Active Directory & Office 365 Reporting Tool

Create Active Directory Exchange Reports with PowerShell. Microsoft Exchange is a popular email server software used by businesses and organizations worldwide. One of the key features of Exchange is the ability to generate reports on various aspects of the server and its usage. These reports provide valuable insights into the performance and health of the Exchange server, as well as the usage patterns of its users. 

This article explores how to generate these reports using PowerShell, a powerful command line scripting language. We look at some common report types, the PowerShell cmdlets used to create them, and some best practices for working with PowerShell and Exchange. We should understand how to generate and work with Exchange reports in PowerShell by the end of this article.

Shall we start with Create Active Directory Exchange Reports with PowerShell.

Create Active Directory Exchange Reports with PowerShell


To run Exchange PowerShell commands, we need to meet the following prerequisites:

  1. We must have the appropriate permissions to run PowerShell commands on the Exchange server. Accessing these permissions typically means being a member of the Exchange Organization Management group or being assigned the proper roles and permissions.
  2. We must have the Exchange Management Shell installed on our computer. The Exchange Management Shell is a PowerShell module with cmdlets specifically designed to manage Exchange servers. Commonly, the Exchange Management Shell is built inside a Windows Server with Exchange services.
  3. Suppose we are to establish a remote PowerShell session with the Exchange server. This can be done using the Connect-ExchangeServer cmdlet, which allows us to connect to the server using our Exchange credentials.
  4. Alternatively, we import the Exchange Management Shell module into our PowerShell session. We import the module using the Import-Module cmdlet, followed by the module’s name.
					Import-Module ExchangeManagementShell

Once we have met these prerequisites, we should be ready to run Exchange PowerShell commands and generate reports. In the following section of the article, we will list down multiple ways to audit our Microsoft Exchange environment.

Using the Get Mail Commands in PowerShell

The PowerShell Get-Mail cmdlet is a powerful tool for managing and working with email messages in Microsoft Exchange. It allows us to retrieve specific email messages or groups of notifications based on various criteria, such as sender, recipient, subject, or date range. In addition, we can use the Get-Mail cmdlet to view the details of individual messages or to export them to a file for further analysis.

Here are a few examples of the Get-Mail commands.

Generating an Email Traffic Report

All in all, email traffic reports generated by the Get-MailTrafficSummaryReport command assist us in analysing an organization’s email traffic by providing information such as the number of emails sent and received, the number of spams received and sent, malware, spoof emails, and so on.


The command above retrieves email traffic for the last seven (7) days by default. We can, however, recover the maximum of the previous 90 days’ email statistics report by using the -StartDate and -EndDate attributes. Here are a few examples:

Inbound and Outbound Email Traffic Report

Run the cmdlet with the Direction parameter to get incoming and outgoing email traffic separately:

					Get-MailTrafficSummaryReport –Direction Inbound –StartDate 6/13/22 -EndDate 6/15/22

The above snippet retrieves inbound email traffic statistics from June 13, 2022, to June 20, 2022.

We can do the same if we are viewing outbound traffic:

					Get-MailTrafficSummaryReport –Direction Outbound

Accordingly, we can use the -EventType parameter values to determine what happened to messages after the service filtered them:

					Get-MailTrafficSummaryReport –Direction Inbound –EventType GoodMail –StartDate 7/1/22 -EndDate 7/31/22

To learn about messages that were flagged as spoofed by anti spoofing software:

					Get-MailTrafficSummaryReport –EventType SpoofMail

Please note that the output of the command will depend on the specific configuration of your Exchange Server and the mail traffic during the specified period.

Exchange Sent and Received Email Report

Additionally, administrators frequently want to know how many emails users send and receive. We can use the Get-MailTrafficTopReport cmdlet to view these email statistics. The cmdlet below displays the count of emails sent and received by users over the last 7 days:

					Get-MailTrafficTopReport -EventType TopMailUser

View the number of emails users receive during the specified period.

