Create Active Directory Exchange Reports with PowerShell
Microsoft Exchange is a popular email server software used by businesses and organizations worldwide. One of the key features of Exchange is the ability to generate reports on various aspects of the server and its usage. These reports provide valuable insights into the performance and health of the Exchange server, as well as the usage patterns of its users.
This article explores how to generate these reports using PowerShell, a powerful command line scripting language. We look at some common report types, the PowerShell cmdlets used to create them, and some best practices for working with PowerShell and Exchange. By the end of this article, we should understand how to generate and work with Exchange reports in PowerShell.
Let's start with creating Active Directory Exchange reports with PowerShell.
Create Active Directory Exchange Reports with PowerShell
- We must have the appropriate permissions to run PowerShell commands on the Exchange server. Having these permissions typically means being a member of the Exchange Organization Management group or being assigned the proper roles and permissions.
- We must have the Exchange Management Shell installed on our computer. The Exchange Management Shell is a PowerShell module with cmdlets specifically designed to manage Exchange servers. Typically, the Exchange Management Shell is installed on a Windows Server that runs Exchange services.
- We need to establish a remote PowerShell session with the Exchange server. This can be done using the Connect-ExchangeServer cmdlet, which allows us to connect to the server using our Exchange credentials.
- Alternatively, we can import the Exchange Management Shell module into our PowerShell session using the Import-Module cmdlet, followed by the module's name.
Using the Get Mail Commands in PowerShell
The PowerShell Get-Mail* cmdlets are powerful tools for managing and working with email messages in Microsoft Exchange. They allow us to retrieve specific email messages or groups of messages based on various criteria, such as sender, recipient, subject, or date range. In addition, we can use them to view the details of individual messages or to export them to a file for further analysis.
Here are a few examples of the Get-Mail commands.
Generating an Email Traffic Report
Email traffic reports generated by the Get-MailTrafficSummaryReport command help us analyse an organization's email traffic by providing information such as the number of emails sent and received, the number of spam messages received and sent, malware, spoofed emails, and so on.
By default, the command retrieves email traffic for the last seven (7) days. We can, however, retrieve up to the previous 90 days of email statistics by using the -StartDate and -EndDate parameters. Here are a few examples:
Inbound and Outbound Email Traffic Report
Run the cmdlet with the -Direction parameter to get incoming and outgoing email traffic separately:
Get-MailTrafficSummaryReport -Direction Inbound -StartDate 6/13/22 -EndDate 6/15/22
We can do the same to view outbound traffic:
Get-MailTrafficSummaryReport -Direction Outbound
We can use the -EventType parameter values to determine what happened to messages after the service filtered them:
Get-MailTrafficSummaryReport -Direction Inbound -EventType GoodMail -StartDate 7/1/22 -EndDate 7/31/22
To learn about messages that were flagged as spoofed by anti-spoofing software:
Get-MailTrafficSummaryReport -EventType SpoofMail
Please note that the output of the command will depend on the specific configuration of your Exchange Server and the mail traffic during the specified period.
Exchange Sent and Received Email Report
Additionally, administrators frequently want to know how many emails users send and receive. We can use the Get-MailTrafficTopReport cmdlet to view these email statistics. The cmdlet below displays the count of emails sent and received by users over the last 7 days:
Get-MailTrafficTopReport -EventType TopMailUser
Get-MailTrafficTopReport -EventType TopMailUser -Direction Inbound -StartDate 7/15/22 -EndDate 7/20/22
Office 365 Mail Flow Status Report
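Before using this command, ensure you are currently authenticated with a hybrid server connected to Office 365. Alternatively, you may connect and authenticate directly to Office 365 with the following commands:
# Note: Exchange Online no longer accepts Basic authentication for remote PowerShell; Connect-ExchangeOnline (ExchangeOnlineManagement module) connects with modern authentication.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUrl https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Load the Exchange cmdlets from the remote session into the local session
Import-PSSession $Session -DisableNameChecking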
The mail flow status report generated by the command Get-MailFlowStatusReport displays information about blocked incoming and outgoing emails by edge protection:
Get-MailFlowStatusReport | ft Date, EventType, MessageCount
Generating an Email Protection Report
Email protection reports help us identify spam and malware detected by Exchange Online Protection (EOP), as well as emails that match mail flow rules, DLP rules, and other criteria.
Office 365 Spam Reports
The Get-MailDetailSpamReport command displays information about spam messages sent and received by our organization. The cmdlet displays a list of spam messages detected in the last ten (10) days.
In some cases, Microsoft 365 rejects emails sent from our organization or marks them as spam. Execute the following cmdlet to identify those emails:
Get-MailDetailSpamReport -Direction Outbound
Anti-spam filters will also sometimes classify good inbound emails as spam. By checking those emails, the admin can whitelist a domain or specific address. To view inbound spam messages:
Get-MailDetailSpamReport -Direction Inbound
To view spam sent by a specific user over a specified period, use the -StartDate and -EndDate parameters:
Get-MailDetailSpamReport -SenderAddress firstname.lastname@example.org -StartDate 7/15/22 -EndDate 7/20/22
Run the cmdlet with RecipientAddress instead of SenderAddress to view spam received by a user.
Exchange Online Malware Reports
Next, the Get-MailDetailATPReport cmdlet assists in identifying emails containing malware. Run the cmdlet to see all malware sent and received in the last ten (10) days.
To view malware sent from our organization, we can use the following command:
Get-MailDetailATPReport -Direction Outbound
If we use the Inbound direction instead, the cmdlet lists detected malware emails received by our organization:
Get-MailDetailATPReport -Direction Inbound
Get-MailDetailATPReport -RecipientAddress email@example.com
Identifying the Transport Rule
The PowerShell Get-MailDetailTransportRuleReport command displays information about messages that meet the conditions specified by any transport rules. The command shows the applied transport rule and the email details for the last ten (10) days.
The example below retrieves all messages sent by firstname.lastname@example.org that met the condition defined by the transport rule between July 15, 2022, and July 20, 2022:
Get-MailDetailTransportRuleReport -TransportRule r1 -StartDate 7/15/22 -EndDate 7/20/22 -SenderAddress email@example.com
The output below is an example of a transport rule report generated by the previous command:
Run the following cmdlet to identify emails that were redirected to another email address, along with the Exchange transport rule that redirected them:
Get-MailDetailTransportRuleReport -Action RedirectMessage
Monitor Emails Detected by DLP Policy
Most organizations configure Data Loss Prevention (DLP) policies to secure their confidential email data. We can use the cmdlet Get-MailDetailDLPPolicyReport to identify messages that match the conditions defined by DLP policies.
Get Microsoft 365 Message Tracing Report
To monitor email flow, most administrators prefer message tracking. Message tracing gives administrators detailed information on messages sent, received, purged, and deleted. Among the details are:
- Sender address
- Recipient address
- Sent/received date
- Email Subject
- Email delivery status
- Email size
- Message trace ID
- Source IP address, etc.
To get the trace report, we can run the Get-MessageTrace command. By default, the cmdlet retrieves the past 48 hours of data. We can retrieve the last ten (10) days' data using the -StartDate and -EndDate parameters. To search message data older than ten days, we can use the Start-HistoricalSearch and Get-HistoricalSearch cmdlets.
The example below retrieves trace information for messages sent by a particular user during the specified period:
Get-MessageTrace -SenderAddress firstname.lastname@example.org -StartDate 7/25/22 -EndDate 7/30/22
To export the trace results to a CSV file (the path below is an example):
Get-MessageTrace | Export-Csv -Path .\MessageTrace.csv -NoTypeInformation
We can send the output to the grid view if we want to filter the message trace details:
Get-MessageTrace | Out-GridView
The command above allows us to filter or narrow down the message trace details, for example:
- By subject
- By delivery status: delivered, failed, pending, expanded, quarantined, spam-filtered, or unknown
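Get-MessageTrace returns results one page at a time, so a single call can miss messages in a busy tenant. The sketch below is an added example, not code from the original article: it pages through the ten-day window and summarises non-delivered messages per sender. The function names Get-AllMessageTrace and Get-TraceProblemSummary, the threshold, and the sample records are assumptions, and the live call expects an already connected Exchange Online session.

```powershell
# Added example: helper names, threshold and sample records are assumptions.

function Get-AllMessageTrace {
    # Requires a connected Exchange Online session. Get-MessageTrace returns
    # one page per call, so keep requesting pages until a short page arrives.
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-10),
        [datetime]$EndDate   = (Get-Date),
        [int]$PageSize       = 5000
    )
    $page = 1
    do {
        $batch = @(Get-MessageTrace -StartDate $StartDate -EndDate $EndDate -PageSize $PageSize -Page $page)
        $batch                      # emit this page to the pipeline
        $page++
    } while ($batch.Count -eq $PageSize)
}

function Get-TraceProblemSummary {
    # Counts messages per sender and status for anything that was not
    # delivered normally, and keeps groups at or above the threshold.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Trace,
        [string[]]$Status = @('Failed', 'Quarantined', 'FilteredAsSpam'),
        [int]$Threshold = 2
    )
    begin   { $rows = @() }
    process { if ($Trace.Status -in $Status) { $rows += $Trace } }
    end {
        $rows | Group-Object SenderAddress, Status |
            Where-Object Count -ge $Threshold |
            Sort-Object Count -Descending |
            Select-Object Count, @{n='Sender';e={$_.Group[0].SenderAddress}},
                                 @{n='Status';e={$_.Group[0].Status}}
    }
}

# Constructed sample records (not real trace data) to exercise the summary offline.
$sample = @(
    [pscustomobject]@{ SenderAddress='a@contoso.example'; Status='FilteredAsSpam' }
    [pscustomobject]@{ SenderAddress='a@contoso.example'; Status='FilteredAsSpam' }
    [pscustomobject]@{ SenderAddress='b@contoso.example'; Status='Delivered' }
    [pscustomobject]@{ SenderAddress='c@contoso.example'; Status='Failed' }
)
$sample | Get-TraceProblemSummary

# Live use: Get-AllMessageTrace | Get-TraceProblemSummary -Threshold 20
```

A sender that suddenly accumulates many FilteredAsSpam or Failed outbound messages is worth checking for a compromised mailbox before the tenant's sending reputation suffers.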
Thank you for reading Create Active Directory Exchange Reports with PowerShell. We shall conclude this article now.
Create Active Directory Exchange Reports with PowerShell Conclusion
In conclusion, Microsoft Exchange provides a wealth of information and insights about the performance and usage of our email server. By generating reports using PowerShell, we can access this information to improve our Exchange server's health and efficiency.
Whether we are system administrators or users, understanding how to generate and work with Exchange reports in PowerShell can be a valuable skill. By following the examples and best practices outlined in this article, we should be well on our way to mastering this powerful tool.