Exchange Online provides many different reports to monitor email activities and audit emails to aid with compliance requirements. As an Exchange admin, you need to monitor
- Employee’s emails,
- Inbound/outbound mail traffic
- Number of spams and malwares detected,
- Number of emails sent and received by a specific user,
- Emails that matched with rules, policies, etc.
If you use Microsoft 365 Admin portal to view the above information, you might suffer in searching the right portal. Also, you need to navigate to multiple admin portals like Microsoft 365 admin center, Exchange admin center, Security and Compliance center, etc. So, most admins prefer PowerShell or Microsoft 365 monitoring tool to track email activities.
Reporting and Monitoring Emails in Office 365 using PowerShell:
This blog lists the top 10 Exchange Online PowerShell cmdlets that help in monitoring and reporting employees’ email activity. With these cmdlets, you can generate the following Office 365 email reports.
- Email traffic report
- Inbound and Outbound email traffic report
- Mail flow status report
- Sent and received email count by users
- Office 365 spam reports
- Office 365 malware reports
- Identify which transport rule was applied on a mail
- Identify emails that were redirected to another email address
- Emails detected by DLP policy
- Top senders and recipient report
- Microsoft 365 message tracing report
Email Traffic Report:
Email traffic reports help you to analyze an organization’s email traffic such as the number of emails sent and received, number of spams received and sent, malware emails, spoof emails, etc.
1 |
Get-MailTrafficReport |
By default, the cmdlet retrieves email traffic for the last 7 days. By using –StartDate and -EndDate attributes, you can retrieve max of the past 90 days email statistics report.
I have also included more use-cases for this cmdlet below.
Inbound and Outbound Email Traffic Report:
To get incoming and outgoing email traffic separately, run the cmdlet with Direction param.
1 |
Get-MailTrafficReport –Direction Inbound –StartDate 6/13/21 -EndDate 6/20/21 |
The above cmdlet retrieves inbound email traffic statistics from June 13, 20021 to June 20, 2021.
To view outbound email traffic,
1 |
Get-MailTrafficReport –Direction Outbound |
The result shows outgoing email traffic data for the past 90 days.
‘EventType’ values help to analyze what happened to messages when they were filtered by the service.
To view good mail received in the last month,
1 |
Get-MailTrafficReport –Direction Inbound –EventType GoodMail –StartDate 5/1/21 -EndDate 5/31/21 |
To know messages that were marked as spoofed by anti-spoofing protection.
1 |
Get-MailTrafficReport –EventType SpoofMail |
Exchange Sent and Received Email Report:
Often, admins want to know how many emails were sent and received by users. To view these email statistics, you can use the Get-MailTrafficTopReport cmdlet.
1 |
Get-MailTrafficTopReport -EventType TopMailUser |
The above cmdlet shows the number of emails sent and received by users for the past 7 days.
To view sent mail count by users,
1 |
Get-MailTrafficTopReport -EventType TopMailUser –Direction Outbound |
To view received mail count by users for the custom period,
1 |
Get-MailTrafficTopReport -EventType TopMailUser –Direction Inbound –StartDate 6/15/21 -EndDate 6/20/21 |
Office 365 Mail Flow Status Report:
Mail flow status report shows information about incoming and outgoing emails along with the emails blocked by edge protection.
1 |
Get-MailFlowStatusReport | ft Date,EventType,MessageCount |
The above cmdlet returns message counts for a specific date range organized by the final disposition of the message. By default, the cmdlet shows the last 7 days’ data. You can get a mail flow status report for up to 90 days by specifying StartDate and EndDate.
Generate Email Protection Reports:
Email protection reports help you to identify spams and malware detected by Exchange Online Protection (EOP) and emails that match rules such as mail flow rules, DLP rules, etc.
Office 365 Spam Reports:
Get-MailDetailSpamReport cmdlet shows the details of spam messages sent and received by your organization.
1 |
Get-MailDetailSpamReport |
The above cmdlet lists spam messages detected in the last 10 days.
In some situations, emails sent from your organization are rejected or marked as spam by Microsoft 365. To identify those emails, execute the following cmdlet.
1 |
Get-MailDetailSpamReport –Direction Outbound |
Sometimes, good inbound emails are also determined as spam by anti-spam filters. By checking those emails, the admin can whitelist a domain or specific address.
To view inbound spam messages,
1 |
Get-MailDetailsSpamReport –Direction Inbound |
To view spams sent by a specific user for a custom period,
1 |
Get-MailDetailsSpamReport –SenderAddress Jones@contoso.com -StartDate 6/15/21 -EndDate 6/20/21 |
To view spams received by a user, run the cmdlet with ‘RecipientAddress’ in the place of ‘SenderAddress’.
Exchange Online Malware Reports:
The Get-MailDetailMalwareReport cmdlet helps to identify emails that contain malware.
To view all the sent and received malwares for past 10 days,
1 |
Get-MailDetailMalwareReport |
To view malwares sent from your organization,
1 |
Get-MailDetailMalwareReport –Direction Outbound |
To list detected malware emails received by your organization,
1 |
Get-MailDetailMalwareReport –Direction Inbound |
To view malwares sent by specific users,
1 |
Get-MailDetailMalwareReport –SenderAddress Jones@contoso.com |
Identify Which Transport Rule was Applied to an Email:
The Get-MailDetailTranportRuleReport cmdlet shows details of messages that matched the conditions defined by any transport rules.
