Search Mailbox in Office 365 Using PowerShell Cmdlets
Finding a specific message across thousands of emails of an entire organization is a tough task even for veteran admins. This is where learning to search mailbox in Office 365 using PowerShell becomes an invaluable skill.
With this knowledge, you can fulfil a user request, comply with new regulatory norms, or conduct a preliminary eDiscovery operation on your own. Without further ado, let’s start.
To Search Email in an O365 Mailbox Using PowerShell Connect Correctly
Before any search can be done, admins must ensure that they are in the right environment. In other words, the connection is with the correct service.
Depending on how deep or what exactly the goal of your search is, you may opt for different routes.
For Broad Tenant Wide Searches, use the Exchange Online PowerShell module. Apart from the module and basic knowledge set to use the cmdlets, the account you are using must have the eDiscovery Manager role.
Also Read: How We Made OneDrive Usage Report M365 Admin Center & PowerShell?
For targeted script-specific searches that you would want to automate later, we will use the Microsoft Graph PowerShell module. Here we would have to apply for specific API permissions (like User.Read.All), whose consent can be found on the Azure portal. Graph API is not role-dependent; any user can search for mailbox messages within their account using this method.
To set up the system, launch a new PowerShell Instance with device admin privileges.
You can also open a run module (Windows + R) and use this command:
pwsh -Command "Start-Process powershell -Verb RunAs"
For the same effect.
Once the PowerShell window is ready, type cls and press Enter. This is to clear any default messages and make a clean slate.
After that type:
Install-Module -Name ExchangeOnlineManagement
Use the -Force flag to guarantee installation.
In a few seconds, PowerShell will inform you that the installation is done. So now run
Connect-ExchangeOnline -UserPrincipalName [email protected]
Put in your credentials in the login window and validate. You are now ready to conduct organization-wide mailbox searches.
Use New-ComplianceSearch Cmdlet to Look for Emails in O365
This command is useful in scenarios where HR wants to find which new joiners have received the welcome letter, or the internal legal team wants to gather evidence for an investigation.
This modern command replaces the legacy Search-Mailbox and New-MailboxSearch cmdlets.
Plus, it is fully integrated within the new Purview portal, and so compliant with many different regulatory frameworks.
Read About: M365 Outage on June 17 2025
Administrators can use this query to quickly find messages hidden deep within employee email threads. You need not build complex multipage scripts; just a simple one-line cmdlet will do fine.
Here is the syntax:
New-ComplianceSearch -Name "NameOfTheSearch" -ExchangeLocation All -ContentMatchQuery 'Mailbox or Message you are searching for'
Here, “Name” is not the item we are searching for, but is the name of this particular search request.
“ExchangeLocation” specifies the scope or the “where to search part,” and the “ContentMatchQuery” defines “what to search for.”
In this example to search mailbox in Office 365 using PowerShell, we used the cmdlet with 3 parameters only. There are, in fact, many different parameters available to make your query more robust. You can read bout it on the official documentation page.
As we have specified earlier, New-ComplianceSearch is not to only way you search for mailboxes in the M365 environment; there is a second, which some consider an even better search command in specific scenarios. So let’s see what it is.
How to Use the Get-MgUserMessage Command to Find User Mailbox Messages?
This is a method that employs a completely different set of PowerShell commands and is available within the Microsoft Graph PowerShell SDK.
The major advantage of Get-MgUserMessage is that it limits the search scope to one user mailbox. You may think of it as a limitation, but this is perfect for automation, scripting, or when a user needs help finding a specific item.
Don’t treat it as a means to conduct eDiscovery; instead, use it when you want to look within a single, specified user’s mailbox.
In the PowerShell module (you can use the same one that you were working on earlier, but it is always better to open a new, fresh one). Type:
Connect-MgGraph -Scopes "Mail.Read"
This will immediately launch a browser window and ask you to log in. Feed in your credentials, but remember that all search options will happen in the emails that are on this particular ID.
This is true even if you put admin credentials. This syntax to search mailbox in Office 365 using PowerShell is simpler when we compare it to the previous cmdlet:
Get-MgUserMessage -UserId "[email protected]" -Search "invoice"
Here, we have the main cmdlet followed by the user ID and the search term. Plus, you also have other parameters that all tweak the results you get from the query.
You can also make a custom Azure cloud app, add organization-wide message scope to it, and then use this same cmdlet with a full tenant scope.
Now that we know about all the options that are available to us, let us see the use cases.
Which PowerShell Command to Use for Searching Within M365 Mailboxes and When?
Use a compliance search when you have to search across multiple mailboxes or the entire organization.
You have to export a copy of the messages post-search. The compliance command gives you the option to download the data in PST format.
Also See: How to Migrate iRedMail to Office 365 Easily?
Get-MgUserMessage is useful if you are a developer designing an app/utility that uses mailbox search in some capacity.
Use automation to re-distribute messages in different folders of your M365 account
In short, the New-ComplianceSearch is an admin’s go-to to whereas Get-MgUserMessages is better in specific development/support scenarios.
PowerShell Command to Search and Delete Email from Mailbox
If your organization were subject to a phishing attack or some other cyber calamity, then admins must search and delete said emails from every Office 365 mailbox to prevent further damage.
You must make a new search to find the faulty emails. Here, the tenant’s wide scope of New-ComplianceSearch comes into play. As every message has a similar structure admin can make a search query like:
New-ComplianceSearch -Name "PhishingEmailRemoval" -ExchangeLocation All -ContentMatchQuery 'subject: "URGENT: Verify Your Account Now"'
Once the search parameters are set, start and verify the search:
Start-ComplianceSearch -Identity "PhishingEmailRemoval"
(Wait for it to complete and check the results)
Finally, purge the emails from affected accounts:
New-ComplianceSearchAction -SearchName "PhishingEmailRemoval" -Purge -PurgeType SoftDelete
Whenever you perform a permanent action like mail purge, extra caution is necessary. You should start with a SoftDelete as it gives an option to correct mistakes. Only after a second set of eyes confirms that the emails found from the search are correct that should you make the deletion permanent with HardDelete
Conclusion
Now, there shouldn’t be any problems when you try to search mailbox in Office 365 using PowerShell, whether you are an admin or regular user. In this blog, we gave you instructions on how to use the New-ComplianceSearch as well as the Get-MgUserMessage to cover all possible scenarios.
Use whichever command you think applies to your situation. Moreover, admins in an M365 environment know how important role backups if by mistake a wrong item is purged during a search. So, before you start your search, use the SysTools Office 365 Backup tool to build a safe copy of user email, contacts, and calendar data.