEwsApplicationAccessPolicy EnforceAllowList or EnforceBlockList.

EwsEnabled msExchEwsEnabled Integer

ExchangeGuid msExchMailboxGuid String (wildcards accepted).

ExchangeUserAccountControl msExchUserAccountControl For valid values, see ADS_USER_FLAG_ENUM enumeration. The integer values will work as described. Most of the text values won't work as described (even if you remove ADS_UF and all underscores).

ExchangeVersion msExchVersion Dynamic distribution groups: String (wildcards accepted). Others: ExchangeObjectVersion values.

ExpansionServer msExchExpansionServerName String (wildcards accepted).

ExtensionCustomAttribute1 to ExtensionCustomAttribute5 msExchExtensionCustomAttribute1 to msExchExtensionCustomAttribute5 String (wildcards accepted).

ExternalDirectoryObjectId msExchExternalDirectoryObjectId String (wildcards accepted).

ExternalEmailAddress targetAddress String (wildcards accepted). This property contains the external email address for mail contacts and mail users.

ExternalOofOptions msExchExternalOOFOptions External (0) or InternalOnly (1).

Fax facsimileTelephoneNumber String (wildcards accepted).

FirstName givenName String (wildcards accepted). The recipient's first name.

ForwardingAddress altRecipient String (wildcards accepted).

ForwardingSmtpAddress msExchGenericForwardingAddress String (wildcards accepted).

GeneratedOfflineAddressBooks msExchOABGeneratingMailboxBL String (wildcards accepted in dynamic distribution groups).

GrantSendOnBehalfTo publicDelegates String (wildcards accepted in dynamic distribution groups).

GroupType groupType None (0), Global (2), DomainLocal (4), BuiltinLocal (5), Universal (8), or SecurityEnabled (-2147483648).

Guid objectGuid String (wildcards accepted).

HasActiveSyncDevicePartnership n/a Boolean ($true or $false)



HiddenFromAddressListsEnabled msExchHideFromAddressLists Boolean ($true or $false) This property specifies whether the recipient is visible in the global address list or other address lists.

HiddenGroupMembershipEnabled hideDLMembership Boolean ($true or $false)

HomeMTA homeMTA String (wildcards accepted in dynamic distribution groups).

HomePhone homePhone String (wildcards accepted).

Id distinguishedName String (wildcards accepted in dynamic distribution groups).

ImapEnabled n/a Boolean ($true or $false)

ImmutableId msExchGenericImmutableId String (wildcards accepted).

IncludedRecipients n/a None (0), MailboxUsers (1), Resources (2), MailContacts (4), MailGroups (8), MailUsers (16), or AllRecipients (-1).

IncludeInGarbageCollection n/a Boolean ($true or $false)

Initials initials String (wildcards accepted).

InPlaceHolds msExchUserHoldPolicies String

InPlaceHoldsRaw n/a String

InternetEncoding internetEncoding Integer For valid values, see the Remarks section in the topic, Encoding Class.

IsDirSynced msExchIsMSODirsynced Boolean ($true or $false)

IsExcludedFromServingHierarchy n/a Boolean ($true or $false)

IsHierarchyReady n/a Boolean ($true or $false)

IsHierarchySyncEnabled n/a Boolean ($true or $false)

IsInactiveMailbox n/a Boolean ($true or $false)

IsMailboxEnabled n/a Boolean ($true or $false) This property specifies whether the user is mailbox-enabled.

IsSecurityPrincipal n/a Boolean ($true or $false)

IsSoftDeletedByDisable n/a Boolean ($true or $false)

IsSoftDeletedByRemove n/a Boolean ($true or $false)

IssueWarningQuota mDBStorageQuota Dynamic distribution groups: A byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

JournalArchiveAddress n/a An SMTP email address (for example, julia@contoso.com).

LanguagesRaw msExchUserCulture String (wildcards accepted). This property contains the language preference for this mailbox in the format <ISO 639 two-letter culture code>-<ISO 3166 two-letter subculture code>. For example, United States English is en-US. For more information, see CultureInfo Class.

LastExchangeChangedTime msExchLastExchangeChangedTime Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

LastName sn String (wildcards accepted).

LdapRecipientFilter msExchDynamicDLFilter String (wildcards accepted).

LegacyExchangeDN legacyExchangeDN String (wildcards accepted).

LitigationHoldDate msExchLitigationHoldDate Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

LitigationHoldEnabled n/a Boolean ($true or $false)

LitigationHoldOwner msExchLitigationHoldOwner String (wildcards accepted).

LocaleID localeID Integer For valid values, see Microsoft Locale ID Values.

MailboxMoveBatchName msExchMailboxMoveBatchName String (wildcards accepted).

MailboxMoveFlags msExchMailboxMoveFlags For valid values, see the description of the Flags parameter in Get-MoveRequest.

MailboxMoveRemoteHostName msExchMailboxMoveRemoteHostName String (wildcards accepted).

MailboxMoveSourceMDB msExchMailboxMoveSourceMDBLink String (wildcards accepted in dynamic distribution groups).

MailboxMoveStatus msExchMailboxMoveStatus For valid values, see the description of the MoveStatus parameter in Get-MoveRequest.

MailboxMoveTargetMDB msExchMailboxMoveTargetMDBLink String (wildcards accepted in dynamic distribution groups).

MailboxPlan msExchParentPlanLink String (wildcards accepted). Mailbox plans correspond to Office 365 license types. The availability of a license plan is determined by the selections that you make when you enroll your domain.

MailboxRelease msExchMailboxRelease String (wildcards accepted).

MailTipTranslations msExchSenderHintTranslations String (wildcards accepted).



ManagedBy managedBy String (wildcards accepted in dynamic distribution groups). This property identifies the security principal that's the manager of the group.

Manager manager String (wildcards accepted in dynamic distribution groups). The recipient's manager.

MAPIEnabled n/a Boolean ($true or $false)

MapiRecipient mAPIRecipient Boolean ($true or $false)

MaxBlockedSenders msExchMaxBlockedSenders Unlimited or an integer.

MaxSafeSenders msExchMaxSafeSenders Unlimited or an integer.

MaxReceiveSize delivContLength Dynamic distribution groups: A byte quantified size value (for example, 50MB). Unqualified values are treated as bytes. Others: Blank or non-blank.

MaxSendSize submissionContLength Dynamic distribution groups: A byte quantified size value (for example, 50MB). Unqualified values are treated as bytes. Others: Blank or non-blank.

MemberDepartRestriction msExchGroupDepartRestriction Closed (0), Open (1), or ApprovalRequired (2).

MemberJoinRestriction msExchGroupDepartRestriction Closed (0), Open (1), or ApprovalRequired (2).

MemberOfGroup memberOf String (wildcards accepted in dynamic distribution groups).

Members member String (wildcards accepted in dynamic distribution groups).

MessageHygieneFlags msExchMessageHygieneFlags None (0) or AntispamBypass (1).

MobileAdminExtendedSettings msExchOmaAdminExtendedSettings String (wildcards accepted).

MobileMailboxFlags msExchMobileMailboxFlags None (0), HasDevicePartnership (1), or ActiveSyncSuppressReadReceipt (2).

MobileFeaturesEnabled msExchOmaAdminWirelessEnable None (0), AirSyncDisabled (4), or MowaDisabled (8).

MobilePhone mobile String (wildcards accepted).

ModeratedBy msExchModeratedByLink String (wildcards accepted in dynamic distribution groups).

ModerationEnabled msExchEnableModeration Boolean ($true or $false)

Name name String (wildcards accepted). The unique name value of the recipient.

NetID n/a A sample value is 1003BFFD9A0CFA03. This property is populated for Office 365 mailboxes in hybrid environments.

Notes info String (wildcards accepted).

ObjectCategory objectCategory Dynamic distribution groups: String (wildcards accepted). Others: Valid Active Directory ObjectCategory values. Valid values use the format CN=<Type>,CN=Schema,CN=Configuration,DC=<domain>, where <Type> is typically Person or Group for recipients. For example, CN=Person,CN=Schema,CN=Configuration,DC=contoso.

ObjectClass objectClass Dynamic distribution groups: String (wildcards accepted). Others: Valid Active Directory ObjectCategory values. Common values for recipients are: contact, organizationalPerson, person, top, group, msExchDynamicDistributionList, and user.

Office physicalDeliveryOfficeName String (wildcards accepted).

OfflineAddressBook msExchUseOAB String (wildcards accepted in dynamic distribution groups). This property contains the offline address book (OAB) that's associated with this recipient.

OperatorNumber msExchUMOperatorNumber String (wildcards accepted).

OtherFax otherFacsimileTelephoneNumber String (wildcards accepted).

OtherHomePhone otherHomePhone String (wildcards accepted).

OtherTelephone otherTelephone String (wildcards accepted).

OWAEnabled n/a Boolean ($true or $false)

OWAforDevicesEnabled msExchOmaAdminWirelessEnable Boolean ($true or $false)

OWAMailboxPolicy msExchOWAPolicy String (wildcards accepted in dynamic distribution groups).

Pager pager String (wildcards accepted).

Phone telephoneNumber String (wildcards accepted).

PhoneProviderId msExchUMPhoneProvider String (wildcards accepted).

PhoneticCompany msDS-PhoneticCompanyName String (wildcards accepted).

PhoneticDepartment msDS-PhoneticDepartment String (wildcards accepted).

PhoneticDisplayName msDS-PhoneticDisplayName String (wildcards accepted).

PhoneticFirstName msDS-PhoneticFirstName String (wildcards accepted).

PhoneticLastName msDS-PhoneticLastName String (wildcards accepted).

PoliciesExcluded msExchPoliciesExcluded String (wildcards accepted).

PoliciesIncluded msExchPoliciesIncluded String (wildcards accepted).

PopEnabled n/a Boolean ($true or $false)

PostalCode postalCode String (wildcards accepted).



PostOfficeBox postOfficeBox String (wildcards accepted).

PreviousRecipientTypeDetails msExchPreviousRecipientTypeDetails For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient.

PrimaryGroupId primaryGroupId Integer For domain users, the value of this property is typically 513, which corresponds to the Domain Users group.

PrimarySmtpAddress n/a String (wildcards accepted).

ProhibitSendQuota mDBOverQuotaLimit Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ProhibitSendReceiveQuota mDBOverHardQuotaLimit Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ProtocolSettings protocolSettings String (wildcards accepted).

PublicFolderContacts pFContacts String (wildcards accepted in dynamic distribution groups).

PurportedSearchUI msExchPurportedSearchUI String (wildcards accepted).

QueryBaseDN msExchQueryBaseDN String (wildcards accepted in dynamic distribution groups).

RawCanonicalName canonicalName String (wildcards accepted).

RawExternalEmailAddress targetAddress String (wildcards accepted).

RawName name String (wildcards accepted).

RecipientContainer msExchDynamicDLBaseDN String (wildcards accepted). The Active Directory container or organizational unit (OU) that holds the recipient object.

RecipientDisplayType msExchRecipientDisplayType MailboxUser (0), DistributionGroup (1), PublicFolder (2), DynamicDistributionGroup (3), Organization (4), PrivateDistributionList (5), RemoteMailUser (6), ConferenceRoomMailbox (7), or EquipmentMailbox (8).

RecipientFilter msExchQueryFilter String (wildcards accepted).

RecipientLimits msExchRecipLimit Unlimited or an integer. This property specifies the maximum number of recipients that are allowed in messages sent by the mailbox.

RecipientType n/a For valid values, see the description of the RecipientType parameter in Get-Recipient.

RecipientTypeDetails n/a For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient.

RecoverableItemsQuota msExchDumpsterQuota Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

RecoverableItemsWarningQuota msExchDumpsterWarningQuota Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

RejectMessagesFrom unauthOrig Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

RejectMessagesFromDLMembers dLMemRejectPerms Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

RemoteAccountPolicy msExchSyncAccountsPolicyDN String (wildcards accepted in dynamic distribution groups).

RemotePowerShellEnabled n/a Boolean ($true or $false)

RemoteRecipientType msExchRemoteRecipientType None (0), ProvisionMailbox (1), ProvisionArchive (2), Migrated (4), DeprovisionMailbox (8), DeprovisionArchive (16), RoomMailbox (32), EquipmentMailbox (64), SharedMailbox (96), or TeamMailbox (128).

ReportToManagerEnabled reportToOwner Boolean ($true or $false)

ReportToOriginatorEnabled reportToOriginator Boolean ($true or $false)

RequireAllSendersAreAuthenticated msExchRequireAuthToSendTo Boolean ($true or $false)

ResourceCapacity msExchResourceCapacity Integers.

ResourceCustom n/a String

ResourceMetaData msExchResourceMetaData String (wildcards accepted).

ResourcePropertiesDisplay msExchResourceDisplay String (wildcards accepted).

ResourceSearchProperties msExchResourceSearchProperties String (wildcards accepted).

ResourceType n/a Room (0) or Equipment (1).



RetainDeletedItemsFor garbageCollPeriod Dynamic distribution groups: A time span: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds. Others: Blank or non-blank.

RetentionComment msExchRetentionComment String (wildcards accepted).

RetentionPolicy n/a String

RetentionUrl msExchRetentionURL String (wildcards accepted).

RoleAssignmentPolicy msExchRBACPolicyLink String (wildcards accepted in dynamic distribution groups).

RulesQuota msExchMDBRulesQuota Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

SamAccountName SamAccountName String (wildcards accepted in dynamic distribution groups). This property specifies an identifier that's compatible with older versions of Microsoft Windows client and server operating systems (also known as the pre-Windows 2000 user account or group name).

SafeRecipientsHash msExchSafeRecipientsHash System.Byte[] A user's safe recipients list is hashed (SHA-256) one way before it's stored as a binary large object in Active Directory.

SafeSendersHash msExchSafeSendersHash System.Byte[] A user's safe senders list is hashed (SHA-256) one way before it's stored as a binary large object in Active Directory.

SCLDeleteThresholdInt msExchMessageHygieneSCLDeleteThreshold An integer from 0 through 9.

SCLJunkThresholdInt msExchMessageHygieneSCLJunkThreshold An integer from 0 through 9.

SCLQuarantineThresholdInt msExchMessageHygieneSCLQuarantineThreshold An integer from 0 through 9.

SCLRejectThresholdInt msExchMessageHygieneSCLRejectThreshold An integer from 0 through 9.

SecurityProtocol securityProtocol System.Byte[]

SendDeliveryReportsTo n/a None (0), Manager (1) or Originator (2).

SendOofMessageToOriginatorEnabled oOFReplyToOriginator Boolean ($true or $false)

ServerLegacyDN msExchHomeServerName String (wildcards accepted).

ServerName n/a String

SharingPolicy msExchSharingPolicyLink String (wildcards accepted in dynamic distribution groups).

SimpleDisplayName displayNamePrintable String (wildcards accepted).

SingleItemrecoveryEnabled n/a Boolean ($true or $false)

SKUAssigned n/a Boolean ($true or $false)

SMimeCertificate userSMIMECertificate System.Byte[] This property contains the binary encoded S/MIME certificates that are issued to the user.

StateOrProvince st String (wildcards accepted).

StreetAddress streetAddress String (wildcards accepted).

StsRefreshTokensValidFrom msExchStsRefreshTokensValidFrom Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

TelephoneAssistant telephoneAssistant String (wildcards accepted).

TextEncodedORAddress textEncodedORAddress String (wildcards accepted).

ThrottlingPolicy msExchThrottlingPolicyDN String (wildcards accepted in dynamic distribution groups).

Title title String (wildcards accepted).

UMAddresses msExchUMAddresses String (wildcards accepted).

UMCallingLineIds msExchUMCallingLineIds String (wildcards accepted).

UMDtmfMap msExchUMDtmfMap String (wildcards accepted).

UMEnabled n/a Boolean ($true or $false) This property specifies whether Unified Messaging (UM) is enabled for this mailbox.

UMEnabledFlags msExchUMEnabledFlags None (0), UMEnabled (1), FaxEnabled (2), TUIAccessToCalendarEnabled (4), TUIAccessToEmailEnabled (8), SubscriberAccessEnabled (16), TUIAccessToAddressBookEnabled (32), AnonymousCallersCanLeaveMessages (256), ASREnabled (512), or VoiceMailAnalysisEnabled (1024).

UMMailboxPolicy msExchUMTemplateLink String (wildcards accepted in dynamic distribution groups).

UMPinChecksum msExchUMPinChecksum System.Byte[]

UMRecipientDialPlanId msExchUMRecipientDialPlanLink String (wildcards accepted in dynamic distribution groups).

UMServerWritableFlags msExchUMServerWritableFlags None (0), MissedCallNotificationEnabled (1), SMSVoiceMailNotificationEnabled (2), SMSMissedCallNotificationEnabled (4), or PinlessAccessToVoiceMailEnabled (8).

UMSpokenName msExchUMSpokenName System.Byte[]

UnicodePassword unicodePwd System.Byte[]

UsageLocation msExchUsageLocation A valid two-letter country/region ISO 3166 value, or the corresponding display name (for example, US or UnitedStates). For more information, see Country Codes - ISO 3166.

UseDatabaseQuotaDefaults mDBUseDefaults Boolean ($true or $false) If the value of this property is $true, the values of these properties are ignored for the mailbox: IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, CalendarLoggingQuota, RecoverableItemsWarningQuota, and RecoverableItemsQuota.

UserAccountControl userAccountControl For valid values, see the Remarks section in User-Account-Control attribute. You need to convert the hexadecimal values to decimal. Most of the text values won't work as described (even if you remove ADS_UF and all underscores).

UserPrincipalName userPrincipalName String (wildcards accepted). This property contains the user principal name (UPN) for this recipient (for example, kim@contoso.com).

VoiceMailSettings msExchUCVoiceMailSettings String (wildcards accepted). Valid values for this property are: ExchangeHostedVoiceMail=0, ExchangeHostedVoiceMail=1, CsHostedVoiceMail=0, or CsHostedVoiceMail=1.

WebPage wWWHomePage String (wildcards accepted).

WhenChanged whenChanged Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WhenChangedUTC n/a Dynamic distribution groups: A date/time value in Coordinated Universal Time (UTC). Others: Blank or non-blank.

WhenCreated whenCreated Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WhenCreatedUTC n/a Dynamic distribution groups: A date/time value in UTC. Others: Blank or non-blank.

WhenMailboxCreated msExchWhenMailboxCreated Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WhenSoftDeleted msExchWhenSoftDeletedTime Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WindowsEmailAddress mail String (wildcards accepted).

WindowsLiveID msExchWindowsLiveID String (wildcards accepted).

For more information


Exchange 2007 was the first version of Exchange that required OPATH filters instead of LDAP filters. For more information about
converting LDAP filters to OPATH filters, see the Microsoft Exchange Team Blog article, Need help converting your LDAP filters to
OPATH?.
For more information about the syntax that can be used within OPATH filters, see Exchange cmdlet syntax.
Exchange Online PowerShell
9/20/2019 • 2 minutes to read

Exchange Online PowerShell is the administrative interface that enables you to manage your Microsoft Exchange
Online organization from the command line. For example, you can use Exchange Online PowerShell to configure
mail flow rules (also known as transport rules) and connectors. The following topics provide information about
using Exchange Online PowerShell:
To create a remote PowerShell session to your Exchange Online organization, see Connect to Exchange
Online PowerShell.
To prevent or allow connections to your Exchange Online organization using remote PowerShell,
see Enable or disable access to Exchange Online PowerShell.
The following introductory video shows you how to connect to and use Exchange Online PowerShell.
Note: This video applies to Exchange Online and standalone Exchange Online Protection (EOP)
organizations. When you connect to your organization, be sure to specify the correct URL (ConnectionUri
value). The required URL is different for Exchange Online and EOP organizations.
Use Remote PowerShell in EOP
To find the permissions you need to run a specific cmdlet, or one or more parameters on the cmdlet, see
Find the permissions required to run any Exchange cmdlet.
To learn about recipient filters in Exchange Online PowerShell, see Recipient filters in Exchange
Management Shell and Exchange Online PowerShell commands.
Connect to Exchange Online PowerShell
9/23/2019 • 4 minutes to read

Exchange Online PowerShell allows you to manage your Exchange Online settings from the command line. You
use Windows PowerShell on your local computer to create a remote PowerShell session to Exchange Online. It's a
simple three-step process where you enter your Office 365 credentials, provide the required connection settings,
and then import the Exchange Online cmdlets into your local Windows PowerShell session so that you can use
them.

IMPORTANT
If you want to use multi-factor authentication (MFA) to connect to Exchange Online PowerShell, you need to download and
use the Exchange Online Remote PowerShell Module. For more information, see Connect to Exchange Online PowerShell
using multi-factor authentication.

If you're a standalone Exchange Online Protection (EOP) customer (for example, you're using EOP to protect your on-
premises email environment), use the connection instructions in Connect to Exchange Online Protection PowerShell. If your
standalone EOP subscription is Exchange Enterprise CAL with Services (includes data loss prevention (DLP) and reporting
using web services), the connection instructions in this topic will work for you.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and
then an updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For
more information, see Installing the .NET Framework, Windows Management Framework 3.0,
Windows Management Framework 4.0, and Windows Management Framework 5.1.
Windows PowerShell needs to be configured to run scripts, and by default, it isn't. You'll get the following
error when you try to connect:
Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate
with which to sign the files.

To require that all PowerShell scripts that you download from the internet are signed by a trusted publisher, run
the following command in an elevated Windows PowerShell window (a Windows PowerShell window you
open by selecting Run as administrator):
Set-ExecutionPolicy RemoteSigned

You need to configure this setting only once on your computer, not every time you connect.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

Connect to Exchange Online


1. On your local computer, open Windows PowerShell and run the following command.

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type your work or school account and
password, and then click OK.
2. Run the following command:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Notes:
For Office 365 operated by 21Vianet, use the ConnectionUri value:
https://partner.outlook.cn/PowerShell

For Office 365 Germany, use the ConnectionUri value:
https://outlook.office.de/powershell-liveid/

For Office 365 Government Community Cloud High (GCC High), use the ConnectionUri value:
https://outlook.office365.us/powershell-liveid/

If you're behind a proxy server, run this command first:
$ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where the ProxyAccessType value is
IEConfig, WinHttpConfig, or AutoDetect.
Then, add the following parameter and value to the end of the $Session = ... command:
-SessionOption $ProxyOptions.

For more information, see New-PSSessionOption.


3. Run the following command:

Import-PSSession $Session -DisableNameChecking

NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window
without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to
wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command.
Remove-PSSession $Session
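
The three steps above and the disconnect command from the note, combined into one script so that the session is removed even when a command fails. This is an added example, not part of the original topic; the variable names $ConnectionUri and $SessionParams are chosen here, and the cleanup filter assumes you have no other Exchange sessions that you want to keep open in this window.

```powershell
# Added example: connect, run a quick test, and always disconnect.
# $ConnectionUri and $SessionParams are names chosen for this example.
$ConnectionUri = 'https://outlook.office365.com/powershell-liveid/'  # see the Notes in step 2 for other clouds

# Remove Exchange sessions left over in this PowerShell process from earlier
# attempts, so they don't keep counting against the three-connection limit.
# This only sees sessions created in the current process.
Get-PSSession |
    Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } |
    Remove-PSSession

# Step 1: prompt for the work or school account.
$UserCredential = Get-Credential

$Session = $null
try {
    # Step 2: same parameters as the one-line command, splatted for readability.
    $SessionParams = @{
        ConfigurationName = 'Microsoft.Exchange'
        ConnectionUri     = $ConnectionUri
        Credential        = $UserCredential
        Authentication    = 'Basic'
        AllowRedirection  = $true
        ErrorAction       = 'Stop'   # turn a failed connection into a catchable error
    }
    # Behind a proxy, add a session option (IEConfig, WinHttpConfig, or AutoDetect):
    # $SessionParams['SessionOption'] = New-PSSessionOption -ProxyAccessType IEConfig

    $Session = New-PSSession @SessionParams

    # Step 3: import the Exchange Online cmdlets into the local session.
    Import-PSSession $Session -DisableNameChecking -ErrorAction Stop | Out-Null

    # Quick test that the import worked.
    Get-Mailbox -ResultSize 5 | Select-Object Name, PrimarySmtpAddress
}
catch {
    Write-Warning "Connection or command failed: $($_.Exception.Message)"
}
finally {
    # Runs on success and on failure, so the remote session is never left open.
    if ($Session) { Remove-PSSession $Session }
    $UserCredential = $null
}
```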

How do you know this worked?


After Step 3, the Exchange Online cmdlets are imported into your local Windows PowerShell session and tracked
by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run an Exchange
Online cmdlet, for example, Get-Mailbox, and see the results.
If you receive errors, check the following requirements:
A common problem is an incorrect password. Run the three steps again and pay close attention to the user
name and password you enter in Step 1.
To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell
connections to your Exchange Online organization.
The account you use to connect to Exchange Online must be enabled for remote PowerShell. For more
information, see Enable or disable access to Exchange Online PowerShell.
TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but
it's something to consider if your organization has a restrictive internet access policy.
If your organization uses federated authentication, and your identity provider (IDP) and/or security token
service (STS) isn't publicly available, you can't use a federated account to connect to Exchange Online
PowerShell. Instead, create and use a non-federated account in Office 365 to connect to Exchange Online
PowerShell.

See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New-PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy
For more information about managing Office 365, see Manage Office 365.

Connect to Exchange Online PowerShell using multi-factor authentication
11/7/2019 • 4 minutes to read

If you want to use multi-factor authentication (MFA) to connect to Exchange Online PowerShell, you can't use the
instructions at Connect to Exchange Online PowerShell to use remote PowerShell to connect to Exchange Online.
MFA requires you to install the Exchange Online Remote PowerShell Module, and use the
Connect-ExoPSSession cmdlet to connect.

NOTE
The Exchange Online Remote PowerShell Module is not supported in PowerShell Core (macOS, Linux, or Windows Nano
Server). As a workaround, you can install the module on a computer that's running a supported version of Windows (physical
or virtual), and use remote desktop software to connect.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and
then an updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For
more information, see Installing the .NET Framework, Windows Management Framework 3.0,
Windows Management Framework 4.0, and Windows Management Framework 5.1.
The Exchange Online Remote PowerShell Module needs to be installed on your computer:
1. In Internet Explorer or Edge, open the Exchange admin center (EAC) for your Exchange Online
organization. For instructions, see Exchange admin center in Exchange Online.
Note: A browser that uses ClickOnce to download (like Internet Explorer or Edge) is needed to
complete the next step.
2. In the EAC, go to Hybrid > Setup and click the appropriate Configure button to download the
Exchange Online Remote PowerShell Module for multi-factor authentication.
3. In the Application Install window that opens, click Install.

Windows Remote Management (WinRM) on your computer needs to allow basic authentication (it's
enabled by default). To verify that basic authentication is enabled, run this command in a Command
Prompt:

winrm get winrm/config/client/auth

If you don't see the value Basic = true, you need to run this command to enable basic authentication for
WinRM:

winrm set winrm/config/client/auth @{Basic="true"}

If basic authentication is disabled, you'll get this error when you try to connect:
The WinRM client cannot process the request. Basic authentication is currently disabled in the client
configuration. Change the client configuration and try the request again.

When you use the Exchange Online Remote PowerShell Module, your session will end after one hour, which
can be problematic for long-running scripts or processes. To avoid this issue, use Trusted IPs to bypass MFA
for connections from your intranet. Trusted IPs allow you to connect to Exchange Online PowerShell from
your intranet using the old instructions at Connect to Exchange Online PowerShell. Also, if you have servers
in a datacenter, be sure to add their public IP addresses to Trusted IPs as described here.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online or Exchange Online Protection.

Connect to Exchange Online PowerShell by using MFA


1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft
Corporation > Microsoft Exchange Online Remote PowerShell Module).
2. The command that you need to run uses the following syntax:

Connect-EXOPSSession [-UserPrincipalName <UPN> -ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri> -DelegatedOrganization <String>]

<UPN> is your Office 365 work or school account.


The <ConnectionUri> and <AzureADUri> values depend on the nature of your Office 365
organization as described in the following table:

OFFICE 365 OFFERING | CONNECTIONURI PARAMETER VALUE | AZUREADAUTHORIZATIONENDPOINTURI PARAMETER VALUE
Office 365 | Not used | Not used
Office 365 Germany | https://outlook.office.de/PowerShell-LiveID | https://login.microsoftonline.de/common
Office 365 GCC High | https://outlook.office365.us/powershell-liveid | https://login.microsoftonline.us/common
Office 365 DoD | https://webmail.apps.mil/powershell-liveid | https://login.microsoftonline.us/common

This example connects to Exchange Online in Office 365 using the account chris@contoso.com.

Connect-EXOPSSession -UserPrincipalName chris@contoso.com

This example connects to Exchange Online in Office 365 Germany using the account lukas@fabrikam.com.

Connect-EXOPSSession -UserPrincipalName lukas@fabrikam.com -ConnectionUri https://outlook.office.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/common

This example connects to Exchange Online to manage another tenant.

Connect-ExoPSSession -UserPrincipalName lukas@fabrikam.com -ConnectionUri https://outlook.office.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/common

3. In the sign-in window that opens, enter your password, and then click Sign in.
A verification code is generated and delivered based on the verification response option that's configured
for your account (for example, a text message or the Azure Authenticator app on your mobile phone).
4. In the verification window that opens, enter the verification code, and then click Sign in.

NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Exchange Online Remote
PowerShell Module window without disconnecting the session, you could use up all the remote PowerShell sessions available
to you, and you'll need to wait for the sessions to expire. To disconnect all currently open PowerShell sessions in the current
window, run the following command:

Get-PSSession | Remove-PSSession

How do you know this worked?
After Step 4, the Exchange Online cmdlets are imported into your Exchange Online Remote PowerShell Module
session and tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to
run an Exchange Online cmdlet, for example, Get-Mailbox, and see the results.
If you receive errors, check the following requirements:
To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections
to your Exchange Online organization.
The account you use to connect to Exchange Online must be enabled for remote PowerShell. For more
information, see Enable or disable access to Exchange Online PowerShell.
TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but
it's something to consider if your organization has a restrictive Internet access policy.

Find the permissions required to run any Exchange cmdlet
10/30/2019 • 4 minutes to read

You can use PowerShell to find the permissions required to run any Exchange or Exchange Online cmdlet. This
procedure shows the role-based access control (RBAC) management roles and role groups that give you access to
a specified cmdlet—even if your organization has custom roles, custom role groups, or custom role assignments.

What do you need to know before you begin?


Estimated time to complete this procedure: less than 5 minutes.
You can only use PowerShell to perform this procedure.
Basically, you need to be an administrator to complete this procedure. Specifically, you need access to the
Get-ManagementRole and Get-ManagementRoleAssignment cmdlets. By default, access to these
cmdlets is granted by the View-Only Configuration or Role Management roles, which are assigned to the
View-Only Organization Management and Organization Management role groups.
The procedures in this topic don't work in the Office 365 Security & Compliance Center. For more
information about permissions in the Security & Compliance Center, see Permissions in Office 365
Compliance Center.
The procedures in this topic don't work in Exchange Online Protection (EOP). For more information about
permissions in EOP, see Feature permissions in EOP.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server or Exchange Online.

Use PowerShell to find the permissions required to run a cmdlet


1. Open the PowerShell environment where you want to run the cmdlet.
To learn how to use Windows PowerShell to connect to Exchange Online, see Connect to Exchange
Online PowerShell.
To learn how to open the Exchange Management Shell in your on-premises Exchange organization,
see Open the Exchange Management Shell.
2. Run the following command to identify the cmdlet and, optionally, one or more parameters on the cmdlet.
Be sure to replace <Cmdlet> and optionally, <Parameter1>,<Parameter2>,... with the actual cmdlet and
parameter names you are interested in. If you specify multiple parameters separated by commas, only the
roles that include all of the parameters are returned.

$Perms = Get-ManagementRole -Cmdlet <Cmdlet> [-CmdletParameters <Parameter1>,<Parameter2>,...]

3. Run the following command:


$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName}

Interpreting the results


The results contain the following information:
Role: Indicates the role that gives access to the cmdlet or the combination of cmdlet and parameters. Note
that role names that begin with "My" are user roles that allow regular users to operate on objects they own
(for example, their own mailbox or their distribution groups).
RoleAssigneeType and RoleAssigneeName: These values are inter-related. RoleAssigneeType is the
type of object that has the role assigned to it, and RoleAssigneeName is the name of the object.
RoleAssigneeType can be a role group, role assignment policy, security group, or user. Typically,
administrator roles are assigned to role groups.

Troubleshooting
What if there are no results?
Verify that you entered the cmdlet and parameter names correctly.
You might have entered too many parameters, and all of the parameters on the cmdlet aren't defined in a
single role. Try specifying only the cmdlet name in Step 2, and run Step 3 to verify that the cmdlet is
available in your environment. Then, add parameters one at a time to Step 2 before running Step 3.
These possible causes have the same solution:
You might have entered a cmdlet or parameters that are defined in a role that isn't assigned to
anyone by default.
You might have entered a cmdlet or parameter that isn't available in your environment. For example,
when you enter an Exchange Online cmdlet or parameters in an on-premises Exchange 2016
environment.
Run the following command to find the role that contains the cmdlet or parameters. Be sure to replace
<Cmdlet> and optionally, <Parameter1>,<Parameter2>,... with the actual cmdlet and parameter names you
are interested in. Note that you can use wildcard characters (*) in the cmdlet and parameter names (for
example, *-Mailbox*).

Get-ManagementRoleEntry -Identity *\<Cmdlet> [-Parameters <Parameter1>,<Parameter2>,... ]

If the command returns an error saying the object couldn't be found, the cmdlet or parameters aren't
available in your environment.
If the command returns one or more entries for Name, Role, and Parameters, the cmdlet (or
parameters on the cmdlet) is available in your environment, but the required role isn't assigned to
anyone. To see all roles that aren't assigned to anyone, run the following command:

$na = Get-ManagementRole ; $na | foreach {If ((Get-ManagementRoleAssignment -Role $_.Name -Delegating $false) -eq $null) {$_.Name}}

Related procedures
Management role scopes define where cmdlets can operate (in particular, write scopes).
To include scope information in Step 2, substitute the following command:

$Perms | foreach {Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-List Role,RoleAssigneeType,RoleAssigneeName,*Scope*}

To see all roles assigned to a specific user, run the following command:

Get-ManagementRoleAssignment -RoleAssignee <UserIdentity> -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType

For example:

Get-ManagementRoleAssignment -RoleAssignee julia@contoso.com -Delegating $false | Format-Table -Auto Role,RoleAssigneeName,RoleAssigneeType

To see all users who are assigned a specific role, run the following command:

Get-ManagementRoleAssignment -Role "<Role name>" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod

For example:

Get-ManagementRoleAssignment -Role "Mailbox Import Export" -GetEffectiveUsers -Delegating $false | Where-Object {$_.EffectiveUserName -ne "All Group Members"} | Format-Table -Auto EffectiveUserName,Role,RoleAssigneeName,AssignmentMethod

To see the members of a specific role group, run the following command:

Get-RoleGroupMember "<Role group name>"

For example:

Get-RoleGroupMember "Organization Management"
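
The procedure and the related commands above can be combined into one least-privilege review that lists every effective user who can run a sensitive cmdlet. This is an added example, not code from the original documentation; the function name Get-CmdletAccessReport is hypothetical, and it assumes a session that is already connected to Exchange or Exchange Online.

```powershell
# Added example. Get-CmdletAccessReport is a hypothetical helper name.
# It only calls cmdlets and properties that appear in the procedure above.
function Get-CmdletAccessReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Cmdlet,
        [string[]] $CmdletParameters
    )

    # Step 2: roles that contain the cmdlet and, if given, all of the parameters.
    $roleArgs = @{ Cmdlet = $Cmdlet }
    if ($CmdletParameters) { $roleArgs['CmdletParameters'] = $CmdletParameters }
    $roles = @(Get-ManagementRole @roleArgs)

    if ($roles.Count -eq 0) {
        # Same situation as "What if there are no results?" in Troubleshooting.
        Write-Warning "No management role contains '$Cmdlet' with the requested parameters."
        return
    }

    foreach ($role in $roles) {
        # Step 3, expanded to effective users so that members of role groups
        # are listed individually instead of as one group entry.
        $assignments = @(
            Get-ManagementRoleAssignment -Role $role.Name -GetEffectiveUsers -Delegating $false |
                Where-Object { $_.EffectiveUserName -ne 'All Group Members' }
        )

        if ($assignments.Count -eq 0) {
            # The role exists but is not assigned to anyone.
            [pscustomobject]@{
                Role              = $role.Name
                EffectiveUserName = $null
                RoleAssigneeType  = $null
                RoleAssigneeName  = $null
                AssignmentMethod  = 'Unassigned'
            }
            continue
        }

        foreach ($a in $assignments) {
            [pscustomobject]@{
                Role              = $role.Name
                EffectiveUserName = $a.EffectiveUserName
                RoleAssigneeType  = $a.RoleAssigneeType
                RoleAssigneeName  = $a.RoleAssigneeName
                AssignmentMethod  = $a.AssignmentMethod
            }
        }
    }
}

# Who can export mailbox content? (New-MailboxExportRequest is the export cmdlet
# named elsewhere on this page; substitute any cmdlet you want to review.)
Get-CmdletAccessReport -Cmdlet New-MailboxExportRequest |
    Sort-Object Role, EffectiveUserName |
    Format-Table -Auto Role, EffectiveUserName, RoleAssigneeName, AssignmentMethod
```

Rows whose Role begins with "My" are end-user roles, as described under Interpreting the results, and usually need less scrutiny than administrator role assignments.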


Enable or disable access to Exchange Online PowerShell
10/30/2019 • 3 minutes to read

Exchange Online PowerShell enables you to manage your Exchange Online organization from the command line.
By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators
can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online
PowerShell. Note that access to Exchange Online PowerShell doesn't give users extra administrative powers in
your organization. A user's capabilities in Exchange Online PowerShell are still defined by role-based access
control (RBAC) and the roles that are assigned to them.

What do you need to know before you begin?


Estimated time to complete each procedure: less than 5 minutes
Office 365 global admins have access to Exchange Online PowerShell, and can use the procedures in this
topic to configure Exchange Online PowerShell access for other users. For more information about
permissions in Exchange Online, see Feature Permissions in Exchange Online.
You can only use Exchange Online PowerShell to perform this procedure. To learn how to use Windows
PowerShell to connect to Exchange Online, see Connect to Exchange Online PowerShell.
For detailed information about OPath filter syntax in Exchange Online, see Additional OPATH syntax
information.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

Enable or disable access to Exchange Online PowerShell for a user


This example disables access to Exchange Online PowerShell for the user david@contoso.com.

Set-User -Identity david@contoso.com -RemotePowerShellEnabled $false

This example enables access to Exchange Online PowerShell for the user david@contoso.com.

Set-User -Identity david@contoso.com -RemotePowerShellEnabled $true

Disable access to Exchange Online PowerShell for many users


To prevent access to Exchange Online PowerShell for a specific group of existing users, you have the following
options:
Filter users based on an existing attribute: This method assumes that the target user accounts all share
a unique filterable attribute. Some attributes, such as Title, Department, address information, and telephone
number, are visible only when you use the Get-User cmdlet. Other attributes, such as
CustomAttribute1-15, are visible only when you use the Get-Mailbox cmdlet.
Use a list of specific users: After you generate the list of specific users, you can use that list to disable
their access to Exchange Online PowerShell.
Filter users based on an existing attribute
To disable access to Exchange Online PowerShell for any number of users based on an existing attribute, use the
following syntax:

$<VariableName> = <Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter>

$<VariableName> | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

This example removes access to Exchange Online PowerShell for all users whose Title attribute contains the value
"Sales Associate".

$DSA = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')"

$DSA | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

Use a list of specific users


To disable access to Exchange Online PowerShell for a list of specific users, use the following syntax:

$<VariableName> = Get-Content <text file>

$<VariableName> | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

This example uses the text file C:\My Documents\NoPowerShell.txt to identify the users by their accounts. The text
file must contain one account on each line as follows:

akol@contoso.com
tjohnston@contoso.com
kakers@contoso.com

After you populate the text file with the user accounts you want to update, run the following commands:

$NPS = Get-Content "C:\My Documents\NoPowerShell.txt"

$NPS | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}

View the Exchange Online PowerShell access for users


To view the Exchange Online PowerShell access status for a specific user, use the following syntax:

Get-User -Identity <UserIdentity> | Format-List RemotePowerShellEnabled

This example displays the Exchange Online PowerShell access status of the user named Sarah Jones.

Get-User -Identity "Sarah Jones" | Format-List RemotePowerShellEnabled

To display the Exchange Online PowerShell access status for all users, run the following command:

Get-User -ResultSize unlimited | Format-Table -Auto Name,DisplayName,RemotePowerShellEnabled

To display only those users who don't have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $false'

To display only those users who have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
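
Because every new account is allowed to use Exchange Online PowerShell by default, the view and disable commands above can be combined into an allowlist check: anyone who has access but is not on the list of approved administrators gets it removed. This is an added example, not code from the original documentation; the function name and the file C:\My Documents\PowerShellAdmins.txt (one user principal name per line) are hypothetical.

```powershell
# Added example. Disable-UnlistedRemotePowerShell and the allowlist path are
# hypothetical; Get-User, Set-User and RemotePowerShellEnabled come from this topic.
function Disable-UnlistedRemotePowerShell {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)] [string] $AllowListPath
    )

    # One account (user principal name) per line; blank lines are ignored.
    $allowed = @(
        Get-Content -LiteralPath $AllowListPath |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    )

    # An empty list would disable access for every account, including the
    # one running this function, so stop instead.
    if ($allowed.Count -eq 0) {
        throw "Allowlist '$AllowListPath' is empty; refusing to continue."
    }

    # Server-side filter from this topic: only accounts that currently have access.
    $enabled = @(Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true')

    foreach ($user in $enabled) {
        $upn = [string]$user.UserPrincipalName

        # -contains compares strings case-insensitively.
        if ($allowed -contains $upn) { continue }

        $changed = $false
        if ($PSCmdlet.ShouldProcess($upn, 'Set RemotePowerShellEnabled to $false')) {
            Set-User -Identity $user.DistinguishedName -RemotePowerShellEnabled $false
            $changed = $true
        }

        # One record per account that is outside the allowlist.
        [pscustomobject]@{
            Name              = $user.Name
            UserPrincipalName = $upn
            Changed           = $changed
        }
    }
}

# Dry run first: lists the accounts that would lose access without changing them.
Disable-UnlistedRemotePowerShell -AllowListPath 'C:\My Documents\PowerShellAdmins.txt' -WhatIf |
    Format-Table -Auto Name, UserPrincipalName, Changed
```

Make sure the account you are signed in with is on the allowlist before running the function without -WhatIf, and rerun the 'RemotePowerShellEnabled -eq $true' query afterwards to confirm that only approved accounts remain.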


Recipient filters in Exchange PowerShell commands
10/31/2019 • 8 minutes to read

You can use several Exchange Management Shell and Exchange Online PowerShell commands to filter a set of
recipients. You can create the following types of filters in an Exchange command:
Precanned filters
Custom filters using the RecipientFilter parameter
Custom filters using the Filter parameter
Custom filters using the ContentFilter parameter
Older versions of Exchange used LDAP filtering syntax to create custom address lists, global address lists (GALs),
email address policies, and distribution groups. In Exchange Server 2007 and later versions, OPATH filtering
syntax replaced LDAP filtering syntax.

Precanned filters
A precanned filter is a commonly used Exchange filter that you can use to meet a variety of recipient-filtering
criteria for creating dynamic distribution groups, email address policies, address lists, or GALs. With precanned
filters, you can use either Exchange PowerShell or the Exchange admin center (EAC). Using precanned filters,
you can do the following:
Determine the scope of recipients.
Add conditional filtering based on properties such as company, department, and state or region.
Add custom attributes for recipients. For more information, see Custom Attributes.
The following parameters are considered precanned filters:
IncludedRecipients
ConditionalCompany
ConditionalDepartment
ConditionalStateOrProvince
ConditionalCustomAttribute1 to ConditionalCustomAttribute15.
Precanned filters are available for the following cmdlets:
New-DynamicDistributionGroup
Set-DynamicDistributionGroup
New-EmailAddressPolicy
Set-EmailAddressPolicy
New-AddressList
Set-AddressList
New-GlobalAddressList
Set-GlobalAddressList
Precanned filter example
This example describes using precanned filters in the Exchange Management Shell to create a dynamic
distribution group. The syntax in this example is similar but not identical to the syntax you would use to create an
email address policy, address list, or GAL. When creating a precanned filter, you should ask the following
questions:
From which organizational unit (OU) do you want to include recipients? (This question corresponds to the
RecipientContainer parameter.)

NOTE
Selecting the OU for this purpose applies only when creating dynamic distribution groups, and not when creating email
address policies, address lists, or GALs.

What type of recipients do you want to include? (This question corresponds to the IncludedRecipients
parameter.)
What additional conditions do you want to include in the filter? (This question corresponds to the
ConditionalCompany, ConditionalDepartment, ConditionalStateOrProvince, and
ConditionalCustomAttribute parameters.)
This example creates the dynamic distribution group Contoso Finance for user mailboxes in the OU
Contoso.com/Users and specifies the condition to include only recipients who have the Department attribute
defined as Finance and the Company attribute defined as Contoso.

New-DynamicDistributionGroup -Name "Contoso Finance" -OrganizationalUnit Contoso.com/Users -RecipientContainer Contoso.com/Users -IncludedRecipients MailboxUsers -ConditionalDepartment "Finance" -ConditionalCompany "Contoso"

This example displays the properties of this new dynamic distribution group.

Get-DynamicDistributionGroup -Identity "Contoso Finance" | Format-List Recipient*,Included*

Custom filters using the RecipientFilter parameter


If precanned filters don't meet your needs for creating or modifying dynamic distribution groups, email address
policies, and address lists, you can create a custom filter by using the RecipientFilter parameter.
The recipient filter parameter is available for the following cmdlets:
New-DynamicDistributionGroup
Set-DynamicDistributionGroup
New-EmailAddressPolicy
Set-EmailAddressPolicy
New-AddressList
Set-AddressList
New-GlobalAddressList
Set-GlobalAddressList
For more information about the filterable properties you can use with the RecipientFilter parameter, see Filterable
properties for the RecipientFilter parameter.
Custom filter example
The following example uses the RecipientFilter parameter to create a dynamic distribution group. The syntax in
this example is similar but not identical to the syntax you use to create an email address policy, address list, or
GAL.
This example uses custom filters to create a dynamic distribution group for user mailboxes that have the
Company attribute defined as Contoso and the Office attribute defined as North Building.

New-DynamicDistributionGroup -Name AllContosoNorth -OrganizationalUnit contoso.com/Users -RecipientFilter "((RecipientType -eq 'UserMailbox') -and (Company -eq 'Contoso') -and (Office -eq 'North Building'))"

Custom filters using the Filter parameter


You can use the Filter parameter to filter the results of a command to specify which objects to retrieve. For
example, instead of retrieving all users or groups, you can specify a set of users or groups by using a filter string.
This type of filter doesn't modify any configuration or attributes of objects. It only modifies the set of objects that
the command returns.
Using the Filter parameter to modify command results is known as server-side filtering. Server-side filtering
submits the command and the filter to the server for processing. We also support client-side filtering, in which the
command retrieves all objects from the server and then applies the filter in the local console window. To perform
client-side filtering, use the Where-Object cmdlet. For more information about server-side and client-side
filtering, see "How to Filter Data" in Working with Command Output.
To find the filterable properties for cmdlets that have the Filter parameter, you can run the Get command against
an object and format the output by piping it to the Format-List cmdlet. Most of the returned values will be
available for use in the Filter parameter. The following example returns a detailed list for the mailbox Ayla.

Get-Mailbox -Identity Ayla | Format-List

The Filter parameter is available for the following recipient cmdlets:


Get-CASMailbox
Get-Contact
Get-DistributionGroup
Get-DynamicDistributionGroup
Get-Group
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup
For more information about the filterable properties you can use with the Filter parameter, see Filterable
properties for the Filter parameter.
Example
This example uses the Filter parameter to return information about users whose title contains the word
"manager".

Get-User -Filter "Title -like 'Manager*'"

Custom filters using the ContentFilter parameter


You can use the ContentFilter parameter to select specific message content to export when using the
New-MailboxExportRequest cmdlet. If the command finds a message that contains the match to the content filter, it
exports the message to a .pst file.
ContentFilter parameter example
This example creates an export request that searches Ayla's mailbox for messages where the body contains the
phrase "company prospectus". If that phrase is found, the command exports all messages with that phrase to a
.pst file.

New-MailboxExportRequest -Mailbox Ayla -ContentFilter "Body -like 'company prospectus*'"

For more information about the filterable properties that you can use with the ContentFilter parameter, see
Filterable properties for the ContentFilter parameter.

Additional OPATH syntax information


When creating your own custom OPath filters, consider the following items:
Use the following syntax to identify the types of values that you're searching for:
Text values: Enclose the text in single quotation marks (for example, 'Value' or
'Value with spaces'). Or, you can enclose a text value in double quotation marks, but that limits the
characters you can use to enclose the whole OPath filter.
Variables: Enclose variables that need to be expanded in single quotation marks (for example,
'$User'). If the variable value itself contains single quotation marks, you need to identify (escape)
the single quotation marks to expand the variable correctly. For example, instead of '$User', use
'$($User -Replace "'","''")'.

Integer values: You don't need to enclose integers (for example, 500). You can often enclose
integers in single quotation marks or double quotation marks, but that limits the characters you can
use to enclose the whole OPath filter.
System values: Don't enclose system values (for example, $true, $false, or $null). To enclose
the whole OPath filter in double quotation marks, you need to escape the dollar sign in the system value
(for example, `$true).
You need to enclose the whole OPath filter in double quotation marks " " or single quotation marks ' '.
Although any OPath filter object is technically a string and not a script block, you can still use braces { }, but
only if the filter doesn't contain variables that require expansion. The characters that you can use to enclose
the whole OPath filter depend on types of values that you're searching for and the characters you used (or
didn't use) to enclose those values:
Text values: Depends on how you enclosed the text to search for:
Text enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces.
Text enclosed in double quotation marks: Enclose the whole OPath filter in braces.
Variables: Enclose the whole OPath filter in double quotation marks (for example,
"Name -eq '$User'").

Integer values: Depends on how you enclosed (or didn't enclose) the integer to search for:
Integer not enclosed: Enclose the whole OPath filter in double quotation marks, single
quotation marks, or braces (for example, "CountryCode -eq 840").
Integer enclosed in single quotation marks: Enclose the whole OPath filter in double
quotation marks or braces (for example, "CountryCode -eq '840'").
Integer enclosed in double quotation marks: Enclose the whole OPath filter in braces (for
example, {CountryCode -eq "840"}).
System values: Enclose the whole OPath filter in single quotation marks or braces (for example,
'HiddenFromAddressListsEnabled -eq $true'). If you escape the dollar sign in the system value, you can also
enclose the whole OPath filter in double quotation marks (for example,
"HiddenFromAddressListsEnabled -eq `$true").

The compatibility of search criteria and the valid characters that you can use to enclose the whole OPath
filter are summarized in the following table:

SEARCH VALUE | OPATH FILTER ENCLOSED IN DOUBLE QUOTATION MARKS | OPATH FILTER ENCLOSED IN SINGLE QUOTATION MARKS | OPATH FILTER ENCLOSED IN BRACES

'Text'

"Text"

'$Variable'

500

'500'

"500"

$true

`$true

Include the hyphen before all operators. The most common operators include:
-and
-or
-not
-eq (equals)
-ne (not equal)
-lt (less than)
-gt (greater than)
-like (string comparison)
-notlike (string comparison)
Many filterable properties accept wildcard characters. If you use a wildcard character, use the -like operator
instead of the -eq operator. The -like operator is used to find pattern matches in rich types (for example,
strings) whereas the -eq operator is used to find an exact match.
For more information about operators you can use, see:
about_Logical_Operators
about_Comparison_Operators
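
The variable rule above matters whenever a filter is built from a value the script did not choose itself, such as a name read from a file or a help-desk form: an unescaped single quotation mark ends the text value early and the rest of the value is parsed as filter syntax. This is an added example, not code from the original documentation; the function names ConvertTo-OPathLiteral and New-OPathComparison and the sample names are constructed for illustration.

```powershell
# Added example. Function names and sample values are hypothetical.
# The escaping rule is the one given above: '$($User -Replace "'","''")'.

function ConvertTo-OPathLiteral {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyString()] [string] $Value
    )
    # Double every single quotation mark, then wrap the value in single
    # quotation marks so that it is always read as one text value.
    "'" + ($Value -replace "'", "''") + "'"
}

function New-OPathComparison {
    param(
        [Parameter(Mandatory = $true)] [string] $Property,
        [ValidateSet('-eq', '-ne', '-like', '-notlike')] [string] $Operator = '-eq',
        [Parameter(Mandatory = $true)] [AllowEmptyString()] [string] $Value
    )
    # Property names come from the script author, never from input;
    # reject anything that is not a plain identifier.
    if ($Property -notmatch '^[A-Za-z][A-Za-z0-9]*$') {
        throw "Unexpected property name: $Property"
    }
    '{0} {1} {2}' -f $Property, $Operator, (ConvertTo-OPathLiteral -Value $Value)
}

# Constructed sample values: one plain name and two that contain quotation marks.
$samples = 'Ayla', "Sean O'Brien", "Finance 'East' Team"

$comparison = foreach ($name in $samples) {
    [pscustomobject]@{
        Value     = $name
        # Plain expansion as in "Name -eq '$User'": breaks when the value has a quote.
        Unescaped = "Name -eq '$name'"
        # Escaped form: the whole value stays inside one text literal.
        Escaped   = New-OPathComparison -Property Name -Value $name
    }
}
$comparison | Format-List

# In a connected session, pass the escaped string to a Filter parameter, for example:
#   Get-User -Filter (New-OPathComparison -Property Name -Value $name)
```

For "Sean O'Brien" the unescaped string is Name -eq 'Sean O'Brien', which is not a valid filter, while the escaped string is Name -eq 'Sean O''Brien'.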

Recipient filter documentation


The following table contains links to topics that will help you learn more about the filterable properties that you
can use with Exchange recipient commands.

TOPIC | DESCRIPTION
Filterable properties for the RecipientFilter parameter | Learn more about the filterable properties that are available for the RecipientFilter parameter.
Filterable properties for the Filter parameter | Learn more about the filterable properties that are available for the Filter parameter.

Filterable properties for the Filter parameter
10/30/2019 • 46 minutes to read

You use the Filter parameter to create OPATH filters based on the properties of user and group objects in Exchange Server and Exchange Online. The Filter parameter is
available on these recipient cmdlets:
Get-CASMailbox
Get-Contact
Get-DistributionGroup
Get-DynamicDistributionGroup
Get-Group
Get-LinkedUser
Get-Mailbox
Get-MailContact
Get-MailPublicFolder
Get-MailUser
Get-Recipient
Get-RemoteMailbox
Get-SecurityPrincipal
Get-UMMailbox
Get-User
Get-UnifiedGroup
For more information, see Recipient filters in Exchange PowerShell commands.

NOTE
The Filter parameter is also available on other cmdlets (for example, Get-MailboxStatistics, Get-Queue, and Get-Message). However, the property values that are accepted by the Filter
parameter on these cmdlets aren't similar to the user and group properties that are described in this topic.

Filterable properties
The properties that have been confirmed to work with the Filter parameter in user and group cmdlets are described in the following table.
Notes:
The list might include:
Properties that are only used in one type of environment: Microsoft Office 365, on-premises Exchange, or hybrid. The property might exist on recipient objects
in all environments, but the value is only meaningful (a value other than blank or None) in one type of environment.
Properties that are present, but correspond to features that are no longer used in Exchange 2016 or later.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for these properties, which indicates that
the property is calculated (likely by Exchange).
Enclose the whole OPath filter in double quotation marks " ". If the filter contains system values (for example, $true , $false , or $null ), use single quotation marks ' '
instead. Although this parameter is a string (not a system block), you can also use braces { }, but only if the filter doesn't contain variables. For more information, see
Additional OPATH syntax information.
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'" ).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null' ).
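
The quoting rules in these notes matter most when a filter string is assembled from variables instead of typed by hand. The following PowerShell is an added example, not part of the original documentation: the function names ConvertTo-OPathLiteral and New-OPathClause are hypothetical, the sample values are constructed, and escaping an embedded single quote by doubling it is an assumption about OPATH string literals.

```powershell
Set-StrictMode -Version Latest

function ConvertTo-OPathLiteral {
    # Hypothetical helper: render a PowerShell value as the literal text
    # that belongs on the right-hand side of an OPATH comparison.
    param([AllowNull()][object]$Value)

    # System values must reach the cmdlet as the literal text $null/$true/$false,
    # so they are emitted from single-quoted strings and never expanded here.
    if ($null -eq $Value) { return '$null' }
    if ($Value -is [bool]) {
        if ($Value) { return '$true' } else { return '$false' }
    }
    if ($Value -is [int] -or $Value -is [long]) { return $Value.ToString() }

    # Text values: wrap in single quotes and double any embedded single quote
    # (assumed OPATH escape) so the value cannot end the literal early.
    return "'" + ($Value.ToString() -replace "'", "''") + "'"
}

function New-OPathClause {
    # Hypothetical helper: build one "(Property -operator value)" clause.
    param(
        # Property names are restricted to letters and digits, so a variable
        # can never smuggle operators or quotes into the property position.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9]*$')]
        [string]$Property,

        [Parameter(Mandatory)]
        [ValidateSet('eq', 'ne', 'like', 'notlike', 'lt', 'gt', 'le', 'ge')]
        [string]$Operator,

        [AllowNull()]
        [object]$Value
    )
    '({0} -{1} {2})' -f $Property, $Operator, (ConvertTo-OPathLiteral $Value)
}

# Constructed sample inputs: a name with an apostrophe, and a value from an
# untrusted source (for example a help-desk form) that contains quote characters.
$displayName = "Adele O'Brien"
$untrusted   = "x' -or Alias -like '*"

$filters = [ordered]@{
    Apostrophe   = New-OPathClause -Property DisplayName -Operator eq -Value $displayName
    Untrusted    = New-OPathClause -Property Alias -Operator eq -Value $untrusted
    ForwardingOn = New-OPathClause -Property ForwardingSmtpAddress -Operator ne -Value $null
    AuditOff     = New-OPathClause -Property AuditEnabled -Operator eq -Value $false
}

# Show the generated filter strings; each value stays inside one quoted literal.
$filters.GetEnumerator() | ForEach-Object { '{0,-13} {1}' -f $_.Key, $_.Value }

# Only query Exchange when the cmdlet is actually available in this session.
if (Get-Command Get-Mailbox -ErrorAction SilentlyContinue) {
    Get-Mailbox -ResultSize Unlimited -Filter $filters.ForwardingOn |
        Format-Table Name, ForwardingSmtpAddress, DeliverToMailboxAndForward
}
```

The last block reviews mailboxes that have an SMTP forwarding address set, using properties from the table that follows.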

PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS



AcceptMessagesOnlyFrom
LDAP display name: authOrig
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name of the individual recipient (a mailbox, mail user, or mail contact). For example:
    Get-DistributionGroup -Filter "AcceptMessagesOnlyFrom -eq 'CN=Yuudai Uchida,CN=Users,DC=contoso,DC=com'"
or
    Get-DistributionGroup -Filter "AcceptMessagesOnlyFrom -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of the individual recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

AcceptMessagesOnlyFromDLMembers
LDAP display name: dLMemSubmitPerms
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group (a distribution group, mail-enabled security group, or dynamic distribution group). For example:
    Get-Mailbox -Filter "AcceptMessagesOnlyFromDLMembers -eq 'CN=Marketing Department,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "AcceptMessagesOnlyFromDLMembers -eq 'contoso.com/Users/Marketing Department'"
To find the distinguished name of the group, replace <GroupIdentity> with the name, alias, or email address of the group, and run one of these commands:
    Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
or
    Get-DynamicDistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

ActiveSyncAllowedDeviceIDs
LDAP display name: msExchMobileAllowedDeviceIds
Available on cmdlets: Get-CASMailbox
Value: String (wildcards accepted) or $null
Comments: A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have ActiveSync partnerships with a mailbox. To see the device IDs on a mailbox, replace <MailboxIdentity> with the name, alias, or email address of the mailbox, and run this command:
    Get-MobileDevice -Mailbox <MailboxIdentity> | Format-List
After you have the device ID value, you can use it in the filter. For example:
    Get-CasMailbox -Filter "(ActiveSyncAllowedDeviceIDs -like '*text1') -or (ActiveSyncAllowedDeviceIDs -eq 'text2')"

ActiveSyncBlockedDeviceIDs
LDAP display name: msExchMobileBlockedDeviceIds
Available on cmdlets: Get-CASMailbox
Value: String (wildcards accepted) or $null
Comments: A device ID is a text string that uniquely identifies the device. Use the Get-MobileDevice cmdlet to see the devices that have ActiveSync partnerships with a mailbox. To see the device IDs on a mailbox, replace <MailboxIdentity> with the name, alias, or email address of the mailbox, and run this command:
    Get-MobileDevice -Mailbox <MailboxIdentity> | Format-List
After you have the device ID value, you can use it in a filter. For example:
    Get-CasMailbox -Filter "(ActiveSyncBlockedDeviceIDs -like '*text1') -or (ActiveSyncBlockedDeviceIDs -eq 'text2')"

ActiveSyncEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CasMailbox -Filter 'ActiveSyncEnabled -eq $false'

ActiveSyncMailboxPolicy
LDAP display name: msExchMobileMailboxPolicyLink
Available on cmdlets: Get-CASMailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the ActiveSync mailbox policy. For example:
    Get-CASMailbox -Filter "ActiveSyncMailboxPolicy -eq 'CN=Default,CN=Mobile Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of ActiveSync mailbox policies by running this command:
    Get-MobileDeviceMailboxPolicy | Format-List Name,DistinguishedName
Note: For the default assignment of the default ActiveSync mailbox policy (named Default) to a mailbox, the value of the ActiveSyncMailboxPolicy property is blank ($null).

ActiveSyncSuppressReadReceipt
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CasMailbox -Filter 'ActiveSyncSuppressReadReceipt -eq $true'

AddressBookPolicy
LDAP display name: msExchAddressBookPolicyLink
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the address book policy. For example:
    Get-Mailbox -Filter "AddressBookPolicy -eq 'CN=Contoso ABP,CN=AddressBook Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of address book policies by running this command:
    Get-AddressBookPolicy | Format-List Name,DistinguishedName

AddressListMembership
LDAP display name: showInAddressBook
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name of the address list. For example:
    Get-MailContact -Filter "AddressListMembership -eq 'CN=All Contacts,CN=All Address Lists,CN=Address Lists Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of address lists by running this command:
    Get-AddressList | Format-List Name,DistinguishedName

AdminDisplayName
LDAP display name: adminDisplayName
Available on cmdlets: Get-SecurityPrincipal
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-SecurityPrincipal -Filter 'AdminDisplayName -ne $null' | Format-Table -Auto Name,AdminDisplayName

AdministrativeUnits
LDAP display name: msExchAdministrativeUnitLink
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-User, Get-UnifiedGroup
Value: String or $null
Comments: For example:
    Get-User -Filter 'AdministrativeUnits -ne $null'

AggregatedMailboxGuids
LDAP display name: msExchAlternateMailboxes
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: For example:
    Get-Mailbox -Filter 'AggregatedMailboxGuids -ne $null'

Alias
LDAP display name: mailNickname
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example:
    Get-Recipient -Filter "Alias -like '*smith'"

AllowUMCallsFromNonUsers
LDAP display name: msExchUMListInDirectorySearch
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-UMMailbox, Get-User
Value: None (0) or SearchEnabled (1)
Comments: For example:
    Get-User -Filter "AllowUMCallsFromNonUsers -ne 'SearchEnabled'"

ArbitrationMailbox
LDAP display name: msExchArbitrationMailbox
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the arbitration mailbox. For example:
    Get-DistributionGroup -Filter "ArbitrationMailbox -eq 'CN=SystemMailbox{1f05a927-2e8f-4cbb-9039-2cfb8b95e486},CN=Users,DC=contoso,DC=com'"
You can find the distinguished names of arbitration mailboxes by running this command:
    Get-Mailbox -Arbitration | Format-List Name,DistinguishedName

ArchiveDatabase
LDAP display name: msExchArchiveDatabaseLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the archive mailbox database. For example:
    Get-Mailbox -Filter "ArchiveDatabase -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

ArchiveDomain
LDAP display name: msExchArchiveAddress
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: This property is used in on-premises Exchange environments to identify the Office 365 organization that holds the archive mailbox. For example:
    Get-Mailbox -Filter "ArchiveDomain -like '*contoso.onmicrosoft.com'"

ArchiveGuid
LDAP display name: msExchArchiveGUID
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the GUID of the archive mailbox. For example:
    Get-Mailbox -Filter "ArchiveGuid -eq '6476f55e-e5eb-4462-a095-f2cb585d648d'"
You can find the GUID of archive mailboxes by running this command:
    Get-Mailbox -Archive | Format-Table -Auto Name,ArchiveGUID

ArchiveName
LDAP display name: msExchArchiveName
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: This filter requires the name of the archive mailbox. For example:
    Get-Mailbox -Filter "ArchiveName -like 'In-Place Archive*'"
You can find the names of archive mailboxes by running this command:
    Get-Mailbox -Archive | Format-Table -Auto Name,ArchiveName

ArchiveQuota
LDAP display name: msExchArchiveQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "ArchiveQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "ArchiveQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.ArchiveQuota -<Operator> '<Size>'}
For example:
    Get-Mailbox | where {$_.ArchiveQuota -gt '85GB'}

ArchiveRelease
LDAP display name: msExchArchiveRelease
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-User
Value: None, E14, E15, or $null.
Comments: For example:
    Get-Recipient -Filter 'ArchiveRelease -ne $null'

ArchiveState
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient, Get-RemoteMailbox
Value: None (0), Local (1), HostedProvisioned (2), HostedPending (3), or OnPremise (4).
Comments: For example:
    Get-Recipient -Filter "ArchiveState -eq 'HostedProvisioned'"

ArchiveStatus
LDAP display name: msExchArchiveStatus
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: None (0) or Active (1).
Comments: For example:
    Get-Recipient -Filter "ArchiveStatus -eq 'Active'"

ArchiveWarningQuota
LDAP display name: msExchArchiveWarnQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "ArchiveWarningQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "ArchiveWarningQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.ArchiveWarningQuota -<Operator> '<Size>'}
For example:
    Get-Mailbox | where {$_.ArchiveWarningQuota -gt '85GB'}

AssistantName
LDAP display name: msExchAssistantName
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "AssistantName -like 'Julia*'"

AuditEnabled
LDAP display name: msExchMailboxAuditEnable
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'AuditEnabled -eq $true'

AuditLogAgeLimit
LDAP display name: msExchMailboxAuditLogAgeLimit
Available on cmdlets: Get-Mailbox, Get-UnifiedGroup
Value: A time span value: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.
Comments: You can't use the Filter parameter to look for time span values for this property. Instead, use this syntax:
    Get-Mailbox | where {$_.AuditLogAgeLimit -<Operator> '<TimeSpan>'}
For example:
    Get-Mailbox | where {$_.AuditLogAgeLimit -gt '60.00:00:00'}

BlockedSendersHash
LDAP display name: msExchBlockedSendersHash
Available on cmdlets: Get-Recipient
Value: Blank ($null) or a hashed value.
Comments: Realistically, you can only use this value to filter on blank or non-blank values. For example:
    Get-Recipient -Filter 'BlockedSendersHash -ne $null'

c
LDAP display name: c
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-SecurityPrincipal, Get-User
Value: String (wildcards accepted) or $null
Comments: This filter requires the ISO 3166-1 two-letter country code for the user (for example, US for the United States). This property is used together with the co and countryCode properties to define the user's country in Active Directory. For example:
    Get-User -Filter "c -eq 'US'"

CalendarLoggingQuota
LDAP display name: msExchCalendarLoggingQuota
Available on cmdlets: Get-Mailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "CalendarLoggingQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "CalendarLoggingQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.CalendarLoggingQuota -<Operator> '<Size>'}
For example:
    Get-Mailbox | where {$_.CalendarLoggingQuota -gt '10GB'}

CalendarRepairDisabled
LDAP display name: msExchCalendarRepairDisabled
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'CalendarRepairDisabled -eq $true'

CertificateSubject
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-User
Value: String or $null
Comments: The X509 certificate that's published for the user account (visible on the Published Certificates tab in Active Directory Users and Computers). For example,
Get-User -Filter "CertificateSubject -eq 'X509:
<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US
Smith
')

City
LDAP display name: l
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "City -eq 'Redmond'"

Company
LDAP display name: company
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Company -like 'Contoso*'"

ComplianceTagHoldApplied
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'ComplianceTagHoldApplied -eq $true'

ConsumerNetID
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-User
Value: String or $null
Comments: For example:
    Get-User -Filter 'ConsumerNetID -ne $null'

CountryCode
LDAP display name: countryCode
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-SecurityPrincipal, Get-User
Value: Integer
Comments: This filter requires the ISO 3166-1 three-digit country code for the user (for example, 840 for the United States). This property is used together with the c and co properties to define the user's country in Active Directory. For example:
    Get-User -Filter "countryCode -eq 796"

CountryOrRegion
LDAP display name: co
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-SecurityPrincipal, Get-User
Value: String
Comments: This filter requires the ISO 3166-1 country name for the user (for example, United States). You can select an available value in Active Directory Users and Computers (Address tab > Country/region field), or the Exchange admin center (user properties > Contact information tab > Country/Region field). When you select a user's country in Active Directory Users and Computers or the EAC, the corresponding values for the co and countryCode properties are automatically configured. For example:
    Get-User -Filter "CountryOrRegion -like 'United*'"

CustomAttribute1 to CustomAttribute15
LDAP display name: extensionAttribute1 to extensionAttribute15
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Recipient -Filter "CustomAttribute8 -like '*audited*'"

Database
LDAP display name: homeMDB
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String
Comments: This filter requires the distinguished name of the mailbox database. For example:
    Get-Mailbox -Filter "Database -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

DefaultPublicFolderMailbox
LDAP display name: msExchPublicFolderMailbox
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the public folder mailbox. For example:
    Get-Mailbox -Filter "DefaultPublicFolderMailbox -eq 'CN=PF Mailbox01,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "DefaultPublicFolderMailbox -eq 'contoso.com/Users/PF Mailbox01'"
To find the distinguished names of public folder mailboxes, run this command:
    Get-Mailbox -PublicFolder | Format-List Name,DistinguishedName

DeletedItemFlags
LDAP display name: deletedItemFlags
Available on cmdlets: Get-Mailbox, Get-SecurityPrincipal
Value: DatabaseDefault (0), RetainUntilBackupOrCustomPeriod (3), or RetainForCustomPeriod (5).
Comments: For example:
    Get-Mailbox -Filter "DeletedItemFlags -ne 'DatabaseDefault'"

DeliverToMailboxAndForward
LDAP display name: deliverAndRedirect
Available on cmdlets: Get-Mailbox, Get-MailPublicFolder, Get-MailUser
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'DeliverToMailboxAndForward -eq $true'

Department
LDAP display name: department
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Recipient -Filter "Department -like 'Engineering*'"

DirectReports
LDAP display name: directReports
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the direct report. For example:
    Get-User -Filter "DirectReports -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-User -Filter "DirectReports -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a direct report, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

DisabledArchiveDatabase
LDAP display name: msExchDisabledArchiveDatabaseLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the disabled archive mailbox database. For example:
    Get-Mailbox -Filter "DisabledArchiveDatabase -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

DisabledArchiveGuid
LDAP display name: msExchDisabledArchiveDatabaseGUID
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the GUID of the disabled archive mailbox. For example:
    Get-Mailbox -Filter "DisabledArchiveGuid -eq '6476f55e-e5eb-4462-a095-f2cb585d648d'"
You can find the GUID of archive mailboxes by running this command:
    Get-Mailbox -Archive | Format-Table -Auto Name,ArchiveGUID

DisplayName
LDAP display name: displayName
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example:
    Get-Recipient -Filter "DisplayName -like 'Julia*'"

DistinguishedName
LDAP display name: distinguishedName
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: This filter requires the distinguished name of the recipient. For example:
    Get-Mailbox -Filter "DistinguishedName -eq 'CN=Basho Kato,CN=Users,DC=contoso,DC=com'"
You can find the distinguished names of recipients by running this command:
    Get-Recipient | Format-List Name,RecipientType,DistinguishedName

EcpEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CASMailbox -Filter 'EcpEnabled -eq $false'

EmailAddresses
LDAP display name: proxyAddresses
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example:
    Get-Recipient -Filter "EmailAddresses -like '*marketing*'"
When you use a complete email address, you don't need to account for the smtp: prefix. If you use wildcards, you do. For example, if "EmailAddresses -eq 'lila@fabrikam.com'" returns a match, "EmailAddresses -like 'lila*'" won't return a match, but "EmailAddresses -like '*lila*'" or "EmailAddresses -like 'smtp:lila*'" will return a match.
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

EmailAddressPolicyEnabled
LDAP display name: n/a
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example:
    Get-Recipient -Filter 'EmailAddressPolicyEnabled -eq $false'

EntryId
LDAP display name: msExchPublicFolderEntryId
Available on cmdlets: Get-MailPublicFolder
Value: String (wildcards accepted)
Comments: For example:
    Get-MailPublicFolder -Filter "EntryId -like '*60000'"
You can find the entry IDs of mail-enabled public folders by running this command:
    Get-MailPublicFolder | Format-List Name,EntryId

EwsApplicationAccessPolicy
LDAP display name: msExchEwsApplicationAccessPolicy
Available on cmdlets: Get-CASMailbox
Value: EnforceAllowList, EnforceBlockList, or $null
Comments: For example:
    Get-CASMailbox -Filter 'EwsApplicationAccessPolicy -ne $null'

EwsEnabled
LDAP display name: msExchEwsEnabled
Available on cmdlets: Get-CASMailbox
Value: 0 (disabled), 1 (enabled) or $null.
Comments: For example:
    Get-CASMailbox -Filter "EwsEnabled -eq 1"

ExchangeGuid
LDAP display name: msExchMailboxGuid
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String
Comments: For example:
    Get-Mailbox -Filter "ExchangeGuid -eq 'c80a753d-bd4a-4e19-804a-6344d833ecd8'"
To find the Exchange GUID of a recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,ExchangeGuid
Note that an object's Exchange GUID value is different than its GUID value. Also, the Exchange GUID value for non-mailboxes (mail contacts, mail users, distribution groups, dynamic distribution groups, mail-enabled security groups, and mail-enabled public folders) is 00000000-0000-0000-0000-000000000000.

ExchangeUserAccountControl
LDAP display name: msExchUserAccountControl
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: None (0) or AccountDisabled (2)
Comments: For example:
    Get-Mailbox -Filter "ExchangeUserAccountControl -eq 'AccountDisabled'"

ExchangeVersion
LDAP display name: msExchVersion
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User
Value: Integer
Comments: This property contains the earliest version of Exchange that you can use to manage the recipient. The property values that you see are different than the values that you need to use in the filter. To see the ExchangeVersion property values, run this command:
    Get-Recipient | Format-Table Name,RecipientType,ExchangeVersion
For the Exchange 2010 value 0.10 (14.0.100.0), use the value 44220983382016 in the filter.
For the Exchange 2013 or Exchange 2016 value 0.20 (15.0.0.0), use the value 88218628259840 in the filter.
For example:
    Get-Recipient -Filter "ExchangeVersion -lt 88218628259840"

ExpansionServer
LDAP display name: msExchExpansionServerName
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Recipient
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Recipient -Filter "ExpansionServer -like '*Mailbox01'"
For an exact match, you need to use the ExchangeLegacyDN value of the server. For example:
    Get-Recipient -Filter "ExpansionServer -eq '/o=Contoso Corporation/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Mailbox01'"
You can find the ExchangeLegacyDN value by running this command:
    Get-ExchangeServer | Format-List Name,ExchangeLegacyDN

ExtensionCustomAttribute1 to ExtensionCustomAttribute5
LDAP display name: msExchExtensionCustomAttribute1 to msExchExtensionCustomAttribute5
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Recipient -Filter "ExtensionCustomAttribute5 -like '*audited*'"

ExternalDirectoryObjectId
LDAP display name: msExchExternalDirectoryObjectId
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-User, Get-UnifiedGroup
Value: String or $null
Comments: For example:
    Get-Recipient -Filter 'ExternalDirectoryObjectId -ne $null'

ExternalEmailAddress
LDAP display name: targetAddress
Available on cmdlets: Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Recipient -Filter "ExternalEmailAddress -like '*@fabrikam.com'"
When you use a complete email address, you don't need to account for the smtp: prefix. If you use wildcards, you do. For example, if "ExternalEmailAddress -eq 'lila@fabrikam.com'" returns a match, "ExternalEmailAddress -like 'lila*'" won't return a match, but "ExternalEmailAddress -like '*lila*'" or "ExternalEmailAddress -like 'smtp:lila*'" will return a match.

ExternalOofOptions
LDAP display name: msExchExternalOOFOptions
Available on cmdlets: Get-Mailbox
Value: External (0) or InternalOnly (1)
Comments: For example:
    Get-Mailbox -Filter "ExternalOofOptions -eq 'External'"

Fax
LDAP display name: facsimileTelephoneNumber
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Fax -like '206*'"

FirstName
LDAP display name: givenName
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "FirstName -like 'Chris*'"

ForwardingAddress
LDAP display name: altRecipient
Available on cmdlets: Get-Mailbox, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the forwarding recipient. For example:
    Get-Mailbox -Filter "ForwardingAddress -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "ForwardingAddress -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a forwarding recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName

ForwardingSmtpAddress
LDAP display name: msExchGenericForwardingAddress
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Mailbox -Filter "ForwardingSmtpAddress -like '*@fabrikam.com'"
When you use a complete email address, you don't need to account for the smtp: prefix. If you use wildcards, you do. For example, if "ForwardingSmtpAddress -eq 'lila@fabrikam.com'" returns a match, "ForwardingSmtpAddress -like 'lila*'" won't return a match, but "ForwardingSmtpAddress -like '*lila*'" or "ForwardingSmtpAddress -like 'smtp:lila*'" will return a match.

GeneratedOfflineAddressBooks
LDAP display name: msExchOABGeneratingMailboxBL
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This property is only meaningful on arbitration mailboxes, so you need to use the Arbitration switch in the filter command. Also, this filter requires the distinguished name of the offline address book. For example:
    Get-Mailbox -Arbitration -Filter "GeneratedOfflineAddressBooks -eq 'CN=OAB 1,CN=Offline Address Lists,CN=Address Lists Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of offline address books by running this command:
    Get-OfflineAddressBook | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

GrantSendOnBehalfTo
LDAP display name: publicDelegates
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the mail-enabled security principal (mailbox, mail user, or mail-enabled security group). For example:
    Get-Mailbox -Filter "GrantSendOnBehalfTo -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "GrantSendOnBehalfTo -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a mail-enabled security principal, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

GroupMemberCount
LDAP display name: n/a
Available on cmdlets: Get-UnifiedGroup
Value: Integer
Comments: For example:
    Get-UnifiedGroup -Filter "GroupMemberCount -gt 100"

GroupExternalMemberCount
LDAP display name: n/a
Available on cmdlets: Get-UnifiedGroup
Value: Integer
Comments: For example:
    Get-UnifiedGroup -Filter "GroupExternalMemberCount -gt 0"

GroupType
LDAP display name: groupType
Available on cmdlets: Get-DistributionGroup, Get-Group, Get-UnifiedGroup
Value: None (0), Global (2), DomainLocal (4), BuiltinLocal (5), Universal (8), or SecurityEnabled (-2147483648).
Comments: Distribution groups have the value Universal, and mail-enabled security groups have the value Universal, SecurityEnabled. You can specify multiple values separated by commas, and the order doesn't matter. For example,
    Get-DistributionGroup -Filter "GroupType -eq 'Universal,SecurityEnabled'"
returns the same results as
    Get-DistributionGroup -Filter "GroupType -eq 'SecurityEnabled,Universal'"
This multivalued property will only return a match if the property equals the specified value.

Guid
LDAP display name: objectGuid
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: For example:
    Get-Recipient -Filter "Guid -eq '8a68c198-be28-4a30-83e9-bffb760c65ba'"
You can find the GUIDs of recipients by running this command:
    Get-Recipient | Format-List Name,RecipientType,Guid
Note that an object's GUID value is different than its Exchange GUID value.

HasActiveSyncDevicePartnership
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Recipient
Value: Boolean ($true or $false)
Comments: For example:
    Get-Recipient -Filter 'HasActiveSyncDevicePartnership -eq $true'

HiddenFromAddressListsEnabled
LDAP display name: msExchHideFromAddressLists
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example:
    Get-Recipient -Filter 'HiddenFromAddressListsEnabled -eq $true'

HiddenGroupMembershipEnabled
LDAP display name: hideDLMembership
Available on cmdlets: Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example:
    Get-UnifiedGroup -Filter 'HiddenGroupMembershipEnabled -eq $true'
PROPERTY NAME LDAP DISPLAY NAME AVAILABLE ON CMDLETS VALUE COMMENTS

HomePhone
LDAP display name: homePhone
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "HomePhone -like '206*'"

Id
LDAP display name: distinguishedName
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-User, Get-SecurityPrincipal, Get-UnifiedGroup
Value: String
Comments: This filter requires the distinguished name or canonical distinguished name of the recipient. For example:
    Get-Mailbox -Filter "Id -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "Id -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName

IgnoreMissingFolderLink
LDAP display name: n/a
Available on cmdlets: Get-MailPublicFolder
Value: Boolean ($true or $false)
Comments: For example:
    Get-MailPublicFolder -Filter 'IgnoreMissingFolderLink -eq $true'

ImapEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CASMailbox -Filter 'ImapEnabled -eq $false'

ImmutableId
LDAP display name: msExchGenericImmutableId
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: For example:
    Get-Mailbox -Filter 'ImmutableId -ne $null'

IncludeInGarbageCollection
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IncludeInGarbageCollection -eq $true'

Initials
LDAP display name: initials
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Initials -like 'B.'"

InPlaceHolds
LDAP display name: msExchUserHoldPolicies
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String
Comments: This filter requires the InPlaceHoldIdentity value of the mailbox search. For example:
    Get-Mailbox -Filter "InPlaceHolds -eq '9d0f81154cc64c6b923ecc0be5ced0d7'"
To find the InPlaceHoldIdentity values of mailbox searches, run this command:
    Get-MailboxSearch | Format-Table Name,InPlaceHoldIdentity
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

InPlaceHoldsRaw
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-User
Value: String
Comments: This filter requires the InPlaceHoldIdentity value of the mailbox search. For example:
    Get-Mailbox -Filter "InPlaceHoldsRaw -eq '9d0f81154cc64c6b923ecc0be5ced0d7'"
To find the InPlaceHoldIdentity values of mailbox searches, run this command:
    Get-MailboxSearch | Format-Table Name,InPlaceHoldIdentity
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

IsDirSynced
LDAP display name: msExchIsMSODirsynced
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailUser, Get-RemoteMailbox, Get-User, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example:
    Get-User -Filter 'IsDirSynced -eq $true'

IsExcludedFromServingHierarchy
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsExcludedFromServingHierarchy -eq $true'

IsHierarchyReady
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsHierarchyReady -eq $false'

IsHierarchySyncEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsHierarchySyncEnabled -eq $false'

IsInactiveMailbox
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsInactiveMailbox -eq $false'

IsLinked
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-User
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsLinked -eq $true'

IsMailboxEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsMailboxEnabled -eq $false'

IsResource
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsResource -eq $true'

IsSecurityPrincipal
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-User
Value: Boolean ($true or $false)
Comments: For example:
    Get-User -Filter 'IsSecurityPrincipal -eq $false'

IsShared
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsShared -eq $true'

IsSoftDeletedByDisable
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsSoftDeletedByDisable -eq $true'

IsSoftDeletedByRemove
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'IsSoftDeletedByRemove -eq $true'

IssueWarningQuota
LDAP display name: mDBStorageQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "IssueWarningQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "IssueWarningQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where "$_.IssueWarningQuota -<Operator> '<Size>'"
For example:
    Get-Mailbox | where "$_.IssueWarningQuota -lt '50GB'"

JournalArchiveAddress
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String
Comments: This property uses an SMTP email address. For example:
    Get-Mailbox -Filter "JournalArchiveAddress -eq 'michelle@contoso.com'"

LanguagesRaw
LDAP display name: msExchUserCulture
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: This property is named Languages in the properties of a mailbox, and it contains the language preference for the mailbox in the format <ISO 639 two-letter culture code>-<ISO 3166 two-letter subculture code>. For example, United States English is en-US. For more information, see CultureInfo Class.
You can specify multiple values separated by commas, but the order matters. For example,
    Get-Mailbox -Filter "LanguagesRaw -eq 'en-US,es-MX'"
returns different results than
    Get-Mailbox -Filter "LanguagesRaw -eq 'es-MX,en-US'"
For single values, this multivalued property will return a match if the property contains the specified value.

LastExchangeChangedTime
LDAP display name: msExchLastExchangeChangedTime
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: A date/time value or $null
Comments: For example:
    Get-Mailbox -Filter 'LastExchangeChangedTime -ne $null'

LegacyExchangeDN
LDAP display name: legacyExchangeDN
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example:
    Get-User -Filter "LegacyExchangeDN -like '*-Osca'"
You can find LegacyExchangeDN values for users by running this command:
    Get-User | Format-List Name,LegacyExchangeDN

LitigationHoldDate
LDAP display name: msExchLitigationHoldDate
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A date/time value or $null
Comments: For example:
    Get-Mailbox -Filter "LitigationHoldDate -gt '8/13/2017'"

LitigationHoldEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-Mailbox -Filter 'LitigationHoldEnabled -eq $true'

LitigationHoldOwner
LDAP display name: msExchLitigationHoldOwner
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: This property uses the user principal name of the litigation hold owner. For example:
    Get-Mailbox -Filter "LitigationHoldOwner -eq 'agruber@contoso.com'"

LastName
LDAP display name: sn
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "LastName -like 'Martin*'"

MailboxContainerGUID
LDAP display name: msExchMailboxContainerGuid
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: For example:
    Get-Mailbox -Filter 'MailboxContainerGUID -ne $null'

MailboxMoveBatchName
LDAP display name: msExchMailboxMoveBatchName
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: This property includes the name of the migration batch. For example:
    Get-Mailbox -Filter "MailboxMoveBatchName -like '*LocalMove 01*'"
You can find the names of migration batches by running the Get-MigrationBatch command. Note that migration batches that you create in the Exchange admin center use the naming convention MigrationService:<MigrationBatchName>.

MailboxMoveFlags
LDAP display name: msExchMailboxMoveFlags
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: For valid values, see the description of the Flags parameter in Get-MoveRequest.
Comments: For example:
    Get-Mailbox -Filter "MailboxMoveFlags -ne 'None'"
You can specify multiple values separated by commas, and the order doesn't matter. For example,
    Get-Recipient -Filter "MailboxMoveFlags -eq 'IntraOrg,Pull'"
returns the same results as
    Get-Recipient -Filter "MailboxMoveFlags -eq 'Pull,IntraOrg'"
This multivalued property will only return a match if the property equals the specified value.

MailboxMoveRemoteHostName
LDAP display name: msExchMailboxMoveRemoteHostName
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: For example:
    Get-Mailbox -Filter 'MailboxMoveRemoteHostName -ne $null'

MailboxMoveSourceMDB
LDAP display name: msExchMailboxMoveSourceMDBLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the source mailbox database. For example:
    Get-Mailbox -Filter "MailboxMoveSourceMDB -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

MailboxMoveStatus
LDAP display name: msExchMailboxMoveStatus
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: For valid values, see the description of the MoveStatus parameter in Get-MoveRequest.
Comments: For example:
    Get-Mailbox -Filter "MailboxMoveStatus -eq 'Completed'"

MailboxMoveTargetMDB
LDAP display name: msExchMailboxMoveTargetMDBLink
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the target mailbox database. For example:
    Get-Mailbox -Filter "MailboxMoveTargetMDB -eq 'CN=MBX DB02,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of mailbox databases by running this command:
    Get-MailboxDatabase | Format-List Name,DistinguishedName

MailboxPlan
LDAP display name: msExchParentPlanLink
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: Mailbox plans correspond to Office 365 license types. The availability of a license plan is determined by the selections that you make when you enroll your domain. For example:
    Get-Mailbox -Filter 'MailboxPlan -ne $null'

MailboxRelease
LDAP display name: msExchMailboxRelease
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-User
Value: None, E14, E15, or $null.
Comments: For example:
    Get-Recipient -Filter 'MailboxRelease -ne $null'

MailTipTranslations
LDAP display name: msExchSenderHintTranslations
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: When you use this property in a filter, you need to account for the leading and trailing HTML tags. For example:
    Get-DistributionGroup -Filter "MailTipTranslations -like '*is not monitored.*'"

ManagedBy
LDAP display name: managedBy
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-Recipient, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group owner (a mail-enabled security principal, which is a mailbox, mail user, or mail-enabled security group). For example:
    Get-Mailbox -Filter "ManagedBy -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "ManagedBy -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a mail-enabled security principal, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

ManagedFolderMailboxPolicy
LDAP display name: msExchMailboxTemplateLink
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: Managed folder mailbox policies aren't available in Exchange 2013 or later. For example:
    Get-Mailbox -Filter 'ManagedFolderMailboxPolicy -eq $null'
This filter requires the distinguished name of the managed folder mailbox policy. For example:
    Get-Mailbox -Filter "ManagedFolderMailboxPolicy -eq 'CN=MFM Inbox Policy,CN=ELC Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of managed folder mailbox policies on Exchange 2010 servers by running this command:
    Get-ManagedFolderMailboxPolicy | Format-List Name,DistinguishedName

Manager
LDAP display name: manager
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the manager (a mailbox or mail user). For example:
    Get-User -Filter "Manager -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "Manager -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a manager, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName

MAPIEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CASMailbox -Filter 'MAPIEnabled -eq $false'

MasterAccountSid
LDAP display name: msExchMasterAccountSid
Available on cmdlets: Get-Mailbox, Get-LinkedUser, Get-Recipient, Get-SecurityPrincipal, Get-User
Value: String or $null
Comments: For example:
    Get-Mailbox -Filter 'MasterAccountSid -ne $null'
This value is blank ($null) for mailboxes with associated user accounts, and S-1-5-10 (Self) for mailboxes without associated user accounts (for example, shared mailboxes, resource mailboxes, discovery search mailboxes, arbitration mailboxes, and public folder mailboxes).

MaxBlockedSenders
LDAP display name: msExchMaxBlockedSenders
Available on cmdlets: Get-Mailbox
Value: Integer or $null
Comments: For example:
    Get-Mailbox -Filter "MaxBlockedSenders -gt 0"

MaxReceiveSize
LDAP display name: delivContLength
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: A byte quantified size value (for example, 75MB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "MaxReceiveSize -eq 'Unlimited'"
or
    Get-Mailbox -Filter "MaxReceiveSize -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where "$_.MaxReceiveSize -<Operator> '<Size>'"
For example:
    Get-Mailbox | where "$_.MaxReceiveSize -gt '50GB'"

MaxSafeSenders
LDAP display name: msExchMaxSafeSenders
Available on cmdlets: Get-Mailbox
Value: Integer or $null
Comments: For example:
    Get-Mailbox -Filter "MaxSafeSenders -gt 0"

MaxSendSize
LDAP display name: submissionContLength
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: A byte quantified size value (for example, 75MB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "MaxSendSize -eq 'Unlimited'"
or
    Get-Mailbox -Filter "MaxSendSize -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where "$_.MaxSendSize -<Operator> '<Size>'"
For example:
    Get-Mailbox | where "$_.MaxSendSize -gt '50GB'"

MemberDepartRestriction
LDAP display name: msExchGroupDepartRestriction
Available on cmdlets: Get-DistributionGroup
Value: Closed (0), Open (1), or ApprovalRequired (2).
Comments: For example:
    Get-DistributionGroup -Filter "MemberDepartRestriction -eq 'ApprovalRequired'"

MemberJoinRestriction
LDAP display name: msExchGroupDepartRestriction
Available on cmdlets: Get-DistributionGroup
Value: Closed (0), Open (1), or ApprovalRequired (2).
Comments: For example:
    Get-DistributionGroup -Filter "MemberJoinRestriction -eq 'ApprovalRequired'"

MemberOfGroup
LDAP display name: memberOf
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the distribution group or mail-enabled security group. For example:
    Get-User -Filter "MemberOfGroup -eq 'CN=Marketing Department,CN=Users,DC=contoso,DC=com'"
or
    Get-User -Filter "MemberOfGroup -eq 'contoso.com/Users/Marketing Group'"
To find the distinguished name of a group, replace <GroupIdentity> with the name, alias, or email address of the group, and run this command:
    Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

Members
LDAP display name: member
Available on cmdlets: Get-DistributionGroup, Get-Group, Get-Recipient, Get-SecurityPrincipal
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group member. For example:
    Get-Group -Filter "Members -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-User -Filter "Members -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a group member, replace <RecipientIdentity> with the name, alias, or email address of the group member, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

MobilePhone
LDAP display name: mobile
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "MobilePhone -like '*5555'"

ModeratedBy
LDAP display name: msExchModeratedByLink
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String
Comments: This filter requires the distinguished name or canonical distinguished name of the group moderator (a mail-enabled security principal, which is a mailbox, mail-user, or mail-enabled security group). For example:
    Get-DistributionGroup -Filter "ModeratedBy -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-DistributionGroup -Filter "ModeratedBy -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a mail-enabled security principal, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

ModerationEnabled
LDAP display name: msExchEnableModeration
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example:
    Get-DistributionGroup -Filter 'ModerationEnabled -eq $true'

Name
LDAP display name: name
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example:
    Get-User -Filter "Name -like 'Laura*'"

NetID
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-User
Value: String or $null
Comments: This property is populated for Office 365 mailboxes in hybrid environments. A sample value is 1003BFFD9A0CFA03. For example:
    Get-User -Filter 'NetId -ne $null'

Notes
LDAP display name: info
Available on cmdlets: Get-Contact, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Recipient, Get-User, Get-UnifiedGroup
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Notes -like '*Events Team*'"

ObjectCategory
LDAP display name: objectCategory
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: This filter requires the canonical distinguished name of the object. The value uses the syntax <domain>/Configuration/Schema/<Type>. Valid <Type> values are: Person for mailboxes, mail users, and mail contacts, Group for distribution groups, mail-enabled security groups and Office 365 groups, ms-Exch-Public-Folder for mail-enabled public folders, and ms-Exch-Dynamic-Distribution-List for dynamic distribution groups. For example:
    Get-Recipient -Filter "ObjectCategory -eq 'contoso.com/Configuration/Schema/Group'"

ObjectClass
LDAP display name: objectClass
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: String
Comments: The value of this property is:
    top, person, organizationalPerson, user for mailboxes and mail users
    top, person, organizationalPerson, contact for mail contacts
    top, group for distribution groups, mail-enabled security groups and Office 365 groups
    msExchDynamicDistributionList for dynamic distribution groups
    top, publicFolder for mail-enabled public folders
For example:
    Get-Recipient -Filter "ObjectClass -eq 'Contact'"
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

Office
LDAP display name: physicalDeliveryOfficeName
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Mailbox, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Office -like '22*'"

OfflineAddressBook
LDAP display name: msExchUseOAB
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name of the offline address book. For example:
    Get-Mailbox -Arbitration -Filter "OfflineAddressBook -eq 'CN=OAB 1,CN=Offline Address Lists,CN=Address Lists Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of offline address books by running this command:
    Get-OfflineAddressBook | Format-List Name,DistinguishedName

OnPremisesObjectId
LDAP display name: n/a
Available on cmdlets: Get-MailPublicFolder
Value: String or $null
Comments: For example:
    Get-MailPublicFolder -Filter 'OnPremisesObjectId -ne $null'

OperatorNumber
LDAP display name: msExchUMOperatorNumber
Available on cmdlets: Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-UMMailbox -Filter "OperatorNumber -eq 5"

OtherFax
LDAP display name: otherFacsimileTelephoneNumber
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "OtherFax -like '206*'"

OtherHomePhone
LDAP display name: otherHomePhone
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "OtherHomePhone -like '206*'"

OtherTelephone
LDAP display name: otherTelephone
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "OtherTelephone -like '206*'"

OWAEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: The filter operates backwards. For example,
    Get-CASMailbox -Filter 'OWAEnabled -eq $true'
returns mailboxes where the OWAEnabled property is False, and
    Get-CASMailbox -Filter 'OWAEnabled -eq $false'
returns mailboxes where the OWAEnabled property is True.

OWAforDevicesEnabled
LDAP display name: msExchOmaAdminWirelessEnable
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CASMailbox -Filter 'OWAForDevicesEnabled -eq $true'

OWAMailboxPolicy
LDAP display name: msExchOWAPolicy
Available on cmdlets: Get-CASMailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the Outlook on the web mailbox policy (formerly known as an Outlook Web App mailbox policy). For example:
    Get-CASMailbox -Filter "OWAMailboxPolicy -eq 'CN=Default,CN=OWA Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
You can find the distinguished names of Outlook on the web mailbox policies by running this command:
    Get-OwaMailboxPolicy | Format-List Name,DistinguishedName

Pager
LDAP display name: pager
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Pager -like '206*'"

PersistedCapabilities
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String or $null
Comments: Typically, the value of this property is something other than $null (blank) for Office 365 accounts and mailboxes. For more information about the valid property values, see Capability enumeration. For example:
    Get-Mailbox -Filter 'PersistedCapabilities -ne $null'
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

Phone
LDAP display name: telephoneNumber
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "Phone -like '206*'"

PhoneProviderId
LDAP display name: msExchUMPhoneProvider
Available on cmdlets: Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-UMMailbox -Filter "PhoneProviderId -like '*206*'"

PhoneticDisplayName
LDAP display name: msDS-PhoneticDisplayName
Available on cmdlets: Get-Contact, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-MailPublicFolder, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "PhoneticDisplayName -like '*Lila*'"

PoliciesExcluded
LDAP display name: msExchPoliciesExcluded
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: For example:
    Get-Recipient -Filter 'PoliciesExcluded -ne $null'

PoliciesIncluded
LDAP display name: msExchPoliciesIncluded
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: For example:
    Get-Recipient -Filter 'PoliciesIncluded -eq $null'

PopEnabled
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox
Value: Boolean ($true or $false)
Comments: For example:
    Get-CASMailbox -Filter 'POPEnabled -eq $false'

PostalCode
LDAP display name: postalCode
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-Recipient -Filter "PostalCode -eq 90210"

PostOfficeBox
LDAP display name: postOfficeBox
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example:
    Get-User -Filter "PostOfficeBox -like '*555*'"

PreviousRecipientTypeDetails
LDAP display name: msExchPreviousRecipientTypeDetails
Available on cmdlets: Get-LinkedUser, Get-User
Value: String or $null
Comments: For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient. For example:
    Get-User -Filter 'PreviousRecipientTypeDetails -ne $null'

PrimarySmtpAddress
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-UnifiedGroup
Value: String (wildcards accepted)
Comments: For example:
    Get-Recipient -Filter "PrimarySMTPAddress -like 'vasil*'"

ProhibitSendQuota
LDAP display name: mDBOverQuotaLimit
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "ProhibitSendQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "ProhibitSendQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where "$_.ProhibitSendQuota -<Operator> '<Size>'"
For example:
    Get-Mailbox | where "$_.ProhibitSendQuota -lt '70GB'"

ProhibitSendReceiveQuota
LDAP display name: mDBOverHardQuotaLimit
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example:
    Get-Mailbox -Filter "ProhibitSendReceiveQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "ProhibitSendReceiveQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where "$_.ProhibitSendReceiveQuota -<Operator> '<Size>'"
For example:
    Get-Mailbox | where "$_.ProhibitSendReceiveQuota -lt '70GB'"

ProtocolSettings
LDAP display name: protocolSettings
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: The default value of this property on mailboxes is RemotePowerShell§1. This property is populated with additional values when you use Set-CASMailbox to disable protocols (for example, POP3 or IMAP4). For example:
    Get-Mailbox -Filter "ProtocolSettings -like '*POP3*'"

PublicFolderContacts
LDAP display name: pFContacts
Available on cmdlets: Get-MailPublicFolder
Value: String or $null
Comments: This property is displayed as Contacts in the results of the command
    Get-MailPublicFolder -Identity <PublicFolderIdentity> | Format-List
but you need to use the property name PublicFolderContacts in the filter.
This filter requires the distinguished name or canonical distinguished name of the public folder contact. For example:
    Get-MailPublicFolder -Filter "PublicFolderContacts -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'"
or
    Get-MailPublicFolder -Filter "PublicFolderContacts -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of a public folder contact, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

QueryBaseDN
LDAP display name: msExchQueryBaseDN
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This property was used in Exchange 2007 global address list segregation to specify a location in Active Directory. This feature was replaced by address book policies in Exchange 2010 Service Pack 2, so the value of this property should always be blank ($null). For example:
    Get-Mailbox -Filter 'QueryBaseDN -ne $null'

RecipientContainer
LDAP display name: msExchDynamicDLBaseDN
Available on cmdlets: Get-DynamicDistributionGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the organizational unit or container in Active Directory. For example:
    Get-DynamicDistributionGroup -Filter "RecipientContainer -eq 'CN=Users,DC=contoso,DC=com'"
or
    Get-DynamicDistributionGroup -Filter "RecipientContainer -eq 'contoso.com/Users'"
To find the distinguished names or canonical distinguished names of organizational units and containers in Active Directory, run this command:
    Get-OrganizationalUnit -IncludeContainers | Format-List Name,DistinguishedName,ID

RecipientLimits
LDAP display name: msExchRecipLimit
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: Integer or Unlimited
Comments: For example,
    Get-Mailbox -Filter "RecipientLimits -ne 'Unlimited'"

RecipientType
LDAP display name: n/a
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-User, Get-UnifiedGroup
Value: DynamicDistributionGroup, MailContact, MailNonUniversalGroup, MailUniversalDistributionGroup, MailUniversalSecurityGroup, MailUser, PublicFolder or UserMailbox
Comments: For example,
    Get-Recipient -Filter "RecipientType -eq 'MailContact'"

RecipientTypeDetails
LDAP display name: n/a
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-User, Get-UnifiedGroup
Value: String
Comments: For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient. For example,
    Get-Recipient -Filter "RecipientTypeDetails -eq 'SharedMailbox'"

RecoverableItemsQuota
LDAP display name: msExchDumpsterQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "RecoverableItemsQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "RecoverableItemsQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.RecoverableItemsQuota -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.RecoverableItemsQuota -gt '35GB'}

RecoverableItemsWarningQuota
LDAP display name: msExchDumpsterWarningQuota
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A byte quantified size value (for example, 300MB or 1.5GB), or Unlimited. Unqualified values are treated as bytes.
Comments: You can only use the Filter parameter to look for the value Unlimited for this property. For example,
    Get-Mailbox -Filter "RecoverableItemsWarningQuota -eq 'Unlimited'"
or
    Get-Mailbox -Filter "RecoverableItemsWarningQuota -ne 'Unlimited'"
You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.RecoverableItemsWarningQuota -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.RecoverableItemsWarningQuota -gt '25GB'}

RejectMessagesFrom
LDAP display name: unauthOrig
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name of the individual recipient (a mailbox, mail user, or mail contact). For example,
    Get-DistributionGroup -Filter "RejectMessagesFrom -eq 'CN=Yuudai Uchida,CN=Users,DC=contoso,DC=com'"
or
    Get-DistributionGroup -Filter "RejectMessagesFrom -eq 'contoso.com/Users/Angela Gruber'"
To find the distinguished name of the individual recipient, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command:
    Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

RejectMessagesFromDLMembers
LDAP display name: dLMemRejectPerms
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UnifiedGroup
Value: String or $null
Comments: This filter requires the distinguished name or canonical distinguished name of the group (a distribution group, mail-enabled security group, or dynamic distribution group). For example,
    Get-Mailbox -Filter "RejectMessagesFromDLMembers -eq 'CN=Marketing Department,CN=Users,DC=contoso,DC=com'"
or
    Get-Mailbox -Filter "RejectMessagesFromDLMembers -eq 'contoso.com/Users/Marketing Department'"
To find the distinguished name of the group, replace <GroupIdentity> with the name, alias, or email address of the group, and run one of these commands:
    Get-DistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
or
    Get-DynamicDistributionGroup -Identity "<GroupIdentity>" | Format-List Name,DistinguishedName
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

RemoteAccountPolicy
LDAP display name: msExchSyncAccountsPolicyDN
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name of the remote account policy. For example,
    Get-Mailbox -Filter "RemoteAccountPolicy -eq 'CN=Contoso Remote Account Policy,CN=Remote Accounts Policies Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"

RemotePowerShellEnabled
LDAP display name: n/a
Available on cmdlets: Get-User
Value: Boolean ($true or $false)
Comments: For example,
    Get-User -Filter 'RemotePowerShellEnabled -eq $false'

RemoteRecipientType
LDAP display name: msExchRemoteRecipientType
Available on cmdlets: Get-Mailbox, Get-RemoteMailbox
Value: None (0), ProvisionMailbox (1), ProvisionArchive (2), Migrated (4), DeprovisionMailbox (8), DeprovisionArchive (16), RoomMailbox (32), EquipmentMailbox (64), SharedMailbox (96), TeamMailbox (128), or $null.
Comments: For example,
    Get-RemoteMailbox -Filter "RemoteRecipientType -eq 'ProvisionMailbox'"

ReportToManagerEnabled
LDAP display name: reportToOwner
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-DistributionGroup -Filter 'ReportToManagerEnabled -eq $true'

ReportToOriginatorEnabled
LDAP display name: reportToOriginator
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-DistributionGroup -Filter 'ReportToOriginatorEnabled -eq $false'

RequireAllSendersAreAuthenticated
LDAP display name: msExchRequireAuthToSendTo
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-SecurityPrincipal
Value: Boolean ($true or $false)
Comments: This property is displayed as RequireSenderAuthenticationEnabled in the results of the command Get-<RecipientType> -Identity <RecipientIdentity> | Format-List, but you need to use the property name RequireAllSendersAreAuthenticated in the filter. For example,
    Get-DistributionGroup -Filter 'RequireAllSendersAreAuthenticated -eq $false'

ResourceBehaviorOptions
LDAP display name: n/a
Available on cmdlets: Get-UnifiedGroup
Value: AllowOnlyMembersToPost, CalendarMemberReadOnly, ConnectorsEnabled, HideGroupInOutlook, NotebookForLearningCommunitiesEnabled, ReportToOriginator, SharePointReadonlyForMembers, SubscriptionEnabled, SubscribeMembersToCalendarEvents, SubscribeMembersToCalendarEventsDisabled, SubscribeNewGroupMembers, WelcomeEmailDisabled, WelcomeEmailEnabled, or $null
Comments: For example,
    Get-UnifiedGroup -Filter "ResourceBehaviorOptions -eq 'CalendarMemberReadOnly'"

ResourceCapacity
LDAP display name: msExchResourceCapacity
Available on cmdlets: Get-Mailbox
Value: Integer or $null
Comments: For example,
    Get-Mailbox -Filter "ResourceCapacity -gt 15"

ResourceCustom
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: You create custom resource properties by using the Set-ResourceConfig cmdlet. For example,
    Set-ResourceConfig -ResourcePropertySchema Room/Whiteboard,Equipment/Van
After you create the properties, you can assign them to room or equipment mailboxes. For example,
    Set-Mailbox -Identity "Conference Room 1" -ResourceCustom Whiteboard
When you search for values, use the custom resource property that's assigned to the room or equipment mailbox. For example,
    Get-Mailbox -Filter "ResourceCustom -eq 'Whiteboard'"

ResourceProvisioningOptions
LDAP display name: n/a
Available on cmdlets: Get-UnifiedGroup
Value: Team or $null
Comments: For example,
    Get-UnifiedGroup -Filter "ResourceProvisioningOptions -eq 'Team'"

ResourceType
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: Room (0), Equipment (1), or $null
Comments: For example,
    Get-Mailbox -Filter "ResourceType -eq 'Equipment'"

RetainDeletedItemsFor
LDAP display name: garbageCollPeriod
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: A time span value: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.
Comments: You can't use the Filter parameter to look for time span values for this property. Instead, use this syntax:
    Get-Mailbox | where {$_.RetainDeletedItemsFor -<Operator> '<TimeSpan>'}
For example,
    Get-Mailbox | where {$_.RetainDeletedItemsFor -gt '14.00:00:00'}

RetentionComment
LDAP display name: msExchRetentionComment
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter "RetentionComment -like '*7 years*'"

RetentionPolicy
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the retention policy. For example,
    Get-Mailbox -Filter "RetentionPolicy -eq 'CN=Default MRM Policy,CN=Retention Policies Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of retention policies, run this command:
    Get-RetentionPolicy | Format-List Name,DistinguishedName

RetentionUrl
LDAP display name: msExchRetentionURL
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter "RetentionUrl -like 'https://intranet.contoso.com/*'"

RoleAssignmentPolicy
LDAP display name: msExchRBACPolicyLink
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: This filter requires the distinguished name of the role assignment policy in Exchange Online. For example,
    Get-Mailbox -Filter "RoleAssignmentPolicy -eq 'CN=Default Policy,CN=Policies,CN=RBAC,CN=Configuration,CN=contoso.onm
To find the distinguished names of role assignment policies in Exchange Online, run this command:
    Get-RoleAssignmentPolicy | Format-List Name,DistinguishedName

RulesQuota
LDAP display name: msExchMDBRulesQuota
Available on cmdlets: Get-Mailbox
Value: A byte quantified size value (for example, 50B or 128KB). Unqualified values are treated as bytes.
Comments: You can't use the Filter parameter to look for size values of this property. Instead, use this syntax:
    Get-Mailbox | where {$_.RulesQuota -<Operator> '<Size>'}
For example,
    Get-Mailbox | where {$_.RulesQuota -lt '256KB'}

SafeRecipientsHash
LDAP display name: msExchSafeRecipientsHash
Available on cmdlets: Get-Recipient
Value: Blank ($null) or a hashed value.
Comments: Realistically, you can only use this value to filter on blank or non-blank values. For example,
    Get-Recipient -Filter 'SafeRecipientsHash -ne $null'

SafeSendersHash
LDAP display name: msExchSafeSendersHash
Available on cmdlets: Get-Recipient
Value: Blank ($null) or a hashed value.
Comments: Realistically, you can only use this value to filter on blank or non-blank values. For example,
    Get-Recipient -Filter 'SafeSendersHash -ne $null'

SamAccountName
LDAP display name: SamAccountName
Available on cmdlets: Get-CASMailbox, Get-DistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-UMMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Recipient -Filter "SamAccountName -like '*laura*'"

SCLDeleteThresholdInt
LDAP display name: msExchMessageHygieneSCLDeleteThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLDeleteThreshold in the results of the command Get-Mailbox -Identity <MailboxIdentity> | Format-List, but you need to use the property name SCLDeleteThresholdInt in the filter. For example,
    Get-Mailbox -Filter "SCLDeleteThresholdInt -ge -2147483640"

SCLJunkThresholdInt
LDAP display name: msExchMessageHygieneSCLJunkThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLJunkThreshold in the results of the command Get-Mailbox -Identity <MailboxIdentity> | Format-List, but you need to use the property name SCLJunkThresholdInt in the filter. For example,
    Get-Mailbox -Filter "SCLJunkThresholdInt -ge -2147483645"

SCLQuarantineThresholdInt
LDAP display name: msExchMessageHygieneSCLQuarantineThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLQuarantineThreshold in the results of the command Get-Mailbox -Identity <MailboxIdentity> | Format-List, but you need to use the property name SCLQuarantineThresholdInt in the filter. For example,
    Get-Mailbox -Filter "SCLQuarantineThresholdInt -ge -2147483643"

SCLRejectThresholdInt
LDAP display name: msExchMessageHygieneSCLRejectThreshold
Available on cmdlets: Get-Mailbox
Value: -2147483648 (SCL value 0), -2147483647 (SCL value 1), -2147483646 (SCL value 2), -2147483645 (SCL value 3), -2147483644 (SCL value 4), -2147483643 (SCL value 5), -2147483642 (SCL value 6), -2147483641 (SCL value 7), -2147483640 (SCL value 8), -2147483639 (SCL value 9) or $null
Comments: This property is displayed as SCLRejectThreshold in the results of the command Get-Mailbox -Identity <MailboxIdentity> | Format-List, but you need to use the property name SCLRejectThresholdInt in the filter. For example,
    Get-Mailbox -Filter "SCLRejectThresholdInt -ge -2147483641"

SendOofMessageToOriginatorEnabled
LDAP display name: oOFReplyToOriginator
Available on cmdlets: Get-DistributionGroup, Get-DynamicDistributionGroup, Get-UnifiedGroup
Value: Boolean ($true or $false)
Comments: For example,
    Get-DistributionGroup -Filter 'SendOofMessageToOriginatorEnabled -eq $true'

ServerLegacyDN
LDAP display name: msExchHomeServerName
Available on cmdlets: Get-CASMailbox, Get-Mailbox, Get-Recipient, Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter "ServerLegacyDN -like '*Mailbox01'"
This is an example of a complete ServerLegacyDN value:
    /o=Contoso Corporation/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=Mailbox01

ServerName
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Mailbox, Get-Recipient, Get-UMMailbox
Value: String or $null
Comments: For example,
    Get-Recipient -Filter "ServerName -eq 'Mailbox01'"

SharingPolicy
LDAP display name: msExchSharingPolicyLink
Available on cmdlets: Get-Mailbox, Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the sharing policy. For example,
    Get-Mailbox -Filter "SharingPolicy -eq 'CN=Custom Sharing Policy,CN=Federation,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of sharing policies, run this command:
    Get-SharingPolicy | Format-List Name,DistinguishedName
Note: For the default assignment of the default sharing policy (named Default Sharing Policy) to a mailbox, the value of the SharingPolicy property is blank ($null).

Sid
LDAP display name: objectSid
Available on cmdlets: Get-Group, Get-LinkedUser, Get-SecurityPrincipal, Get-User
Value: String
Comments: For example,
    Get-User -Filter "Sid -eq 's-1-5-21-3628364307-1600040346-819251021-2603'"

SidHistory
LDAP display name: SIDHistory
Available on cmdlets: Get-Group, Get-LinkedUser, Get-User
Value: String or $null
Comments: For example,
    Get-User -Filter "SidHistory -eq 's-1-5-21-3628364307-1600040346-819251021-2603'"

SimpleDisplayName
LDAP display name: displayNamePrintable
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "SimpleDisplayName -like '*lila*'"

SingleItemRecoveryEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-RemoteMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'SingleItemRecoveryEnabled -eq $true'

SKUAssigned
LDAP display name: n/a
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-Recipient, Get-User
Value: Boolean ($true or $false) or $null.
Comments: For example,
    Get-User -Filter 'SKUAssigned -eq $true'

SourceAnchor
LDAP display name: n/a
Available on cmdlets: Get-Mailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter 'SourceAnchor -ne $null'

StateOrProvince
LDAP display name: st
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "StateOrProvince -like '*Carolina'"

StreetAddress
LDAP display name: streetAddress
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "StreetAddress -like '*36th Ave NE*'"

StsRefreshTokensValidFrom
LDAP display name: msExchStsRefreshTokensValidFrom
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: A date/time value or $null
Comments: For example,
    Get-User -Filter "StsRefreshTokensValidFrom -gt '8/1/2017'"

TelephoneAssistant
LDAP display name: telephoneAssistant
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "TelephoneAssistant -like '206*'"

ThrottlingPolicy
LDAP display name: msExchThrottlingPolicyDN
Available on cmdlets: Get-Mailbox
Value: String or $null
Comments: This filter requires the distinguished name of the throttling policy. For example,
    Get-Mailbox -Filter "ThrottlingPolicy -eq 'CN=Custom Throttling Policy,CN=Global Settings,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of throttling policies, run this command:
    Get-ThrottlingPolicy | Format-List Name,DistinguishedName

Title
LDAP display name: title
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "Title -eq 'Dr.'"

UMAddresses
LDAP display name: msExchUMAddresses
Available on cmdlets: Get-UMMailbox
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-UMMailbox -Filter 'UMAddresses -ne $null'

UMCallingLineIds
LDAP display name: msExchUMCallingLineIds
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "UMCallingLineIds -like '123*'"
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

UMDtmfMap
LDAP display name: msExchUMDtmfMap
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-UMMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter "UMDtmfMap -like '*26297*'"
Although this is a multivalued property, the filter will return a match if the property contains the specified value.

UMEnabled
LDAP display name: n/a
Available on cmdlets: Get-Mailbox, Get-Recipient, Get-UMMailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'UMEnabled -eq $true'

UMMailboxPolicy
LDAP display name: msExchUMTemplateLink
Available on cmdlets: Get-Recipient, Get-UMMailbox
Value: String or $null
Comments: This filter requires the distinguished name of the UM mailbox policy. For example,
    Get-Recipient -Filter "UMMailboxPolicy -eq 'CN=Contoso Default Policy,CN=UM Mailbox Policies,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of UM mailbox policies, run this command:
    Get-UMMailboxPolicy | Format-List Name,DistinguishedName

UMRecipientDialPlanId
LDAP display name: msExchUMRecipientDialPlanLink
Available on cmdlets: Get-Recipient
Value: String or $null
Comments: This filter requires the distinguished name of the UM dial plan. For example,
    Get-Recipient -Filter "UMRecipientDialPlanId -eq 'CN=Contoso Dial Plan,CN=UM DialPlan Container,CN=Contoso Corporation,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'"
To find the distinguished names of UM dial plans, run this command:
    Get-UMDialPlan | Format-List Name,DistinguishedName

UpgradeRequest
LDAP display name: n/a
Available on cmdlets: Get-User
Value: None (0), TenantUpgrade (1), PrestageUpgrade (2), CancelPrestageUpgrade (3), PilotUpgrade (4), or TenantUpgradeDryRun (5).
Comments: For example,
    Get-User -Filter "UpgradeRequest -ne 'None'"

UpgradeStatus
LDAP display name: n/a
Available on cmdlets: Get-User
Value: None (0), NotStarted (1), InProgress (2), Warning (3), Error (4), Cancelled (5), Complete (6), or ForceComplete (7).
Comments: For example,
    Get-User -Filter "UpgradeStatus -ne 'None'"

UsageLocation
LDAP display name: msExchUsageLocation
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient
Value: String or $null
Comments: This filter requires the ISO 3166-1 country name (for example, United States), or two-letter country code (for example US) for the user in Office 365. For more information, see Country Codes - ISO 3166. For example,
    Get-Recipient -Filter 'UsageLocation -ne $null'

UseDatabaseQuotaDefaults
LDAP display name: mDBUseDefaults
Available on cmdlets: Get-Mailbox
Value: Boolean ($true or $false)
Comments: For example,
    Get-Mailbox -Filter 'UseDatabaseQuotaDefaults -eq $false'

UserAccountControl
LDAP display name: userAccountControl
Available on cmdlets: Get-LinkedUser, Get-User
Value: AccountDisabled, DoNotExpirePassword, or NormalAccount
Comments: For example,
    Get-User -Filter "UserAccountControl -eq 'NormalAccount'"
You can specify multiple values separated by commas, but the order matters. For example,
    Get-User -Filter "UserAccountControl -eq 'AccountDisabled,NormalAccount'"
returns different results than
    Get-User -Filter "UserAccountControl -eq 'NormalAccount,AccountDisabled'"
This multivalued property will only return a match if the property equals the specified value.

UserPrincipalName
LDAP display name: userPrincipalName
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User
Value: String (wildcards accepted)
Comments: For example,
    Get-User -Filter "UserPrincipalName -like 'julia@*'"

VoiceMailSettings
LDAP display name: msExchUCVoiceMailSettings
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String or $null
Comments: For example,
    Get-User -Filter 'VoiceMailSettings -ne $null'

WebPage
LDAP display name: wWWHomePage
Available on cmdlets: Get-Contact, Get-LinkedUser, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-User -Filter "WebPage -like 'https://intranet.contoso.com/*'"

WhenChanged
LDAP display name: WhenChanged
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value
Comments: For example,
    Get-Recipient -Filter "WhenChanged -gt '8/1/2017 2:00:00 PM'"

WhenChangedUTC
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value in Coordinated Universal Time (UTC)
Comments: For example,
    Get-Recipient -Filter "WhenChangedUTC -gt '8/1/2017 2:00:00 PM'"

WhenCreated
LDAP display name: whenCreated
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value
Comments: For example,
    Get-Recipient -Filter "WhenCreated -gt '8/1/2017 2:00:00 PM'"

WhenCreatedUTC
LDAP display name: n/a
Available on cmdlets: Get-CASMailbox, Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-Recipient, Get-RemoteMailbox, Get-SecurityPrincipal, Get-UMMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value in Coordinated Universal Time (UTC)
Comments: For example,
    Get-Recipient -Filter "WhenCreatedUTC -gt '8/1/2017 2:00:00 PM'"

WhenMailboxCreated
LDAP display name: msExchWhenMailboxCreated
Available on cmdlets: Get-Mailbox, Get-MailUser, Get-Recipient, Get-RemoteMailbox
Value: A date/time value
Comments: For example,
    Get-Recipient -Filter "WhenMailboxCreated -gt '8/1/2017 2:00:00 PM'"

WhenSoftDeleted
LDAP display name: msExchWhenSoftDeletedTime
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-RemoteMailbox, Get-User, Get-UnifiedGroup
Value: A date/time value
Comments: This filter requires the SoftDeleted switch in the command for mailboxes. For example,
    Get-Mailbox -SoftDeleted -Filter "WhenSoftDeleted -gt '8/1/2017 2:00:00 PM'"

WindowsEmailAddress
LDAP display name: mail
Available on cmdlets: Get-Contact, Get-DistributionGroup, Get-DynamicDistributionGroup, Get-Group, Get-LinkedUser, Get-Mailbox, Get-MailContact, Get-MailPublicFolder, Get-MailUser, Get-RemoteMailbox, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter "WindowsEmailAddress -like '*@fabrikam.com'"

WindowsLiveID
LDAP display name: msExchWindowsLiveID
Available on cmdlets: Get-LinkedUser, Get-Mailbox, Get-MailUser, Get-Recipient, Get-User
Value: String (wildcards accepted) or $null
Comments: For example,
    Get-Mailbox -Filter "WindowsLiveID -like '*@fabrikam.onmicrosoft.com'"

For more information


Exchange 2007 was the first version of Exchange that required OPATH filters instead of LDAP filters. For more information about converting LDAP filters to OPATH filters, see
the Microsoft Exchange Team Blog article, Need help converting your LDAP filters to OPATH?.
For more information about the syntax that can be used within OPATH filters, see Exchange cmdlet syntax.
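
The following added example (not part of the original documentation) combines the filter patterns from the table into one account and mail-flow review: system values in single-quoted filters, a distinguished name looked up and then used in a double-quoted filter, and a time span property compared on the client. The function name Get-FilterAudit, its parameters, and the report layout are hypothetical; it assumes an open Exchange Management Shell session and that a doubled single quote is accepted as an escaped quote inside an OPATH string.

```powershell
# Added example. Get-FilterAudit and its parameters are hypothetical names; the
# cmdlets and filterable properties are the ones listed in the table above.
function Get-FilterAudit {
    [CmdletBinding()]
    param(
        # Name, alias, or email address of a group used in RejectMessagesFromDLMembers.
        [Parameter(Mandatory)] [string] $GroupIdentity,
        # Report users whose StsRefreshTokensValidFrom value is later than this date.
        [datetime] $TokenCutoff = (Get-Date).AddDays(-30),
        # Expected minimum deleted-item retention, in dd.hh:mm:ss form.
        [string] $MinRetention = '14.00:00:00'
    )

    # 1. System values ($true, $false, $null): single-quoted filter, so PowerShell
    #    hands the literal text to Exchange instead of expanding it.
    $remotePs   = Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true'
    $sidHistory = Get-User -ResultSize Unlimited -Filter 'SidHistory -ne $null'
    $openGroups = Get-DistributionGroup -ResultSize Unlimited -Filter 'RequireAllSendersAreAuthenticated -eq $false'

    # 2. A value that comes from a variable: double-quoted filter. The date uses the
    #    M/d/yyyy form of the table's examples (assumes the server parses that form).
    $cutoff = $TokenCutoff.ToString('M/d/yyyy', [cultureinfo]::InvariantCulture)
    $tokens = Get-User -ResultSize Unlimited -Filter "StsRefreshTokensValidFrom -gt '$cutoff'"

    # 3. A property that needs a distinguished name: look the DN up first, double
    #    any single quote in it (assumed OPATH escape), then filter on it.
    $dn        = (Get-DistributionGroup -Identity $GroupIdentity).DistinguishedName
    $dnLiteral = $dn.Replace("'", "''")
    $rejecting = Get-Mailbox -ResultSize Unlimited -Filter "RejectMessagesFromDLMembers -eq '$dnLiteral'"

    # 4. Time span and size values can't be used with -Filter: compare on the client.
    $shortRetention = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.RetainDeletedItemsFor -lt $MinRetention }

    [pscustomobject]@{
        RemotePowerShellUsers      = @($remotePs | Select-Object -ExpandProperty Name)
        UsersWithSidHistory        = @($sidHistory | Select-Object -ExpandProperty Name)
        GroupsOpenToUnauthSenders  = @($openGroups | Select-Object -ExpandProperty Name)
        RefreshTokensResetSince    = @($tokens | Select-Object -ExpandProperty Name)
        MailboxesRejectingGroup    = @($rejecting | Select-Object -ExpandProperty Name)
        MailboxesBelowMinRetention = @($shortRetention | Select-Object -ExpandProperty Name)
    }
}

# Usage (group name is a constructed sample value):
# Get-FilterAudit -GroupIdentity 'Marketing Department' | Format-List
```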
Filterable properties for the RecipientFilter parameter
10/30/2019 • 16 minutes to read

You use the RecipientFilter parameter to create OPATH filters based on the properties of recipient objects in Exchange Server 2016 or later,
and Exchange Online. The RecipientFilter parameter is available in the following cmdlets:
New-AddressList and Set-AddressList
New-DynamicDistributionGroup and Set-DynamicDistributionGroup
New-EmailAddressPolicy and Set-EmailAddressPolicy
New-GlobalAddressList and Set-GlobalAddressList

Filterable recipient properties


The recipient properties that have been confirmed to work with the RecipientFilter parameter in all cmdlets are described in the following table.
Notes:
The list might include:
  Properties that are only used in one type of environment: Microsoft Office 365, on-premises Exchange, or hybrid. The property might exist on recipient objects in all environments, but the value is only meaningful (a value other than blank or None) in one type of environment.
  Properties that are present, but correspond to features that are no longer used in Exchange.
You can't use properties from other Active Directory schema extensions with the RecipientFilter parameter.
Not all recipient properties have a corresponding Active Directory property. The LDAP display name value in the table is "n/a" for these properties, which indicates that the property is calculated (likely by Exchange).
Enclose the whole OPATH filter in double quotation marks " ". If the filter contains system values (for example, $true, $false, or $null), use single quotation marks ' ' instead. Although this parameter is a string (not a script block), you can also use braces { }, but only if the filter doesn't contain variables. For more information, see Additional OPATH syntax information.
You typically use the object's name for properties that require a valid object value (for example, a mailbox, a distribution group, or an email address policy), but the property might also accept the object's distinguished name (DN) or globally unique identifier (GUID). To find the object's DN or GUID, use the Get- cmdlet that corresponds to the object's type (for example, Get-EmailAddressPolicy | Format-List Name,DistinguishedName,GUID).
Text string properties that accept wildcard characters require the -like operator (for example, "Property -like '*abc'").
The Value column in the table describes the acceptable values for the filter, not necessarily for the property itself. For example, a property might obviously contain a date or numeric value, but when you use that property in a filter, it might be treated like a text string (no value check, and wildcards are supported).
To look for blank or non-blank property values, use the value $null (for example, 'Property -eq $null' or 'Property -ne $null').
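
The quoting rules in the notes above, shown as an added example (not part of the original documentation): a RecipientFilter that mixes variable values with a system value is built in double quotes, previewed, and only then used to create a dynamic distribution group. The function name New-CheckedDynamicGroup, its parameters, and the member-count ceiling are hypothetical; it assumes an open Exchange Management Shell session and that a doubled single quote is accepted as an escaped quote inside an OPATH string.

```powershell
# Added example. New-CheckedDynamicGroup and its parameters are hypothetical names;
# the cmdlets and the Department, Company and AuditEnabled properties are real.
function New-CheckedDynamicGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Department,
        [Parameter(Mandatory)] [string] $Company,
        # Refuse to create the group if the filter matches more recipients than this.
        [int] $MaxMembers = 200
    )

    # Double any single quote in the values so a name such as O'Hara can't end the
    # quoted string early and change the meaning of the filter (assumed OPATH escape).
    $dept = $Department.Replace("'", "''")
    $comp = $Company.Replace("'", "''")

    # The filter contains variables, so it needs double quotes. The system value
    # $true is escaped with a backtick so that PowerShell passes it through literally.
    $filter = "(Department -eq '$dept') -and (Company -eq '$comp') -and (AuditEnabled -eq `$true)"

    # Preview the recipients the filter would select before any object is created.
    $preview = @(Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $filter)

    if ($preview.Count -eq 0) {
        throw "Filter matches no recipients: $filter"
    }
    if ($preview.Count -gt $MaxMembers) {
        throw "Filter matches $($preview.Count) recipients (limit $MaxMembers): $filter"
    }

    if ($PSCmdlet.ShouldProcess($Name, "Create dynamic distribution group with filter $filter")) {
        New-DynamicDistributionGroup -Name $Name -RecipientFilter $filter | Out-Null
    }

    [pscustomobject]@{
        Name            = $Name
        RecipientFilter = $filter
        PreviewCount    = $preview.Count
        PreviewMembers  = @($preview | Select-Object -ExpandProperty Name)
    }
}

# Usage (constructed sample values); -WhatIf previews without creating the group:
# New-CheckedDynamicGroup -Name 'Sales Audited' -Department 'Sales' -Company 'Contoso' -WhatIf
```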

PROPERTY NAME LDAP DISPLAY NAME VALUE COMMENTS

AcceptMessagesOnlyFrom
LDAP display name: authOrig
Value: Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

AcceptMessagesOnlyFromDLMembers
LDAP display name: dLMemSubmitPerms
Value: Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

ActiveSyncAllowedDeviceIDs
LDAP display name: msExchMobileAllowedDeviceIds
Value: String (wildcards accepted).

ActiveSyncBlockedDeviceIDs
LDAP display name: msExchMobileBlockedDeviceIds
Value: String (wildcards accepted).

ActiveSyncEnabled
LDAP display name: n/a
Value: Boolean ($true or $false)



ActiveSyncMailboxPolicy
LDAP display name: msExchMobileMailboxPolicyLink
Value: String (wildcards accepted in dynamic distribution groups).
Comments: The default Exchange ActiveSync mailbox policy is named Default.

ActiveSyncSuppressReadReceipt
LDAP display name: n/a
Value: Boolean ($true or $false)

AddressBookPolicy
LDAP display name: msExchAddressBookPolicyLink
Value: String (wildcards accepted in dynamic distribution groups).

AddressListMembership
LDAP display name: showInAddressBook
Value: String (wildcards accepted in dynamic distribution groups).

AdminDisplayName
LDAP display name: adminDisplayName
Value: String (wildcards accepted).

AdministrativeUnits
LDAP display name: msExchAdministrativeUnitLink
Value: String (wildcards accepted in dynamic distribution groups).

AggregatedMailboxGuids
LDAP display name: msExchAlternateMailboxes
Value: String (wildcards accepted).

Alias
LDAP display name: mailNickname
Value: String (wildcards accepted).
Comments: This property contains the recipient's Exchange alias (also known as the mail nickname). This value identifies the recipient as a mail-enabled object, and shouldn't be confused with multiple email addresses for the same recipient (also known as proxy addresses). A recipient can have only one Alias value.

AllowUMCallsFromNonUsers
LDAP display name: msExchUMListInDirectorySearch
Value: None (0) or SearchEnabled (1)

ArbitrationMailbox
LDAP display name: msExchArbitrationMailbox
Value: String (wildcards accepted in dynamic distribution groups).

ArchiveDatabase
LDAP display name: msExchArchiveDatabaseLink
Value: String

ArchiveDomain
LDAP display name: msExchArchiveAddress
Value: String (wildcards accepted).

ArchiveGuid
LDAP display name: msExchArchiveGUID
Value: String (wildcards accepted).

ArchiveName
LDAP display name: msExchArchiveName
Value: String (wildcards accepted).

ArchiveQuota
LDAP display name: msExchArchiveQuota
Value: Dynamic distribution groups: A byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ArchiveWarningQuota
LDAP display name: msExchArchiveWarnQuota
Value: Dynamic distribution groups: A byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ArchiveRelease
LDAP display name: msExchArchiveRelease
Value: String (wildcards accepted).

ArchiveState
LDAP display name: n/a
Value: None (0), Local (1), HostedProvisioned (2), HostedPending (3), or OnPremise (4).

ArchiveStatus
LDAP display name: msExchArchiveStatus
Value: None (0) or Active (1).



AssistantName
LDAP display name: msExchAssistantName
Value: String (wildcards accepted).
Comments: The name of the recipient's assistant.

AuditEnabled
LDAP display name: msExchMailboxAuditEnable
Value: Boolean ($true or $false)

AuditLogAgeLimit
LDAP display name: msExchMailboxAuditLogAgeLimit
Value: Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.
Comments: The value of this property is a time span: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds.

AuthenticationPolicy
LDAP display name: msExchAuthPolicyLink
Value: String (wildcards accepted in dynamic distribution groups).

C
LDAP display name: C
Value: String (wildcards accepted).
Comments: This property contains the two-letter country/region designation from International Organization for Standardization (ISO) 3166. For more information, see Country Codes - ISO 3166.

CalendarLoggingQuota
LDAP display name: msExchCalendarLoggingQuota
Value: Dynamic distribution groups: Unlimited or a byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Unlimited, or blank/non-blank.

CalendarRepairDisabled
LDAP display name: msExchCalendarRepairDisabled
Value: Boolean ($true or $false)

Certificate
LDAP display name: userCertificate
Value: System.Byte[]
Comments: This property contains the DER-encoded X509v3 certificates that are issued to the user.

CertificateSubject
LDAP display name: n/a
Value: X509:<I>X500Issuer<S>X500Subject (for example, X509:<I>C=US,O=InternetCA,CN=APublicCertificateAuthority<S>C=US,O=Fabrikam,OU=Sales,CN=Smith)
Comments: The X509 certificate that's published for the user account (visible on the Published Certificates tab in Active Directory Users and Computers).

City l String (wildcards accepted). The recipient's city.

Co Co String (wildcards accepted). The name of the recipient's country or region. You can locate valid Co values on the Address tab in the recipient's properties in Active Directory Users and Computers.

CommonName cn String (wildcards accepted).

ComplianceTagHoldApplied n/a Boolean ( $true or $false )

Company company String (wildcards accepted). The recipient's company name.

CountryOrRegion c String (wildcards accepted). This property contains the two-letter country/region designation from ISO 3166. For more information, see Country Codes - ISO 3166.

CustomAttribute1 to CustomAttribute15 extensionAttribute1 to extensionAttribute15 String (wildcards accepted). These properties contain custom attributes that you can add to a recipient.

Database homeMDB String (wildcards accepted). The identity of the user's mailbox database.

Department department String (wildcards accepted). The recipient's department.

DataEncryptionPolicy msExchDataEncryptionPolicyLink String (wildcards accepted in dynamic distribution groups).

DefaultPublicFolderMailbox msExchPublicFolderMailbox String (wildcards accepted in dynamic distribution groups).

DeletedItemFlags deletedItemFlags DatabaseDefault (0), RetainUntilBackupOrCustomPeriod (3), or RetainForCustomPeriod (5).

DeliverToMailboxAndForward deliverAndRedirect Boolean ( $true or $false )

Description description String (wildcards accepted).

DirectReports directReports String (wildcards accepted in dynamic distribution groups).

DisabledArchiveDatabase msExchDisabledArchiveDatabaseLink String (wildcards accepted).

DisabledArchiveGuid msExchDisabledArchiveDatabaseGUID String (wildcards accepted).

DisplayName displayName String (wildcards accepted).

DistinguishedName distinguishedName String (wildcards accepted).

EcpEnabled n/a Boolean ( $true or $false )

ElcExpirationSuspensionEndDate msExchELCExpirySuspensionEnd Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank. This property contains a date-time value.

ElcExpirationSuspensionStartDate msExchELCExpirySuspensionStart Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank. This property contains a date-time value.

ElcMailboxFlags msExchELCMailboxFlags None (0), ExpirationSuspended (1), ElcV2 (2), DisableCalendarLogging (4), LitigationHold (8), SingleItemRecovery (16), ValidArchiveDatabase (32), ShouldUseDefaultRetentionPolicy (128), EnableSiteMailboxMessageDedup (256), ElcProcessingDisabled (512), or ComplianceTagHold (1024).

EmailAddresses proxyAddresses String (wildcards accepted). This property contains the recipient's email addresses (the primary email address and all proxy addresses).

EmailAddressPolicyEnabled n/a Boolean ( $true or $false )



EntryId msExchPublicFolderEntryId String (wildcards accepted).

EwsApplicationAccessPolicy msExchEwsApplicationAccessPolicy EnforceAllowList or EnforceBlockList.

EwsEnabled msExchEwsEnabled Integer

ExchangeGuid msExchMailboxGuid String (wildcards accepted).

ExchangeUserAccountControl msExchUserAccountControl For valid values, see ADS_USER_FLAG_ENUM enumeration. The integer values will work as described. Most of the text values won't work as described (even if you remove ADS_UF and all underscores).

ExchangeVersion msExchVersion Dynamic distribution groups: String (wildcards accepted). Others: ExchangeObjectVersion values.

ExpansionServer msExchExpansionServerName String (wildcards accepted).

ExtensionCustomAttribute1 to ExtensionCustomAttribute5 msExchExtensionCustomAttribute1 to msExchExtensionCustomAttribute5 String (wildcards accepted).

ExternalDirectoryObjectId msExchExternalDirectoryObjectId String (wildcards accepted).

ExternalEmailAddress targetAddress String (wildcards accepted). This property contains the external email address for mail contacts and mail users.

ExternalOofOptions msExchExternalOOFOptions External (0) or InternalOnly (1).

Fax facsimileTelephoneNumber String (wildcards accepted).

FirstName givenName String (wildcards accepted). The recipient's first name.

ForwardingAddress altRecipient String (wildcards accepted).

ForwardingSmtpAddress msExchGenericForwardingAddress String (wildcards accepted).

GeneratedOfflineAddressBooks msExchOABGeneratingMailboxBL String (wildcards accepted in dynamic distribution groups).

GrantSendOnBehalfTo publicDelegates String (wildcards accepted in dynamic distribution groups).

GroupType groupType None (0), Global (2), DomainLocal (4), BuiltinLocal (5), Universal (8), or SecurityEnabled (-2147483648).

Guid objectGuid String (wildcards accepted).

HasActiveSyncDevicePartnership n/a Boolean ( $true or $false )



HiddenFromAddressListsEnabled msExchHideFromAddressLists Boolean ( $true or $false ) This property specifies whether the recipient is visible in the global address list or other address lists.

HiddenGroupMembershipEnabled hideDLMembership Boolean ( $true or $false )

HomeMTA homeMTA String (wildcards accepted in dynamic distribution groups).

HomePhone homePhone String (wildcards accepted).

Id distinguishedName String (wildcards accepted in dynamic distribution groups).

ImapEnabled n/a Boolean ( $true or $false )

ImmutableId msExchGenericImmutableId String (wildcards accepted).

IncludedRecipients n/a None (0), MailboxUsers (1), Resources (2), MailContacts (4), MailGroups (8), MailUsers (16), or AllRecipients (-1).

IncludeInGarbageCollection n/a Boolean ( $true or $false )

Initials initials String (wildcards accepted).

InPlaceHolds msExchUserHoldPolicies String

InPlaceHoldsRaw n/a String

InternetEncoding internetEncoding Integer For valid values, see the Remarks section in the topic, Encoding Class.

IsDirSynced msExchIsMSODirsynced Boolean ( $true or $false )

IsExcludedFromServingHierarchy n/a Boolean ( $true or $false )

IsHierarchyReady n/a Boolean ( $true or $false )

IsHierarchySyncEnabled n/a Boolean ( $true or $false )

IsInactiveMailbox n/a Boolean ( $true or $false )

IsMailboxEnabled n/a Boolean ( $true or $false ) This property specifies whether the user is mailbox-enabled.

IsSecurityPrincipal n/a Boolean ( $true or $false )

IsSoftDeletedByDisable n/a Boolean ( $true or $false )

IsSoftDeletedByRemove n/a Boolean ( $true or $false )

IssueWarningQuota mDBStorageQuota Dynamic distribution groups: A byte quantified size value (for example, 300MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

JournalArchiveAddress n/a An SMTP email address (for example, julia@contoso.com).

LanguagesRaw msExchUserCulture String (wildcards accepted). This property contains the language preference for this mailbox in the format <ISO 639 two-letter culture code>-<ISO 3166 two-letter subculture code>. For example, United States English is en-US. For more information, see CultureInfo Class.

LastExchangeChangedTime msExchLastExchangeChangedTime Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

LastName sn String (wildcards accepted).

LdapRecipientFilter msExchDynamicDLFilter String (wildcards accepted).

LegacyExchangeDN legacyExchangeDN String (wildcards accepted).

LitigationHoldDate msExchLitigationHoldDate Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

LitigationHoldEnabled n/a Boolean ( $true or $false )

LitigationHoldOwner msExchLitigationHoldOwner String (wildcards accepted).

LocaleID localeID Integer For valid values, see Microsoft Locale ID Values.

MailboxMoveBatchName msExchMailboxMoveBatchName String (wildcards accepted).

MailboxMoveFlags msExchMailboxMoveFlags For valid values, see the description of the Flags parameter in Get-MoveRequest.

MailboxMoveRemoteHostName msExchMailboxMoveRemoteHostName String (wildcards accepted).

MailboxMoveSourceMDB msExchMailboxMoveSourceMDBLink String (wildcards accepted in dynamic distribution groups).

MailboxMoveStatus msExchMailboxMoveStatus For valid values, see the description of the MoveStatus parameter in Get-MoveRequest.

MailboxMoveTargetMDB msExchMailboxMoveTargetMDBLink String (wildcards accepted in dynamic distribution groups).

MailboxPlan msExchParentPlanLink String (wildcards accepted). Mailbox plans correspond to Office 365 license types. The availability of a license plan is determined by the selections that you make when you enroll your domain.

MailboxRelease msExchMailboxRelease String (wildcards accepted).

MailTipTranslations msExchSenderHintTranslations String (wildcards accepted).

ManagedBy managedBy String (wildcards accepted in dynamic distribution groups). This property identifies the security principal that's the manager of the group.

Manager manager String (wildcards accepted in dynamic distribution groups). The recipient's manager.

MAPIEnabled n/a Boolean ( $true or $false )

MapiRecipient mAPIRecipient Boolean ( $true or $false )

MaxBlockedSenders msExchMaxBlockedSenders Unlimited or an integer.

MaxSafeSenders msExchMaxSafeSenders Unlimited or an integer.

MaxReceiveSize delivContLength Dynamic distribution groups: A byte quantified size value (for example, 50MB). Unqualified values are treated as bytes. Others: Blank or non-blank.

MaxSendSize submissionContLength Dynamic distribution groups: A byte quantified size value (for example, 50MB). Unqualified values are treated as bytes. Others: Blank or non-blank.

MemberDepartRestriction msExchGroupDepartRestriction Closed (0), Open (1), or ApprovalRequired (2).

MemberJoinRestriction msExchGroupDepartRestriction Closed (0), Open (1), or ApprovalRequired (2).

MemberOfGroup memberOf String (wildcards accepted in dynamic distribution groups).

Members member String (wildcards accepted in dynamic distribution groups).

MessageHygieneFlags msExchMessageHygieneFlags None (0) or AntispamBypass (1).

MobileAdminExtendedSettings msExchOmaAdminExtendedSettings String (wildcards accepted).

MobileMailboxFlags msExchMobileMailboxFlags None (0), HasDevicePartnership (1), or ActiveSyncSuppressReadReceipt (2).

MobileFeaturesEnabled msExchOmaAdminWirelessEnable None (0), AirSyncDisabled (4), or MowaDisabled (8).

MobilePhone mobile String (wildcards accepted).

ModeratedBy msExchModeratedByLink String (wildcards accepted in dynamic distribution groups).

ModerationEnabled msExchEnableModeration Boolean ( $true or $false )

Name name String (wildcards accepted). The unique name value of the recipient.

NetID n/a A sample value is 1003BFFD9A0CFA03. This property is populated for Office 365 mailboxes in hybrid environments.

Notes info String (wildcards accepted).



ObjectCategory objectCategory Dynamic distribution groups: String (wildcards accepted). Others: Valid Active Directory ObjectCategory values. Valid values use the format CN=<Type>,CN=Schema,CN=Configuration,DC=<domain>, where <Type> is typically Person or Group for recipients. For example, CN=Person,CN=Schema,CN=Configuration,DC=contoso.

ObjectClass objectClass Dynamic distribution groups: String (wildcards accepted). Others: Valid Active Directory ObjectCategory values. Common values for recipients are: contact, organizationalPerson, person, top, group, msExchDynamicDistributionList, and user.

Office physicalDeliveryOfficeName String (wildcards accepted).

OfflineAddressBook msExchUseOAB String (wildcards accepted in dynamic distribution groups). This property contains the offline address book (OAB) that's associated with this recipient.

OperatorNumber msExchUMOperatorNumber String (wildcards accepted).

OtherFax otherFacsimileTelephoneNumber String (wildcards accepted).

OtherHomePhone otherHomePhone String (wildcards accepted).

OtherTelephone otherTelephone String (wildcards accepted).

OWAEnabled n/a Boolean ( $true or $false )

OWAforDevicesEnabled msExchOmaAdminWirelessEnable Boolean ( $true or $false )

OWAMailboxPolicy msExchOWAPolicy String (wildcards accepted in dynamic distribution groups).

Pager pager String (wildcards accepted).

Phone telephoneNumber String (wildcards accepted).

PhoneProviderId msExchUMPhoneProvider String (wildcards accepted).

PhoneticCompany msDS-PhoneticCompanyName String (wildcards accepted).

PhoneticDepartment msDS-PhoneticDepartment String (wildcards accepted).

PhoneticDisplayName msDS-PhoneticDisplayName String (wildcards accepted).

PhoneticFirstName msDS-PhoneticFirstName String (wildcards accepted).

PhoneticLastName msDS-PhoneticLastName String (wildcards accepted).

PoliciesExcluded msExchPoliciesExcluded String (wildcards accepted).

PoliciesIncluded msExchPoliciesIncluded String (wildcards accepted).

PopEnabled n/a Boolean ( $true or $false )

PostalCode postalCode String (wildcards accepted).

PostOfficeBox postOfficeBox String (wildcards accepted).



PreviousRecipientTypeDetails msExchPreviousRecipientTypeDetails For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient.

PrimaryGroupId primaryGroupId Integer For domain users, the value of this property is typically 513, which corresponds to the Domain Users group.

PrimarySmtpAddress n/a String (wildcards accepted).

ProhibitSendQuota mDBOverQuotaLimit Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ProhibitSendReceiveQuota mDBOverHardQuotaLimit Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

ProtocolSettings protocolSettings String (wildcards accepted).

PublicFolderContacts pFContacts String (wildcards accepted in dynamic distribution groups).

PurportedSearchUI msExchPurportedSearchUI String (wildcards accepted).

QueryBaseDN msExchQueryBaseDN String (wildcards accepted in dynamic distribution groups).

RawCanonicalName canonicalName String (wildcards accepted).

RawExternalEmailAddress targetAddress String (wildcards accepted).

RawName name String (wildcards accepted).

RecipientContainer msExchDynamicDLBaseDN String (wildcards accepted). The Active Directory container or organizational unit (OU) that holds the recipient object.

RecipientDisplayType msExchRecipientDisplayType MailboxUser (0), DistributionGroup (1), PublicFolder (2), DynamicDistributionGroup (3), Organization (4), PrivateDistributionList (5), RemoteMailUser (6), ConferenceRoomMailbox (7), or EquipmentMailbox (8).

RecipientFilter msExchQueryFilter String (wildcards accepted).

RecipientLimits msExchRecipLimit Unlimited or an integer. This property specifies the maximum number of recipients that are allowed in messages sent by the mailbox.

RecipientType n/a For valid values, see the description of the RecipientType parameter in Get-Recipient.

RecipientTypeDetails n/a For valid values, see the description of the RecipientTypeDetails parameter in Get-Recipient.

RecoverableItemsQuota msExchDumpsterQuota Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

RecoverableItemsWarningQuota msExchDumpsterWarningQuota Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

RejectMessagesFrom unauthOrig Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

RejectMessagesFromDLMembers dLMemRejectPerms Dynamic distribution groups: String (wildcards accepted). Others: Blank or non-blank.

RemoteAccountPolicy msExchSyncAccountsPolicyDN String (wildcards accepted in dynamic distribution groups).

RemotePowerShellEnabled n/a Boolean ( $true or $false )

RemoteRecipientType msExchRemoteRecipientType None (0), ProvisionMailbox (1), ProvisionArchive (2), Migrated (4), DeprovisionMailbox (8), DeprovisionArchive (16), RoomMailbox (32), EquipmentMailbox (64), SharedMailbox (96), or TeamMailbox (128).

ReportToManagerEnabled reportToOwner Boolean ( $true or $false )

ReportToOriginatorEnabled reportToOriginator Boolean ( $true or $false )

RequireAllSendersAreAuthenticated msExchRequireAuthToSendTo Boolean ( $true or $false )

ResourceCapacity msExchResourceCapacity Integers.

ResourceCustom n/a String

ResourceMetaData msExchResourceMetaData String (wildcards accepted).

ResourcePropertiesDisplay msExchResourceDisplay String (wildcards accepted).

ResourceSearchProperties msExchResourceSearchProperties String (wildcards accepted).

ResourceType n/a Room (0) or Equipment (1).

RetainDeletedItemsFor garbageCollPeriod Dynamic distribution groups: A time span: dd.hh:mm:ss where dd = days, hh = hours, mm = minutes, and ss = seconds. Others: Blank or non-blank.

RetentionComment msExchRetentionComment String (wildcards accepted).

RetentionPolicy n/a String

RetentionUrl msExchRetentionURL String (wildcards accepted).

RoleAssignmentPolicy msExchRBACPolicyLink String (wildcards accepted in dynamic distribution groups).

RulesQuota msExchMDBRulesQuota Dynamic distribution groups: A byte quantified size value (for example, 50MB or 1.5GB). Unqualified values are treated as bytes. Others: Blank or non-blank.

SamAccountName SamAccountName String (wildcards accepted in dynamic distribution groups). This property specifies an identifier that's compatible with older versions of Microsoft Windows client and server operating systems (also known as the pre-Windows 2000 user account or group name).

SafeRecipientsHash msExchSafeRecipientsHash System.Byte[] A user's safe recipients list is hashed (SHA-256) one way before it's stored as a binary large object in Active Directory.

SafeSendersHash msExchSafeSendersHash System.Byte[] A user's safe senders list is hashed (SHA-256) one way before it's stored as a binary large object in Active Directory.

SCLDeleteThresholdInt msExchMessageHygieneSCLDeleteThreshold An integer from 0 through 9.

SCLJunkThresholdInt msExchMessageHygieneSCLJunkThreshold An integer from 0 through 9.

SCLQuarantineThresholdInt msExchMessageHygieneSCLQuarantineThreshold An integer from 0 through 9.

SCLRejectThresholdInt msExchMessageHygieneSCLRejectThreshold An integer from 0 through 9.

SecurityProtocol securityProtocol System.Byte[]

SendDeliveryReportsTo n/a None (0), Manager (1) or Originator (2).

SendOofMessageToOriginatorEnabled oOFReplyToOriginator Boolean ( $true or $false )

ServerLegacyDN msExchHomeServerName String (wildcards accepted).

ServerName n/a String

SharingPolicy msExchSharingPolicyLink String (wildcards accepted in dynamic distribution groups).

SimpleDisplayName displayNamePrintable String (wildcards accepted).

SingleItemrecoveryEnabled n/a Boolean ( $true or $false )

SKUAssigned n/a Boolean ( $true or $false )



SMimeCertificate userSMIMECertificate System.Byte[] This property contains the binary encoded S/MIME certificates that are issued to the user.

StateOrProvince st String (wildcards accepted).

StreetAddress streetAddress String (wildcards accepted).

StsRefreshTokensValidFrom msExchStsRefreshTokensValidFrom Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

TelephoneAssistant telephoneAssistant String (wildcards accepted).

TextEncodedORAddress textEncodedORAddress String (wildcards accepted).

ThrottlingPolicy msExchThrottlingPolicyDN String (wildcards accepted in dynamic distribution groups).

Title title String (wildcards accepted).

UMAddresses msExchUMAddresses String (wildcards accepted).

UMCallingLineIds msExchUMCallingLineIds String (wildcards accepted).

UMDtmfMap msExchUMDtmfMap String (wildcards accepted).

UMEnabled n/a Boolean ( $true or $false ) This property specifies whether Unified Messaging (UM) is enabled for this mailbox.

UMEnabledFlags msExchUMEnabledFlags None (0), UMEnabled (1), FaxEnabled (2), TUIAccessToCalendarEnabled (4), TUIAccessToEmailEnabled (8), SubscriberAccessEnabled (16), TUIAccessToAddressBookEnabled (32), AnonymousCallersCanLeaveMessages (256), ASREnabled (512), or VoiceMailAnalysisEnabled (1024).

UMMailboxPolicy msExchUMTemplateLink String (wildcards accepted in dynamic distribution groups).

UMPinChecksum msExchUMPinChecksum System.Byte[]

UMRecipientDialPlanId msExchUMRecipientDialPlanLink String (wildcards accepted in dynamic distribution groups).

UMServerWritableFlags msExchUMServerWritableFlags None (0), MissedCallNotificationEnabled (1), SMSVoiceMailNotificationEnabled (2), SMSMissedCallNotificationEnabled (4), or PinlessAccessToVoiceMailEnabled (8).

UMSpokenName msExchUMSpokenName System.Byte[]



UnicodePassword unicodePwd System.Byte[]

UsageLocation msExchUsageLocation A valid two-letter country/region ISO 3166 value, or the corresponding display name (for example, US or UnitedStates). For more information, see Country Codes - ISO 3166.

UseDatabaseQuotaDefaults mDBUseDefaults Boolean ( $true or $false ) If the value of this property is $true, the values of these properties are ignored for the mailbox: IssueWarningQuota, ProhibitSendQuota, ProhibitSendReceiveQuota, CalendarLoggingQuota, RecoverableItemsWarningQuota, and RecoverableItemsQuota.

UserAccountControl userAccountControl For valid values, see the Remarks section in User-Account-Control attribute. You need to convert the hexadecimal values to decimal. Most of the text values won't work as described (even if you remove ADS_UF and all underscores).

UserPrincipalName userPrincipalName String (wildcards accepted). This property contains the user principal name (UPN) for this recipient (for example, kim@contoso.com).

VoiceMailSettings msExchUCVoiceMailSettings String (wildcards accepted). Valid values for this property are: ExchangeHostedVoiceMail=0, ExchangeHostedVoiceMail=1, CsHostedVoiceMail=0, or CsHostedVoiceMail=1.

WebPage wWWHomePage String (wildcards accepted).

WhenChanged whenChanged Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WhenChangedUTC n/a Dynamic distribution groups: A date/time value in Coordinated Universal Time (UTC). Others: Blank or non-blank.

WhenCreated whenCreated Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WhenCreatedUTC n/a Dynamic distribution groups: A date/time value in UTC. Others: Blank or non-blank.

WhenMailboxCreated msExchWhenMailboxCreated Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WhenSoftDeleted msExchWhenSoftDeletedTime Dynamic distribution groups: A date/time value using the time zone and regional settings of the Exchange server. Others: Blank or non-blank.

WindowsEmailAddress mail String (wildcards accepted).

WindowsLiveID msExchWindowsLiveID String (wildcards accepted).

For more information


Exchange 2007 was the first version of Exchange that required OPATH filters instead of LDAP filters. For more information about
converting LDAP filters to OPATH filters, see the Microsoft Exchange Team Blog article, Need help converting your LDAP filters to
OPATH?.
For more information about the syntax that can be used within OPATH filters, see Exchange cmdlet syntax.
Use the Exchange Online PowerShell V2 module
11/7/2019 • 5 minutes to read

The Exchange Online PowerShell V2 module (abbreviated as the EXO V2 module) enables admins to connect to
their Exchange Online environment in Office 365 to retrieve data, create new objects, update existing objects,
remove objects, and configure Exchange Online and its features.

What's new in the EXO V2 module?


The Exchange Online PowerShell V2 module contains a small set of new cmdlets that are optimized for bulk data
retrieval scenarios (think: thousands and thousands of objects). It also contains the 700 or more older remote
PowerShell cmdlets baked into the same module. Note that after you install the EXO V2 module from the
PowerShell Gallery, you only see new cmdlets in the module. You'll see the older remote PowerShell cmdlets after
you create a session to connect to your Exchange Online environment. All the cmdlets in the V2 module use
Modern auth for authentication. You can't use Basic auth in the EXO V2 module.
The new cmdlets in the EXO V2 module are meant to replace their older, less efficient equivalents. However, the
original cmdlets are still available in the EXO V2 module for backwards compatibility.
The new cmdlets in the EXO V2 module are listed in the following table:

NEW CMDLET IN THE EXO V2 MODULE OLDER RELATED CMDLET

Connect-ExchangeOnline Connect-EXOPSSession or New-PSSession

Get-EXOMailbox Get-Mailbox

Get-EXORecipient Get-Recipient

Get-EXOCASMailbox Get-CASMailbox

Get-EXOMailboxPermission Get-MailboxPermission

Get-EXORecipientPermission Get-RecipientPermission

Get-EXOMailboxStatistics Get-MailboxStatistics

Get-EXOMailboxFolderStatistics Get-MailboxFolderStatistics

Get-EXOMailboxFolderPermission Get-MailboxFolderPermission

Get-EXOMobileDeviceStatistics Get-MobileDeviceStatistics

Install and maintain the Exchange Online PowerShell V2 module


You can download the EXO V2 module from the PowerShell gallery here.
What do you need to know before you begin?
Estimated time to complete: 5 minutes
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and then an
updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For more information,
see Installing the .NET Framework, Windows Management Framework 3.0, Windows Management
Framework 4.0, and Windows Management Framework 5.1.
Install the EXO V2 module
To install the EXO V2 module for the first time, run the following commands:
1. On your local computer, run the following command from an elevated Windows PowerShell session (a
Windows PowerShell window you open by selecting Run as administrator):

Install-Module PowershellGet -Force

2. Windows PowerShell needs to be configured to run scripts, and by default, it isn't. To require that all
PowerShell scripts that you download from the internet are signed by a trusted publisher, run the following
command in an elevated Windows PowerShell window:

Set-ExecutionPolicy RemoteSigned

Notes:
You need to configure this setting only once on your computer.
If you don't do this step, you'll receive the following error when you try to connect:

Files cannot be loaded because running scripts is disabled on this system. Provide a valid
certificate with which to sign the files.

3. From an elevated Windows PowerShell session, run the following command:

Install-Module -Name ExchangeOnlineManagement

Enter Y to accept the license agreement.
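
The install steps above pull code from the PowerShell Gallery into an elevated session, so it is worth inspecting the files first. The following is an added example, not part of the original documentation: it stages the module with Save-Module and lists every script or binary whose Authenticode signature is not valid or not from the expected publisher. The function name Get-UnverifiedModuleFile, the staging folder, and the publisher string 'O=Microsoft Corporation' are assumptions for illustration.

```powershell
# Added example (not from the original documentation).
# Get-UnverifiedModuleFile is a hypothetical helper name.
function Get-UnverifiedModuleFile {
    [CmdletBinding()]
    param(
        # Folder that holds the staged module files.
        [Parameter(Mandatory)]
        [string]$Path,

        # Text that must appear in the signer certificate subject.
        # Assumption: set this to the publisher you expect.
        [Parameter(Mandatory)]
        [string]$ExpectedSigner
    )

    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = ''
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

            # Report the file when the signature is missing, broken, untrusted,
            # or made by someone other than the expected publisher.
            if ($sig.Status -ne 'Valid' -or $subject -notlike "*$ExpectedSigner*") {
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status
                    Signer = $subject
                }
            }
        }
}

# Stage the module in a scratch folder instead of installing it directly.
# Requires access to the PowerShell Gallery.
$stage = Join-Path $env:TEMP 'exo-module-stage'   # assumed staging location
New-Item -ItemType Directory -Path $stage -Force | Out-Null
Save-Module -Name ExchangeOnlineManagement -Repository PSGallery -Path $stage

# Assumption: the module files are individually signed by this publisher.
$unverified = @(Get-UnverifiedModuleFile -Path $stage -ExpectedSigner 'O=Microsoft Corporation')

if ($unverified.Count -gt 0) {
    # Stop here and review the list; nothing has been installed yet.
    $unverified | Format-Table -AutoSize
    throw "Found $($unverified.Count) file(s) without a valid expected signature."
}

# Every inspected file passed, so continue with the documented install step.
Install-Module -Name ExchangeOnlineManagement -Repository PSGallery
```

If the check throws, the module is only present in the staging folder and can be deleted or examined further without having been loaded.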


Update the EXO V2 module
If the EXO V2 module is already installed on your computer, you can run the following commands to see the
version that's currently installed and update it if necessary.
1. To see the version of the EXO V2 module that's currently installed, run the following commands:
Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

2. Run the following command to update the EXO V2 module to the latest version that's available in the
PowerShell Gallery:

Update-Module -Name ExchangeOnlineManagement

Enter Y to accept the license agreement.


3. To confirm that the update was successful, run the following commands:

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

Uninstall the EXO V2 module


To uninstall the module, run the following command:

Uninstall-Module -Name ExchangeOnlineManagement

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Online, or Exchange Online Protection.

Connect to Exchange Online using the EXO V2 module


NOTE
If your account uses multi-factor authentication (MFA), don't follow the instructions in this section;

1. On your local computer, open a Windows PowerShell window and run the following command:

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type your work or school account and
password, and then click OK.
Note:
Get-Credential doesn't work for MFA-enabled accounts. To connect with an MFA-enabled account, omit the
Credential parameter from the command in the next step.
2. Run the following command:

Connect-ExchangeOnline -Credential $UserCredential

For detailed syntax and parameter information, see Connect-ExchangeOnline.

What's new in the EXO V2 module?


Properties and property sets
The output of traditional Exchange Online cmdlets returns all possible object properties, including many properties
that are often blank or aren't even required in many scenarios. Returning a large number of blank and
unnecessary properties degrades performance (more server computation and added network load). The
full complement of properties is rarely required in the cmdlet output.
The EXO V2 module cmdlets have categorized output properties. Instead of giving all properties equal importance
and returning them in all scenarios, we've categorized specific related properties into property sets. Simply put,
these property sets are buckets of two or more related properties on the cmdlet.
Property sets are controlled by the following parameters on the EXO V2 module cmdlets:
PropertySets: This parameter accepts one or more available property set names separated by commas.
This example returns the properties that are available in the Archive and Custom property sets:

Get-EXOMailbox -PropertySets Archive,Custom

Properties: This parameter accepts one or more property names separated by commas.
This example returns the specified properties:

Get-EXOMailbox -Properties LitigationHoldEnabled,AuditEnabled

Note: Cmdlets that only return a small number of output properties don't have the PropertySets or
Properties parameters.
You can use PropertySets and Properties in the same command. For example:

Get-EXOMailbox -Properties IsMailboxEnabled,SamAccountName -PropertySets Delivery

Get-EXOCASMailbox -Properties EwsEnabled, MAPIBlockOutlookNonCachedMode -PropertySets ActiveSync

We've also included a Minimum property set (or minset) in the available property sets that includes a bare
minimum set of properties for the cmdlet output.
If you don't use the PropertySets or Properties parameters, you automatically get the properties that are
included in the Minimum property set.
If you use the PropertySets or Properties parameters, you only get the specified properties.
Either way, the cmdlet output will contain far fewer properties, and the time it takes to return those results will be
much faster.
This example returns the properties in the Minimum property set for the first ten mailboxes.

Get-EXOMailbox -ResultSize 10

In contrast, the same Get-Mailbox cmdlet would return at least 230 properties for the same ten mailboxes.
For details about the property sets that are available in EXO V2 module cmdlets, see Property sets in Exchange
Online PowerShell V2 cmdlets or the individual EXO V2 module cmdlet reference topics.
EXO cmdlets also provide a way to retrieve all properties for an object by using the PropertySets parameter with
the value All.
The following example returns all properties for the 10 mailboxes:

Get-EXOMailbox -ResultSize 10 -PropertySets All

NOTE
We highly discourage using the PropertySets parameter with the value All because it slows down the cmdlet and reduces
reliability. Always use the PropertySets and Properties parameters to retrieve only the required properties.

Property sets in Exchange Online PowerShell V2 cmdlets
11/7/2019 • 2 minutes to read

This topic describes the property sets that are available in the new cmdlets in the Exchange Online PowerShell V2
module. For more information about property sets, see Properties and property sets.

Get-EXOCasMailbox property sets


The available property sets for the Get-EXOCasMailbox cmdlet and the properties they contain are described in
the following table:

PropertySet Properties

Minimum ActiveSyncEnabled
DisplayName
ECPEnabled
EmailAddresses
EwsEnabled
ExchangeVersion
Guid
Identity
ImapEnabled
MAPIEnabled
Name
OWAEnabled
OrganizationId
PopEnabled
PrimarySmtpAddress
ServerLegacyDN

ActiveSync ActiveSyncAllowedDeviceIDs
ActiveSyncBlockedDeviceIDs
ActiveSyncEnabled
ActiveSyncMailboxPolicy
ActiveSyncMailboxPolicyIsDefaulted
ActiveSyncSuppressReadReceipt
ExternalDirectoryObjectId
Guid
HasActiveSyncDevicePartnership
Identity
Name
OrganizationId

Ews EwsAllowMacOutlook
EwsAllowOutlook
EwsEnabled
ExternalDirectoryObjectId
Guid
Identity
Name
OrganizationId

Imap ExternalDirectoryObjectId
Guid
Identity
ImapEnableExactRFC822Size
ImapEnabled
ImapForceICalForCalendarRetrievalOption
ImapMessagesRetrievalMimeFormat
ImapSuppressReadReceipt
ImapUseProtocolDefaults
Name
OrganizationId

Mapi ExternalDirectoryObjectId
Guid
Identity
MAPIBlockOutlookExternalConnectivity
MAPIBlockOutlookNonCachedMode
MAPIBlockOutlookRpcHttp
MAPIBlockOutlookVersions
MAPIEnabled
MapiHttpEnabled
Name
OrganizationId

Pop ExternalDirectoryObjectId
Guid
Identity
Name
OrganizationId
PopEnableExactRFC822Size
PopEnabled
PopMessagesRetrievalMimeFormat
PopSuppressReadReceipt
PopUseProtocolDefaults

ProtocolSettings ExternalDirectoryObjectId
ExternalImapSettings
ExternalPopSettings
ExternalSmtpSettings
Guid
Identity
InternalImapSettings
InternalPopSettings
InternalSmtpSettings
Name
OrganizationId

Note: The following Get-CasMailbox parameters aren't available on Get-EXOCasMailbox:


ActiveSyncDebugLogging
IgnoreDefaultScope
ReadIsOptimizedForAccessibility
SortBy
For more information, see:
Get-EXOCASMailbox
Get-CASMailbox

Get-EXOMailbox property sets


The available property sets for the Get-EXOMailbox cmdlet and the properties they contain are described in the
following table:

PropertySet Properties

Minimum Alias
DisplayName
DistinguishedName
EmailAddresses
ExchangeVersion
ExternalDirectoryObjectId
Guid
Id
Name
OrganizationId
PrimarySmtpAddress
RecipientType
RecipientTypeDetails
UserPrincipalName

AddressList AddressBookPolicy
AddressListMembership
ExternalDirectoryObjectId
GeneratedOfflineAddressBooks
HiddenFromAddressListsEnabled
OfflineAddressBook

Archive ArchiveDatabase
ArchiveDomain
ArchiveGuid
ArchiveName
ArchiveQuota
ArchiveRelease
ArchiveState
ArchiveStatus
ArchiveWarningQuota
AutoExpandingArchiveEnabled
DisabledArchiveDatabase
DisabledArchiveGuid
ExternalDirectoryObjectId
JournalArchiveAddress

Audit AuditAdmin
AuditDelegate
AuditEnabled
AuditLogAgeLimit
AuditOwner
DefaultAuditSet
ExternalDirectoryObjectId

Custom CustomAttribute1
CustomAttribute2
CustomAttribute3
CustomAttribute4
CustomAttribute5
CustomAttribute6
CustomAttribute7
CustomAttribute8
CustomAttribute9
CustomAttribute10
CustomAttribute11
CustomAttribute12
CustomAttribute13
CustomAttribute14
CustomAttribute15
ExtensionCustomAttribute1
ExtensionCustomAttribute2
ExtensionCustomAttribute3
ExtensionCustomAttribute4
ExtensionCustomAttribute5
ExternalDirectoryObjectId

Delivery AcceptMessagesOnlyFrom
AcceptMessagesOnlyFromDLMembers
AcceptMessagesOnlyFromSendersOrMembers
DeliverToMailboxAndForward
DowngradeHighPriorityMessagesEnabled
ExternalDirectoryObjectId
ForwardingAddress
ForwardingSmtpAddress
GrantSendOnBehalfTo
MaxBlockedSenders
MaxReceiveSize
MaxSafeSenders
MaxSendSize
MessageCopyForSendOnBehalfEnabled
MessageCopyForSentAsEnabled
MessageRecallProcessingEnabled
MessageTrackingReadStatusEnabled
RecipientLimits
RejectMessagesFrom
RejectMessagesFromDLMembers
RejectMessagesFromSendersOrMembers
RulesQuota

Hold ComplianceTagHoldApplied
DelayHoldApplied
ExternalDirectoryObjectId
InPlaceHolds
InactiveMailboxRetireTime
LitigationHoldDate
LitigationHoldDuration
LitigationHoldEnabled
LitigationHoldOwner

Moderation BypassModerationFromSendersOrMembers
ExternalDirectoryObjectId
ModeratedBy
ModerationEnabled
SendModerationNotifications

Move ExternalDirectoryObjectId
MailboxMoveBatchName
MailboxMoveFlags
MailboxMoveRemoteHostName
MailboxMoveSourceMDB
MailboxMoveStatus
MailboxMoveTargetMDB

Policy AddressBookPolicy
DataEncryptionPolicy
EmailAddressPolicyEnabled
ExternalDirectoryObjectId
ManagedFolderMailboxPolicy
PoliciesExcluded
PoliciesIncluded
RemoteAccountPolicy
RetentionPolicy
RetentionUrl
RoleAssignmentPolicy
SharingPolicy
ThrottlingPolicy

PublicFolder DefaultPublicFolderMailbox
EffectivePublicFolderMailbox
ExternalDirectoryObjectId
IsExcludedFromServingHierarchy
IsHierarchyReady
IsHierarchySyncEnabled
IsRootPublicFolderMailbox

Quota ArchiveQuota
ArchiveWarningQuota
CalendarLoggingQuota
ExternalDirectoryObjectId
IssueWarningQuota
ProhibitSendQuota
ProhibitSendReceiveQuota
RecoverableItemsQuota
RecoverableItemsWarningQuota
RulesQuota
UseDatabaseQuotaDefaults

Resource ExternalDirectoryObjectId
IsResource
ResourceCapacity
ResourceCustom
ResourceType
RoomMailboxAccountEnabled

Retention EndDateForRetentionHold
ExternalDirectoryObjectId
OrphanSoftDeleteTrackingTime
RetainDeletedItemsFor
RetainDeletedItemsUntilBackup
RetentionComment
RetentionHoldEnabled
RetentionPolicy
RetentionUrl
SingleItemRecoveryEnabled
StartDateForRetentionHold
UseDatabaseRetentionDefaults

SCL AntispamBypassEnabled
ExternalDirectoryObjectId
SCLDeleteEnabled
SCLDeleteThreshold
SCLJunkEnabled
SCLJunkThreshold
SCLQuarantineEnabled
SCLQuarantineThreshold
SCLRejectEnabled
SCLRejectThreshold

SoftDelete ExternalDirectoryObjectId
IncludeInGarbageCollection
IsInactiveMailbox
IsSoftDeletedByDisable
IsSoftDeletedByRemove
WhenSoftDeleted

StatisticsSeed ArchiveDatabaseGuid
DatabaseGuid
ExchangeGuid
ExternalDirectoryObjectId

Note: The following Get-Mailbox parameters aren't available on Get-EXOMailbox:


Async
GroupMailbox
Migration
PublicFolder
SortBy
For more information, see:
Get-EXOMailbox
Get-Mailbox
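A worked use of property sets for a security review, added here as an example and not taken from Microsoft's documentation: it requests only the Minimum, Delivery and Audit property sets listed above and flags external forwarding and disabled auditing. The function name Get-MailboxSecurityFinding, the InternalDomain parameter and the sample mailbox objects are constructed for this example.

```powershell
function Get-MailboxSecurityFinding {
    [CmdletBinding()]
    param(
        # Mailbox objects, for example from:
        #   Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum,Delivery,Audit
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Mailbox,

        # Domains treated as internal (assumption: supplied by the caller).
        [Parameter(Mandatory)]
        [string[]] $InternalDomain
    )
    process {
        # With PropertySets/Properties you only get what you asked for. A missing
        # property would read as $null and produce a false "auditing disabled"
        # finding, so refuse input that was fetched without the needed sets.
        $required = 'UserPrincipalName', 'ForwardingSmtpAddress',
                    'DeliverToMailboxAndForward', 'AuditEnabled'
        $present  = $Mailbox.PSObject.Properties.Name
        $missing  = $required | Where-Object { $present -notcontains $_ }
        if ($missing) {
            Write-Error ("Input object lacks: {0}. Request -PropertySets Minimum,Delivery,Audit." -f ($missing -join ', '))
            return
        }

        $findings = @()

        # ForwardingSmtpAddress is normally returned as "smtp:user@domain".
        $forward = [string]$Mailbox.ForwardingSmtpAddress
        if ($forward) {
            $address = $forward -replace '^smtp:', ''
            $domain  = ($address -split '@')[-1]
            if ($InternalDomain -notcontains $domain) {
                $findings += "Forwards to external address $address"
                if (-not $Mailbox.DeliverToMailboxAndForward) {
                    $findings += 'Forwarded mail is not kept in the mailbox'
                }
            }
        }

        if (-not $Mailbox.AuditEnabled) {
            $findings += 'Mailbox auditing is disabled'
        }

        foreach ($finding in $findings) {
            [pscustomobject]@{
                UserPrincipalName = $Mailbox.UserPrincipalName
                Finding           = $finding
            }
        }
    }
}

# Constructed sample objects standing in for Get-EXOMailbox output.
$sampleMailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'
                       ForwardingSmtpAddress = $null
                       DeliverToMailboxAndForward = $false
                       AuditEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com'
                       ForwardingSmtpAddress = 'smtp:bob@example.net'
                       DeliverToMailboxAndForward = $false
                       AuditEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'
                       ForwardingSmtpAddress = 'smtp:team@contoso.com'
                       DeliverToMailboxAndForward = $true
                       AuditEnabled = $false }
    # Fetched without the Audit property set: rejected instead of misreported.
    [pscustomobject]@{ UserPrincipalName = 'dave@contoso.com'
                       ForwardingSmtpAddress = $null
                       DeliverToMailboxAndForward = $false }
)

$sampleMailboxes | Get-MailboxSecurityFinding -InternalDomain 'contoso.com'
```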

Get-EXORecipient property sets


The available property sets for the Get-EXORecipient cmdlet and the properties they contain are described in the
following table:

PropertySet Properties

Minimum ExchangeVersion
ExternalDirectoryObjectID
Name
OrganizationId
RecipientType
RecipientTypeDetails

Archive ArchiveDatabase
ArchiveGuid
ArchiveRelease
ArchiveState
ArchiveStatus

Custom CustomAttribute1
CustomAttribute2
CustomAttribute3
CustomAttribute4
CustomAttribute5
CustomAttribute6
CustomAttribute7
CustomAttribute8
CustomAttribute9
CustomAttribute10
CustomAttribute11
CustomAttribute12
CustomAttribute13
CustomAttribute14
CustomAttribute15
ExtensionCustomAttribute1
ExtensionCustomAttribute2
ExtensionCustomAttribute3
ExtensionCustomAttribute4
ExtensionCustomAttribute5

MailboxMove MailboxMoveBatchName
MailboxMoveFlags
MailboxMoveRemoteHostName
MailboxMoveSourceMDB
MailboxMoveStatus
MailboxMoveTargetMDB

Policy ActiveSyncMailboxPolicy
ActiveSyncMailboxPolicyIsDefaulted
AddressBookPolicy
EmailAddressPolicyEnabled
ManagedFolderMailboxPolicy
OwaMailboxPolicy
PoliciesExcluded
PoliciesIncluded
RetentionPolicy
SharingPolicy
ShouldUseDefaultRetentionPolicy
UMMailboxPolicy

Note: The following Get-Recipient parameters aren't available on Get-EXORecipient:


SortBy
For more information, see:
Get-EXORecipient
Get-Recipient

Get-EXOMailboxStatistics property sets

The available property sets for the Get-EXOMailboxStatistics cmdlet and the properties they contain are
described in the following table:

PropertySet Properties

Minimum DeletedItemCount
DisplayName
ItemCount
MailboxGuid
TotalDeletedItemSize
TotalItemSize

All AssociatedItemCount
AttachmentTableAvailableSize
AttachmentTableTotalSize
DatabaseIssueWarningQuota
DatabaseName
DatabaseProhibitSendQuota
DatabaseProhibitSendReceiveQuota
DeletedItemCount
DisconnectDate
DisconnectReason
DisplayName
DumpsterMessagesPerFolderCountReceiveQuota
DumpsterMessagesPerFolderCountWarningQuota
ExternalDirectoryOrganizationId
FastIsEnabled
FolderHierarchyChildrenCountReceiveQuota
FolderHierarchyChildrenCountWarningQuota
FolderHierarchyDepthReceiveQuota
FolderHierarchyDepthWarningQuota
FoldersCountReceiveQuota
FoldersCountWarningQuota
IsAbandonedMoveDestination
IsArchiveMailbox
IsDatabaseCopyActive
IsHighDensityShard
IsMoveDestination
IsQuarantined
ItemCount
LastLoggedOnUserAccount
LastLogoffTime
LastLogonTime
LegacyDN
MailboxGuid
MailboxMessagesPerFolderCountReceiveQuota
MailboxMessagesPerFolderCountWarningQuota
MailboxType
MailboxTypeDetail
MessageTableAvailableSize
MessageTableTotalSize
NamedPropertiesCountQuota
NeedsToMove
OtherTablesAvailableSize
OtherTablesTotalSize
OwnerADGuid
QuarantineClients
QuarantineDescription
QuarantineEnd
QuarantineFileVersion
QuarantineLastCrash
ResourceUsageRollingAvgDatabaseReads
ResourceUsageRollingAvgRop
ResourceUsageRollingClientTypes
ServerName
StorageLimitStatus
SystemMessageCount
SystemMessageSize
SystemMessageSizeShutoffQuota
SystemMessageSizeWarningQuota
TotalDeletedItemSize
TotalItemSize

For more information, see:


Get-EXOMailboxStatistics
Get-MailboxStatistics

Office 365 Security & Compliance Center PowerShell
9/20/2019 • 2 minutes to read

Security & Compliance Center PowerShell is the administrative interface that enables you to manage your Office
365 Security & Compliance Center settings from the command line. For example, you can use Security &
Compliance Center PowerShell to perform Compliance Searches and configure access to the Security &
Compliance Center. The following topics provide information about using Security & Compliance Center
PowerShell:
To create a remote PowerShell session to the Security & Compliance Center, see Connect to Office 365
Security & Compliance Center PowerShell. Note that the connection instructions are different from
Exchange Online or Exchange Online Protection (the ConnectionUri value is different).
A cmdlet is a lightweight command that is imported into your local Windows PowerShell session. Note that
some cmdlets are available only in the Security & Compliance Center. Other cmdlets have the same names
and functionality as those in Exchange Online, but they are also available in the Security & Compliance
Center.

Connect to Office 365 Security & Compliance Center PowerShell
9/23/2019 • 5 minutes to read

Office 365 Security & Compliance Center PowerShell allows you to manage your Office 365 Security &
Compliance Center settings from the command line. You use Windows PowerShell on your local computer to
create a remote PowerShell session to the Security & Compliance Center. It's a simple three-step process where
you enter your Office 365 credentials, provide the required connection settings, and then import the Security &
Compliance Center cmdlets into your local Windows PowerShell session so that you can use them.

NOTE
The procedures in this topic won't work if:
• Your account uses multi-factor authentication (MFA).
• Your organization uses federated authentication.
• A location condition in an Azure Active Directory conditional access policy restricts your access to trusted IPs.
In these scenarios, you need to download and use the Exchange Online Remote PowerShell Module to connect to Security
& Compliance Center PowerShell. For instructions, see Connect to Office 365 Security & Compliance Center PowerShell using
multi-factor authentication.

Some features in the Security & Compliance Center (for example, mailbox archiving) link to existing functionality in the
Exchange admin center (EAC). To use PowerShell with these features, you need to connect to Exchange Online PowerShell
instead of Security & Compliance Center PowerShell. For instructions, see Connect to Exchange Online PowerShell.

For more information about the Security & Compliance Center, see Office 365 Security & Compliance Center.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
Office 365 global admins have access to the Security & Compliance Center, but everyone else needs to
have their access configured for them. For details, see Give users access to the Office 365 Security &
Compliance Center.
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and
then an updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For
more information, see Installing the .NET Framework, Windows Management Framework 3.0,
Windows Management Framework 4.0, and Windows Management Framework 5.1.
Windows PowerShell needs to be configured to run scripts, and by default, it isn't. You'll get the following
error when you try to connect:
Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate
with which to sign the files.

To require that all PowerShell scripts that you download from the internet are signed by a trusted publisher, run
the following command in an elevated Windows PowerShell window (a Windows PowerShell window you
open by selecting Run as administrator):

Set-ExecutionPolicy RemoteSigned

You need to configure this setting only once on your computer, not every time you connect.

Connect to the Security & Compliance Center


1. On your local computer, open Windows PowerShell and run the following command:

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box that appears, type your work or school
account and password, and then click OK.
2. Run the following command:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Notes:
For Office 365 Germany, use the ConnectionUri value:
https://ps.compliance.protection.outlook.de/powershell-liveid/ .
For Office 365 Government Community Cloud High (GCC High), use the ConnectionUri value:
https://ps.compliance.protection.office365.us/powershell-liveid/ .

If you want to connect to Security & Compliance Center PowerShell in the same window as an active
Exchange Online PowerShell connection, you need to add the Prefix parameter and value (for
example, -Prefix "CC") to the end of the Import-PSSession command in Step 3 to prevent cmdlet name
collisions (both environments share some cmdlets with the same names).
3. Run the following command:

Import-PSSession $Session -DisableNameChecking

NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell window
without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and you'll need to
wait for the sessions to expire. To disconnect the remote PowerShell session, run the following command:
Remove-PSSession $Session

How do you know this worked?


After Step 3, the Security & Compliance Center cmdlets are imported into your local Windows PowerShell session
as tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run a
Security & Compliance Center cmdlet, for example, Get-RetentionCompliancePolicy, and see the results.
If you receive errors, check the following requirements:
A common problem is an incorrect password. Run the three steps again and pay close attention to the user
name and password you enter in Step 1.
Verify that your account has permission to access the Security & Compliance Center. For details, see Give
users access to the Office 365 Security & Compliance Center.
To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections
to the Security & Compliance Center.
TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but
it's something to consider if your organization has a restrictive Internet access policy.
The New-PSSession command (Step 2) might fail to connect if your client IP address changes during the
connection request. This can happen if your organization uses a source network address translation (SNAT)
pool that contains multiple IP addresses. The connection error looks like this:
The request for the Windows Remote Shell with ShellId <ID> failed because the shell was not found on the
server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the
server. Provide the correct ShellId or create a new shell and retry the operation.

To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address
for connections to the Security & Compliance Center PowerShell endpoint.

See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New-PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy

Connect to Office 365 Security & Compliance Center PowerShell using multi-factor authentication
10/30/2019 • 5 minutes to read

If your account uses multi-factor authentication (MFA) or federated authentication, you can't use the instructions at
Connect to Office 365 Security & Compliance Center PowerShell to use remote PowerShell to connect to the
Office 365 Security & Compliance Center. Instead, you need to install the Exchange Online Remote PowerShell
Module, and use the Connect-IPPSSession cmdlet to connect to Security & Compliance Center PowerShell.

NOTE
• Delegated Access Permission (DAP) partners can't use the procedures in this topic to connect to their customer tenant
organizations in Security & Compliance Center PowerShell. MFA and the Exchange Online Remote PowerShell Module don't
work with delegated authentication.

• The Exchange Online Remote PowerShell Module is not supported in PowerShell Core (macOS, Linux, or Windows Nano
Server). As a workaround, you can install the module on a computer that's running a supported version of Windows (physical
or virtual), and use remote desktop software to connect.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and
then an updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For
more information, see Installing the .NET Framework, Windows Management Framework 3.0,
Windows Management Framework 4.0, and Windows Management Framework 5.1.
The Exchange Online Remote PowerShell Module needs to be installed on your computer. If your installed
version of the Exchange Online Remote PowerShell Module doesn't have the Connect-IPPSSession
cmdlet, you need to install the latest version of the module:
1. In Internet Explorer or Edge, open the Exchange admin center (EAC) for your Exchange Online
organization. For instructions, see Exchange admin center in Exchange Online.
Note: Internet Explorer or Edge is required because the download in the next step uses ClickOnce, so
Google Chrome or Mozilla Firefox won't work.
2. In the EAC, go to Hybrid > Setup and click the appropriate Configure button to download the
Exchange Online Remote PowerShell Module for multi-factor authentication.

3. In the Application Install window that opens, click Install.

Windows Remote Management (WinRM) on your computer needs to allow basic authentication (it's
enabled by default). To verify that basic authentication is enabled, run this command in a Command
Prompt:

winrm get winrm/config/client/auth

If you don't see the value Basic = true , you need to run this command from an elevated Command
Prompt (a Command Prompt window you open by selecting Run as administrator) to enable basic
authentication for WinRM:

winrm set winrm/config/client/auth @{Basic="true"}

If basic authentication is disabled, you'll get this error when you try to connect:
The WinRM client cannot process the request. Basic authentication is currently disabled in the client
configuration. Change the client configuration and try the request again.

TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.

Connect to Security & Compliance Center PowerShell by using MFA or federated authentication

1. On your local computer, open the Exchange Online Remote PowerShell Module (Microsoft
Corporation > Microsoft Exchange Online Remote PowerShell Module).
2. The command that you need to run uses the following syntax:

Connect-IPPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]

<UPN> is your Office 365 work or school account.


The <ConnectionUri> and <AzureADUri> values depend on the location of your Office 365
organization as described in the following table:

OFFICE 365 OFFERING    CONNECTIONURI PARAMETER VALUE    AZUREADAUTHORIZATIONENDPOINTURI PARAMETER VALUE

Office 365    Not used    Not used

Office 365 Germany    https://ps.compliance.protection.outlook.de/PowerShell-LiveID    https://login.microsoftonline.de/common

This example connects to the Security & Compliance Center in Office 365 using the account
chris@contoso.com.

Connect-IPPSSession -UserPrincipalName chris@contoso.com

This example connects to the Security & Compliance Center in Office 365 Germany using the account
lukas@fabrikam.com.

Connect-IPPSSession -UserPrincipalName lukas@fabrikam.com -ConnectionUri https://ps.compliance.protection.outlook.de/PowerShell-LiveID -AzureADAuthorizationEndPointUri https://login.microsoftonline.de/common

3. In the sign-in window that opens, enter your password, and then click Sign in.

For MFA, a verification code is generated and delivered based on the verification response option that's
configured for your account (for example, a text message or the Azure Authenticator app on your mobile
phone).
4. (MFA only): In the verification window that opens, enter the verification code, and then click Sign in.

5. (Optional): If you want to connect to an Exchange Online PowerShell module session in the same window,
you need to run

$EXOSession=New-ExoPSSession -UserPrincipalName <UPN> [-ConnectionUri <ConnectionUri> -AzureADAuthorizationEndPointUri <AzureADUri>]

and then import the Exchange Online session into the current one using a specific prefix:

Import-PSSession $EXOSession -Prefix EXO

How do you know this worked?


After you sign in, the Security & Compliance Center cmdlets are imported into your Exchange Online Remote
PowerShell Module session and tracked by a progress bar. If you don't receive any errors, you connected
successfully. A quick test is to run a Security & Compliance Center cmdlet, for example,
Get-RetentionCompliancePolicy, and see the results.
If you receive errors, check the following requirements:
To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell connections
to the Security & Compliance Center.
The account you use to connect to the Security & Compliance Center must be enabled for remote
PowerShell. For more information, see Enable or disable access to Exchange Online PowerShell.
TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but
it's something to consider if your organization has a restrictive Internet access policy.
The Connect-IPPSSession command (Step 2) might fail to connect if your client IP address changes
during the connection request. This can happen if your organization uses a source network address
translation (SNAT) pool that contains multiple IP addresses. The connection error looks like this:
The request for the Windows Remote Shell with ShellId <ID> failed because the shell was not found on the
server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the
server. Provide the correct ShellId or create a new shell and retry the operation.

To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address
for connections to the Security & Compliance PowerShell endpoint.

Exchange Online Protection PowerShell
10/30/2019 • 2 minutes to read

Exchange Online Protection PowerShell is the administrative interface that enables you to manage your Exchange
Online Protection (EOP) organization from the command line. For example, you can use Exchange Online
Protection PowerShell to configure mail flow rules (also known as transport rules) and connectors.

NOTE
Exchange Online Protection PowerShell is only used in standalone EOP organizations (for example, you have a standalone
EOP subscription to protect your on-premises email environment). If you have an Office 365 subscription that includes EOP
(E3, E5, etc.), you don't use Exchange Online Protection PowerShell; the same features are available in Exchange Online
PowerShell.

The following topics provide information about using Exchange Online Protection PowerShell:
To create a remote PowerShell session to your standalone Exchange Online Protection organization, see
Connect to Exchange Online Protection PowerShell.
For a sample script that lets admins who manage multiple tenants (companies) apply configuration settings
to their tenants, see Sample script for applying EOP settings to multiple tenants.
The following introductory video shows you how to connect to and use Exchange Online Protection
PowerShell.
Note: This video applies to Exchange Online and standalone EOP organizations. When you connect to your
organization, be sure to specify the correct URL (ConnectionUri value). The required URL is different for
Exchange Online and standalone EOP organizations.
Use Remote PowerShell in EOP

Connect to Exchange Online Protection PowerShell
10/16/2019 • 4 minutes to read

Exchange Online Protection PowerShell allows you to manage your Exchange Online Protection organization
from the command line. You use Windows PowerShell on your local computer to create a remote PowerShell
session to Exchange Online Protection. It's a simple three-step process where you enter your Office 365
credentials, provide the required connection settings, and then import the Exchange Online Protection cmdlets
into your local Windows PowerShell session so that you can use them.

What do you need to know before you begin?


Estimated time to complete: 5 minutes
Exchange Online Protection PowerShell is only used in standalone EOP organizations (for example, you
have a standalone EOP subscription to protect your on-premises email environment). If you have an Office
365 subscription that includes EOP (E3, E5, etc.), you don't use Exchange Online Protection PowerShell; the
same features are available in Exchange Online PowerShell.
You can use the following versions of Windows:
Windows 10
Windows 8.1
Windows Server 2019
Windows Server 2016
Windows Server 2012 or Windows Server 2012 R2
Windows 7 Service Pack 1 (SP1)*
Windows Server 2008 R2 SP1*
*For older versions of Windows, you need to install the Microsoft .NET Framework 4.5 or later and
then an updated version of the Windows Management Framework: 3.0, 4.0, or 5.1 (only one). For
more information, see Installing the .NET Framework, Windows Management Framework 3.0,
Windows Management Framework 4.0, and Windows Management Framework 5.1.
Windows PowerShell needs to be configured to run scripts, and by default, it isn't. You'll get the
following error when you try to connect:
Files cannot be loaded because running scripts is disabled on this system. Provide a valid
certificate with which to sign the files.

To require that all scripts that you download from the internet are signed by a trusted publisher, run the
following command in an elevated Windows PowerShell window (a Windows PowerShell window
you open by selecting Run as administrator):

Set-ExecutionPolicy RemoteSigned

You need to configure this setting only once on your computer, not every time you connect.
TIP
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange
Online Protection.

Connect to Exchange Online Protection


1. On your local computer, open Windows PowerShell and run the following command:

$UserCredential = Get-Credential

In the Windows PowerShell Credential Request dialog box, type your work or school account and
password, and then click OK.
2. Run the following command:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Notes:
For Office 365 Germany, use the ConnectionUri value:
https://ps.protection.outlook.de/powershell-liveid/

For Exchange Online Protection subscriptions that are Exchange Enterprise CAL with Services
(includes data loss prevention (DLP) and reporting using web services), use the ConnectionUri value:
https://outlook.office365.com/powershell-liveid/

3. Run the following command:

Import-PSSession $Session -DisableNameChecking

NOTE
Be sure to disconnect the remote PowerShell session when you're finished. If you close the Windows PowerShell
window without disconnecting the session, you could use up all the remote PowerShell sessions available to you, and
you'll need to wait for the sessions to expire. To disconnect the remote PowerShell session, run the following
command:

Remove-PSSession $Session
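The three connection steps and the disconnect note above (the same pattern as the Security & Compliance Center procedure earlier on this page), as an added example that is not Microsoft's own script: a try/finally block removes the session even when a command fails, so an aborted run does not keep using one of the three allowed connections. The variable names $ConnectionUri, $MaxSessions and $Module are assumptions of this example.

```powershell
# ConnectionUri values are the ones given on this page; use the one for your environment.
$ConnectionUri = 'https://ps.protection.outlook.com/powershell-liveid/'                # standalone EOP
# $ConnectionUri = 'https://ps.compliance.protection.outlook.com/powershell-liveid/'  # Security & Compliance Center

# The service allows three open remote PowerShell connections. Clean up sessions
# in this window that are already dead, then refuse to open a fourth.
# This only sees sessions created in the current PowerShell process; sessions
# left behind by a closed window are not visible here and have to expire.
$MaxSessions = 3
$existing = @(Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' })
$existing | Where-Object { @('Broken', 'Closed') -contains [string]$_.State } | Remove-PSSession
$open = @($existing | Where-Object { [string]$_.State -eq 'Opened' })
if ($open.Count -ge $MaxSessions) {
    throw "There are already $($open.Count) open Exchange sessions in this window. Remove one before connecting."
}

# Step 1: credentials.
$UserCredential = Get-Credential

$Session = $null
$Module  = $null
try {
    # Step 2: create the session. -ErrorAction Stop turns a failed connection
    # into a terminating error so the import below is never attempted without one.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection -ErrorAction Stop

    # Step 3: import the remote cmdlets. Import-PSSession returns the temporary
    # module that holds them, which is kept so it can be unloaded afterwards.
    $Module = Import-PSSession $Session -DisableNameChecking -ErrorAction Stop

    # Work goes here. Get-TransportRule is the quick test this page suggests for EOP.
    Get-TransportRule | Select-Object Name, State, Priority
}
finally {
    # Runs on success, on error and on Ctrl+C: always release the connection.
    if ($Session) { Remove-PSSession $Session }
    if ($Module)  { Remove-Module -ModuleInfo $Module -ErrorAction SilentlyContinue }
}
```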

How do you know this worked?


After Step 3, the Exchange Online Protection cmdlets are imported into your local Windows PowerShell session
and tracked by a progress bar. If you don't receive any errors, you connected successfully. A quick test is to run an
Exchange Online Protection cmdlet, for example, Get-TransportRule, and see the results.
If you receive errors, check the following requirements:
A common problem is an incorrect password. Run the three steps again and pay close attention to the user
name and password you enter in Step 1.
To help prevent denial-of-service (DoS) attacks, you're limited to three open remote PowerShell
connections to your Exchange Online Protection organization.
TCP port 80 traffic needs to be open between your local computer and Office 365. It's probably open, but
it's something to consider if your organization has a restrictive Internet access policy.
The account you use to connect to Exchange Online Protection PowerShell must be represented as a mail
user in EOP (created manually or by directory synchronization). If the account is not visible in the Exchange
admin center (EAC) as a mail user at Recipients > Contacts, you'll receive the following error when you
try to connect:
Import-PSSession : Running the Get-Command command in a remote session reported the following error:
Processing data for a remote command failed with the following error message: The request for the
Windows Remote Shell with ShellId <GUID> failed because the shell was not found on the server. Possible
causes are: the specified ShellId is incorrect or the shell no longer exists on the server. Provide the
correct ShellId or create a new shell and retry the operation.

The New-PSSession command (Step 2) might fail to connect if your client IP address changes during the
connection request. This can happen if your organization uses a source network address translation (SNAT)
pool that contains multiple IP addresses. The connection error looks like this:
The request for the Windows Remote Shell with ShellId <ID> failed because the shell was not found on the
server. Possible causes are: the specified ShellId is incorrect or the shell no longer exists on the
server. Provide the correct ShellId or create a new shell and retry the operation.

To fix the issue, use an SNAT pool that contains a single IP address, or force the use of a specific IP address
for connections to the Exchange Online Protection PowerShell endpoint.

See also
The cmdlets that you use in this topic are Windows PowerShell cmdlets. For more information about these
cmdlets, see the following topics.
Get-Credential
New-PSSession
Import-PSSession
Remove-PSSession
Set-ExecutionPolicy