1 |
Get-MailDetailTransportRuleReport |
The above PowerShell cmdlet shows the applied transport rule along with the email details for the last 10 days.
To view all the emails processed by specific transport rule,
1 |
Get-MailDetailTranportRuleReport -TransportRule <RuleName> |
The below example retrieves the messages sent by Jones@contono.com that matched the condition defined by the transport rule between June 15. 2021 and June 20, 2021.
1 |
Get-MailDetailTransportRuleReport –StartDate 6/15/21 -EndDate 6/20/21 -SenderAddress Jones@contoso.com |
Identify Emails that Redirected to Another Email Address:
To identify emails and Exchange transport rule that redirects the message to another email address, run the following cmdlet.
1 |
Get-MailDetailTransportRuleReport –Action RedirectMessage |
Monitor Emails Detected by DLP Policy:
Most organizations configure DLP policy to secure their confidential email data. To identify messages that matched the condition defined by Data Loss Prevention (DLP) policies, you can run the below cmdlet.
1 |
Get-MailDetailDLPPolicyReport |
Top Senders and Recipient Report:
Top domain mail flow status insights can be obtained using the Get-MailFlowStatusReport cmdlet. By supplying ‘Category’ value, you can get top senders and recipients reports.
To get top mail senders report,
1 |
Get-MailTrafficSummaryReport –Category TopMailSender | Select C1,C2 |
The given example retrieves top mail senders and their mail count for the last 90 days. To view top senders for the custom period, you can use –StartDate and EndDate params.
To list top mail recipients report,
1 |
Get-MailTrafficSummaryReport –Category TopMailRecipient –StartDate 6/10/21 -EndDate 6/20/21 | Select C1,C2 |
This example shows the top mail recipient statistics between June 10, 2021, and June 20, 2021.
To view top spam recipients,
1 |
Get-MailTrafficSummaryReport –Category TopSpamRecipient | Select C1,C2 |
To display the top malware recipient report,
1 |
Get-MailTrafficSummaryReport -Category TopMalwareRecipient | Select C1,C2 |
To get Office 365 top malware report,
1 |
Get-MailTrafficSummaryReport –Category TopMalware | Select C1,C2 |
Column C1 is the malware name and C2 the number of appearances.
Get Microsoft 365 Message Tracing Report:
Most admins prefer message tracking to monitor email flow. With message tracing, admins can get complete information of the sent, received, purged, and deleted message. The information includes,
- Sender address
- Recipient address
- Sent/received date
- Email Subject
- Email delivery status
- Email size
- Source IP address (From IP)
- Message trace id, etc.
To get a message tracking report, run the below cmdlet
1 |
Get-MessageTrace |
By default, the cmdlet retrieves past 48 hours of data. If you want to retrieve the last 10 days’s data, you can use –StartDate and –EndDate parameters. To search message data for more than 10 days, you can use Start-HistoricalSearch and Get-HistoricalSearch cmdlets.
The below example retrieves message trace information for messages sent by a specific user between the custom period.
1 |
Get-MessageTrace –SenderAddress John@contoso.com -StartDate 6/25/21 -EndDate 6/30/21 |
To export message trace report to CSV/Excel file,
1 |
Get-MessageTrace | Export-CSV <FilePath> -NoTypeInformation |
If you want to filter the message trace details, you can send the output to grid view.
1 |
Get-MessageTrace | Out-GridView |
In this way, you can filter or narrow down the message trace details like
- Message trace by subject,
- Message trace by delivery status such as delivered, failed, pending, expanded, quarantined, filtered as spam, and unknown.
To generate more customized message trace report or cmdlet examples for most needed use cases, you can refer to the dedicated blog on Message tracing using PowerShell.
Challenges in Generating Email Reports with PowerShell
Monitoring email activity through PowerShell is one of the toughest jobs because
- It requires different cmdlets for each email activity.
- Even after finding the right cmdlet, you need to use multiple filters and parameters to get the desired report.
- If your organization is large, you cannot retrieve all the data due to the PowerShell session expiry.
So, what if there is the easiest way to monitor employee emails? A tool like AdminDroid will help you track email activities and get an in-depth view of your organization’s mail flow activities.
AdminDroid provides 250+ pre-built email reports and smart dashboards to know more about your organization’s email activities at a glance. By using the ‘Views’ and ‘Advanced Filter’ options, you can create custom reports based on your requirement.
Each report provides AI-powered graphical analysis to gain insights and better understand the data in a visually appealing manner.
Office 365 Email Dashboards:
Additionally, AdminDroid provides 1500+ reports to get detailed reports on various Office 365 services like Azure AD, Exchange Online, SharePoint Online, Microsoft Teams, OneDrive for Business, Streams, One Note, Yammer, etc.
Besides, AdminDroid offers 100+ reports and a handful of dashboards as free to manage your organization’s users, licenses, groups, group membership, membership changes, user logins, password changes, etc. The free version allows you to perform customization, scheduling and exporting too. Download Free Office 365 reporting tool by AdminDroid and see how it helps you.
I hope this blog will help you in monitoring emails in Office 365 environment.