					Get-MailTrafficTopReport -EventType TopMailUser –Direction Inbound –StartDate 7/15/22 -EndDate 7/20/22

Office 365 Mail Flow Status Report

Before using this command, ensure you are currently authenticated with a hybrid server converged to Office 365. Alternatively, you may connect and authenticate directly to Office 365 with the following command:

					$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUrl https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

The mail flow status report generated by the command Get-MailFlowStatusReport displays information about blocked incoming and outgoing emails by edge protection:

					Get-MailFlowStatusReport | ft Date, EventType, MessageCount

The cmdlet above returns the number of messages for a date range, organized by the message’s final disposition. By default, the command displays data from the previous seven days. However, we get a mail flow report for up to ninety days by specifying the -StartDate and -EndDate.

Improve your Active Directory Security & Azure AD

Try us out for Free, Access to all features. – 200+ AD Report templates Available. Easily customise your own AD reports.

Generating an Email Protection Report

Above all, email Protection reports assist us in identifying spam and malware by Exchange Online Protection (EOP), as well as emails that match mail flow rules, DLP rules, and other criteria.

Office 365 Spam Reports

Altogether, the Get-MailDetailSpamReport command displays information about spam messages sent and received by our organization. The cmdlet displays a list of spam messages detected in the last ten (10) days.

Hence, Microsoft 365 rejects or marks emails sent from our organization as spam in some cases. Execute the following cmdlet to identify those emails:

					Get-MailDetailSpamReport –Direction Outbound

Also, with anti-spam filters will sometimes classify good inbound emails as spam. The admin can white list a domain or specific address by checking those emails. To view inbound spam messages:

					Get-MailDetailsSpamReport –Direction Inbound

To view spam sent by a specific user over a specified period by using the -StartDate and -EndDate parameters:

					Get-MailDetailsSpamReport –SenderAddress marion@infrasos.com -StartDate 7/15/22 -EndDate 7/20/22

Run the cmdlet with RecipientAddress instead of SenderAddress to view spams received by a user.

Exchange Online Malware Reports

Next, the Get-MailDetailATPReport cmdlet assists in identifying emails containing malware. Run the cmdlet to see all malware sent and received in the last ten (10) days.

To view malware sent from our organization, we can use the following snippet below:

					Get-MailDetailATPReport –Direction Outbound

In addition, we also list detected malware emails received by our organization if we use the Inbound direction instead:

					Get-MailDetailATPReport –Direction Inbound

So, in order to view malware sent by specific users, use the -RecipientAddress parameter:

					Get-MailDetailATPReport –RecipientAddress marion@infrasos.com

Identifying the Transport Rule

The PowerShell Get-MailDetailTranportRuleReport command displays information about messages that meet the conditions specified by any transport rules. The command shows the applied transport rule and the email details for the last ten (10) days. 

The example below retrieves all messages sent by marion@infrasos.com that met the condition defined by the transport rule between July 15, 2021, and July 20, 2022:

					Get-MailDetailTransportRuleReport -TransportRule r1 –StartDate 7/15/22 -EndDate 7/20/22 -SenderAddress marion@infrasos.com

The output below is an example of a transport rule report generated by the previous command:

Please, run the following cmdlet to identify emails and the Exchange transport rule redirecting the message to another email address:

					Get-MailDetailTransportRuleReport –Action RedirectMessage

Monitor Emails Detected by DLP Policy

Most organizations configure Data Loss Prevention (DLP) policies to secure their confidential email data. We can use the cmdlet Get-MailDetailDLPPolicyReport to identify messages that match the conditions defined by DLP policies.


Get Microsoft 365 Message Tracing Report

To monitor email flow, most administrators prefer message tracking. Message tracing gives administrators detailed information on messages sent, received, purged, and deleted. Among the details are:

  • Sender address 
  • Recipient address 
  • Sent/received date 
  • Email Subject 
  • Email delivery status 
  • Email size 
  • Message trace id, etc. 
  • Source IP address

To get the trace report, we can run the Get-MessageTrace command. By default, the cmdlet retrieves the past 48 hours of data. We can retrieve the last ten (10) days’ data using the –StartDate and –EndDate parameters. We can use Start-HistoricalSearch and Get-HistoricalSearch cmdlets to search message data for more than ten days.

