EXO : Exporting Messages from Quarantine

If you need a copy of messages held in Quarantine, you need to use PowerShell to download them. First connect to Exchange Online in PowerShell with this command:


Once connected, you need the Export-QuarantineMessage command to export the messages. The command has weird syntax; according to the Microsoft website, this is the syntax to get one message:

$e = Export-QuarantineMessage -Identity <message ID>
$txt = [System.Text.Encoding]::Ascii.GetString([System.Convert]::FromBase64String($e.eml))
[IO.File]::WriteAllText("C:\My Documents\Quarantined Message.eml", $txt)

First we need to find the messages to get the message ID, so let's look at the messages, which can be done with this command for the first 5 messages:

Get-QuarantineMessage -RecipientAddress crazy.spammer@pokebearswithsticks.com -PageSize 5 | fl

We only want messages that were intercepted by a transport rule, so we can add this on to the syntax:

Get-QuarantineMessage -RecipientAddress crazy.spammer@pokebearswithsticks.com -PolicyTypes ExchangeTransportRule -PageSize 5 | fl

This will return all the details of the messages, or of the five we have asked for. We are looking for the "Identity" field, as below in green:

Now that we have this, we need the IDs of all the quarantined messages, which we get with this command:

Get-QuarantineMessage -RecipientAddress crazy.spammer@pokebearswithsticks.com -PolicyTypes ExchangeTransportRule -PageSize 5 | Select Identity

That will return a list of Identity IDs, which are required for the next section of this guide, as below:

If you want all the results, you can use this command with a page size of up to 1,000, which is the maximum number. If you have more than this, you can add -Page x to the end of the command, where x is the page number. So if you have 2000 messages, you will have 2 pages of 1000 per page:

Get-QuarantineMessage -RecipientAddress crazy.spammer@pokebearswithsticks.com -PolicyTypes ExchangeTransportRule -PageSize 1000 -Page x | Select Identity

We now need to modify the "single" message script from earlier to this. Note the "id.txt" file; more on that later:

# Read the list of identities from the text file
$identities = Get-Content -Path "C:\temp\id.txt"

# Loop through each identity
foreach ($identity in $identities) {
    # Retrieve the QuarantineMessage for each identity
    $e = Export-QuarantineMessage -Identity $identity

    # Convert the base64 encoded eml content to a string
    $emlContent = [System.Text.Encoding]::Ascii.GetString([System.Convert]::FromBase64String($e.eml))

    # Create the filename for the eml file based on the identity
    # (the C:\Quarantine folder must already exist)
    $fileName = "C:\Quarantine\$($e.Identity.Replace('\', '-')).eml"

    # Write the eml content to a file in the Quarantine folder
    [IO.File]::WriteAllText($fileName, $emlContent)
}

The "id.txt" file contains a list of all your Identity strings, as returned by the PowerShell earlier, like this:

Then, when you run the script, you will get all your e-mails exported in EML format in the folder you specify. The emails can then be opened in Outlook or my favourite, Notepad and Notepad++. Below is what the folder should look like:

This saves you lots of time compared with exporting each message one by one, which is boring and administratively pointless.
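
A variant of the bulk export above, as an added example that is not part of the original post: it pages through the results itself instead of reading "id.txt", writes the decoded bytes directly so nothing is lost in an ASCII conversion, and goes slightly beyond the post by recording a SHA-256 hash per file. The output folder, the manifest.csv name and the variable names are assumptions, and an existing Exchange Online session is assumed.

```powershell
# Added example. Assumes you are already connected to Exchange Online.
# $outDir, manifest.csv and the variable names are assumptions; the
# recipient address and policy type are the ones used in this post.
$recipient = 'crazy.spammer@pokebearswithsticks.com'
$outDir    = 'C:\Quarantine'
$pageSize  = 1000
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$manifest = @()
$page = 1
do {
    # Fetch one page of quarantined messages caught by a transport rule
    $batch = @(Get-QuarantineMessage -RecipientAddress $recipient `
        -PolicyTypes ExchangeTransportRule -PageSize $pageSize -Page $page)

    foreach ($msg in $batch) {
        $e = Export-QuarantineMessage -Identity $msg.Identity
        if (-not $e.Eml) {
            Write-Warning "No EML content returned for $($msg.Identity)"
            continue
        }
        # Decode base64 to raw bytes; no text re-encoding, so 8-bit content survives
        $bytes = [System.Convert]::FromBase64String($e.Eml)

        # Replace every character that is invalid in a Windows file name
        $safe = $msg.Identity -replace '[\\/:*?"<>|]', '-'
        $file = Join-Path $outDir "$safe.eml"
        [IO.File]::WriteAllBytes($file, $bytes)

        # Record a hash so the exported copy can be verified later
        $manifest += [pscustomobject]@{
            Identity = $msg.Identity
            File     = $file
            SHA256   = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        }
    }
    $page++
} while ($batch.Count -eq $pageSize)   # a short page means it was the last one

$manifest | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
```

The exported files are the original quarantined mail, so open them in a text editor or an isolated machine rather than a mail client that renders content or launches attachments.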
