Export-QuarantineMessage
This cmdlet is available only in the cloud-based service.
Use the Export-QuarantineMessage cmdlet to export quarantined messages and files from your cloud-based organization. Messages are exported to .eml message files so you can open them in Outlook.
For files that were quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the files are exported in Base64 format.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Export-QuarantineMessage
-Identities <QuarantineMessageIdentity[]>
[-Identity <QuarantineMessageIdentity>]
[-CompressOutput]
[-EntityType <Microsoft.Exchange.Management.FfoQuarantine.EntityType>]
[-ForceConversionToMime]
[-Password <SecureString>]
[-ReasonForExport <String>]
[-RecipientAddress <String>]
[<CommonParameters>] Export-QuarantineMessage
-Identity <QuarantineMessageIdentity>
[-CompressOutput]
[-EntityType <Microsoft.Exchange.Management.FfoQuarantine.EntityType>]
[-ForceConversionToMime]
[-Password <SecureString>]
[-ReasonForExport <String>]
[-RecipientAddress <String>]
[<CommonParameters>] Description
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
Example 1
$e = Export-QuarantineMessage -Identity b28e0706-e50e-4c33-17e8-08daf2898d15\e939baaf-9dac-6126-2137-b82abf373159
$txt = [System.Text.Encoding]::Ascii.GetString([System.Convert]::FromBase64String($e.eml))
[IO.File]::WriteAllText("C:\My Documents\Quarantined Message.eml", $txt)This example exports the specified message that was quarantined as spam:
- The first command exports the quarantined message to the variable
$e. The message is stored in the Eml property (the$e.emlvalue) as Base64 (based on the$e.BodyEncodingvalue). - The second command converts the Eml property from Base64 to ASCII text and stores the result in the variable
$txt. - The third command writes the quarantined message to the specified .eml file.
Note: Don't enclose the Identity value in quotation marks (you might get an error).
Example 2
$f = Export-QuarantineMessage -Identity 9c6bb3e8-db9e-4823-9759-08d594179bd3\7fec89fe-41b0-ae67-4887-5bede017d111
$bytes = [Convert]::FromBase64String($f.eml)
[IO.File]::WriteAllBytes("C:\My Documents\Quarantined Message with Attachments.eml", $bytes)This example exports the specified message with attachments that was quarantined as malware:
- The first command exports the quarantined message and attachments to the variable
$f. The message and attachments are stored in the Eml property (the$f.emlvalue) as Base64 (based on the$f.BodyEncodingvalue). - The second command converts the Eml property from Base64 to bytes and stores the result in the variable
$bytes. - The third command writes the quarantined message and attachments to the specified .eml file.
Parameters
-CompressOutput
The CompressOutput switch exports the message as a compressed .zip file. You don't need to specify a value with this switch.
For exported messages, including messages with attachments, the .zip file contains a folder that's named after the first GUID value in the Identity. The folder contains the .eml message that's named after the second GUID value in the Identity.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Security & Compliance, Exchange Online Protection |
-EntityType
The EntityType parameter filters the results by EntityType. Valid values are:
- SharePointOnline
- Teams (currently in Preview)
- DataLossPrevention
| Type: | Microsoft.Exchange.Management.FfoQuarantine.EntityType |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-ForceConversionToMime
The ForceConversionToMime switch converts exported plain text messages to MIME formatting. You don't need to specify a value with this switch.
This switch has no effect if the message is already encoded as Base64.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Identities
The Identities parameter identifies quarantined messages for bulk operations. You identify the messages by using the syntax: value1,value2...valueN. Each value is a unique quarantined message identifier in the format GUID1\GUID2 (for example c14401cf-aa9a-465b-cfd5-08d0f0ca37c5\4c2ca98e-94ea-db3a-7eb8-3b63657d4db7).
You can find the Identity value for a quarantined message by using the Get-QuarantineMessage cmdlet.
When you use this parameter, the Identity parameter is required, but the value is ignored. For example, use the value 000 for the Identity parameter.
| Type: | QuarantineMessageIdentity[] |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Identity
The Identity parameter specifies the quarantined message that you want to export. The value is a unique quarantined message identifier in the format GUID1\GUID2 (for example c14401cf-aa9a-465b-cfd5-08d0f0ca37c5\4c2ca98e-94ea-db3a-7eb8-3b63657d4db7).
You can find the Identity value for a quarantined message by using the Get-QuarantineMessage cmdlet.
| Type: | QuarantineMessageIdentity |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Password
The Password parameter specifies the password that's required to open the exported message.
You can use the following methods as a value for this parameter:
(ConvertTo-SecureString -String '<password>' -AsPlainText -Force).- Before you run this command, store the password as a variable (for example,
$password = Read-Host "Enter password" -AsSecureString), and then use the variable ($password) for the value. (Get-Credential).passwordto be prompted to enter the password securely when you run this command.
| Type: | SecureString |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-ReasonForExport
The ReasonForExport parameter specifies why the message was exported. If the value contains spaces, enclose the value in quotation marks (").
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-RecipientAddress
The RecipientAddress parameter filters the results by the recipient's email address. You can specify multiple values separated by commas.
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for