Basically, the example below retrieves trace information for messages sent by a particular user during the specified period:

					Get-MessageTrace –SenderAddress marion@infrasos.com -StartDate 7/25/22 -EndDate 7/30/22

To export the message trace report to a CSV file:

					Get-MessageTrace | Export-CSV  -NoTypeInformation

We can send the output to the grid view if we want to filter the message trace details:

					Get-MessageTrace | Out-GridView

The command above allows us to filter or narrow down the message trace details, such as

  • Trace messages by subject,
  • Message delivery statuses include delivered, failed, pending, expanded, quarantined, spam-filtered, and unknown

Thank you for reading Create Active Directory Exchange Reports with PowerShell. We shall conclude this article now.

Create Active Directory Exchange Reports with PowerShell Conclusion

In conclusion, Microsoft Exchange provides a wealth of information and insights about the performance and usage of our email server. By generating reports using PowerShell, we access this information to improve your Exchange server’s health and efficiency.

Whether we are system administrators or users, understanding how to generate and work with Exchange reports in PowerShell can be a valuable skill. By following the examples and best practices outlined in this article, we should be well on our way to mastering this powerful tool.


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Marion Mendoza

Marion Mendoza

Windows Server and VMware SME. Powershell Guru. Currently working with Fortune 500 companies responsible for participating in 3rd level systems support across the enterprise. Acting as a Windows Server engineer and VMware Specialist.

Comments (6)

  1. Ian Martin
    June 19, 2023

    I’ve been running the ‘Get-MailTrafficSummaryReport’ command and if I run it for any date before 6th June 23 it returns data as expected however if I run it for any date after 6th it returns NO data (doesn’t give any errors just returns the prompt with no data) I’ve tried sender, recipient and spam category’s and its the same.

    Interestingly I’ve just tried running this report:
    Microsoft 365 Defender / Reports / Email & Collaboration / Top senders and recipients
    If I use dates before 6th jun23 it shows a graph and returns data
    Any date after the 6th Jun 23 empty graph and no data
    So even the Microsoft website is showing the same missing data!

    Anyone else seeing this?

  2. Ian Martin
    June 28, 2023

    Still nothing except a daily message from MS:

    We are engaging with our next level team investigation still ongoing, once we get, we will connect with you.
    Still, we haven’t proper update, once we had we will connect with you.
    We are appreciating your patience.
    Microsoft 365 Support Engineer

    Can’t say I’m filled with confidence.

  3. Ian Martin
    July 14, 2023

    I’ve just had an email from MS saying the issue is now fixed. I have not had chance to check myself yet.

  4. Ian Martin
    July 17, 2023

    I am now getting results from the command however after spot checking a couple of users the results are not correct!
    I also tried adding ‘-Domain ALL’ which increased some results and oddly decreased others!?
    I have reported this back to MS.

  5. Ian Martin
    July 17, 2023

    MS are telling me I have to raise another case over the incorrect results!

  6. Ian Martin
    August 23, 2023

    Final response from Microsoft support it will not work for intra-org emails, only external emails!
    Their response:

    If you are trying to verify the sending mail data reports for the External senders, we will get the same results in Both Outlook applications and PowerShell outputs.
    If you are trying to match the mail sending reports for Internal users will not get the same results, it’s still on the features on yet to developed from our Product team.
    Currently the feature not available for users.

    Please can you confirm with the customer if the email was sent within the organization? basically were they intra-org sent emails.
    if that is the case, then the numbers won’t add up.
    This feature still not released from Microsoft end. There is no ETA.

Leave a comment

Your email address will not be published. Required fields are marked *