Get-QuarantineMessage
This cmdlet is available only in the cloud-based service.
Use the Get-QuarantineMessage cmdlet to view quarantined messages and files in your cloud-based organization. Files are quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.
Syntax
Get-QuarantineMessage
-Identity <QuarantineMessageIdentity>
[-EntityType <Microsoft.Exchange.Management.FfoQuarantine.EntityType>]
[-RecipientAddress <String[]>]
[-SenderAddress <String[]>]
[-TeamsConversationTypes <Microsoft.Exchange.Management.FfoQuarantine.TeamsConversationType[]>]
[<CommonParameters>]
Get-QuarantineMessage
[-Direction <Microsoft.Exchange.Management.FfoQuarantine.QuarantineMessageDirectionEnum>]
[-Domain <String[]>]
[-EndExpiresDate <System.DateTime>]
[-EndReceivedDate <System.DateTime>]
[-EntityType <Microsoft.Exchange.Management.FfoQuarantine.EntityType>]
[-IncludeMessagesFromBlockedSenderAddress]
[-MessageId <String>]
[-MyItems]
[-Page <Int32>]
[-PageSize <Int32>]
[-PolicyName <String>]
[-PolicyTypes <QuarantinePolicyTypeEnum[]>]
[-QuarantineTypes <QuarantineMessageTypeEnum[]>]
[-RecipientAddress <String[]>]
[-RecipientTag <String[]>]
[-ReleaseStatus <ReleaseStatus[]>]
[-Reported <Boolean>]
[-SenderAddress <String[]>]
[-StartExpiresDate <System.DateTime>]
[-StartReceivedDate <System.DateTime>]
[-Subject <String>]
[-TeamsConversationTypes <Microsoft.Exchange.Management.FfoQuarantine.TeamsConversationType[]>]
[-Type <Microsoft.Exchange.Management.FfoQuarantine.QuarantineMessageTypeEnum>]
[<CommonParameters>]
Description
You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.
Examples
Example 1
Get-QuarantineMessage -StartReceivedDate 06/13/2017 -EndReceivedDate 06/15/2017
This example returns a summary list of messages quarantined between June 13, 2017 and June 15, 2017.
Example 2
Get-QuarantineMessage -PageSize 50 -Page 3
This example presents 50 quarantined messages per page, and returns the third page of results.
Example 3
Get-QuarantineMessage -MessageID "<[email protected]>"
This example returns the quarantined message with the Message-ID value <[email protected]>
.
Example 4
Get-QuarantineMessage -Identity c14401cf-aa9a-465b-cfd5-08d0f0ca37c5\4c2ca98e-94ea-db3a-7eb8-3b63657d4db7 | Format-List
This example returns detailed information for the quarantined message with the specified Identity value.
Example 5
Get-QuarantineMessage -QuarantineTypes SPOMalware | Format-List
This example returns detailed information for the files protected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
Parameters
-Direction
The Direction parameter filters the results by incoming or outgoing messages. Valid values are:
- Inbound
- Outbound
You can specify multiple values separated by commas.
Type: | Microsoft.Exchange.Management.FfoQuarantine.QuarantineMessageDirectionEnum |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Domain
The Domain parameter filters the results by sender or recipient domain. You can specify multiple domain values separated by commas.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-EndExpiresDate
The EndExpiresDate parameter specifies the latest messages that will automatically be deleted from the quarantine. Use this parameter with the StartExpiresDate parameter.
Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format MM/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".
For example, if you specify the StartExpiresDate value of today's date and the EndExpiresDate value of the date three days from today, you will only see messages that will expire from the quarantine in the next three days.
Type: | System.DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-EndReceivedDate
The EndReceivedDate parameter specifies the latest messages to return in the results. Use this parameter with the StartReceivedDate parameter.
Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format MM/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".
Type: | System.DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-EntityType
The EntityType parameter filters the results by EntityType. Valid values are:
- SharePointOnline
- Teams (currently in Preview)
- DataLossPrevention
Type: | Microsoft.Exchange.Management.FfoQuarantine.EntityType |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Identity
The Identity parameter specifies the quarantined message that you want to view. The value is a unique quarantined message identifier in the format GUID1\GUID2
(for example c14401cf-aa9a-465b-cfd5-08d0f0ca37c5\4c2ca98e-94ea-db3a-7eb8-3b63657d4db7
).
When you identify the quarantine message by using this parameter, the RecipientAddress, QuarantineUser, and ReleasedUser properties are available. To see these values, you need to use a formatting cmdlet. For example, Get-QuarantineMessage -Identity <Identity> | Format-List
.
Type: | QuarantineMessageIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-IncludeMessagesFromBlockedSenderAddress
The IncludeMessagesFromBlockedSenderAddress switch specifies whether to include quarantined messages from blocked senders in the results. You don't need to specify a value with this switch.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-MessageId
The MessageId parameter filters the results by the Message-ID header field of the message. This value is also known as the Client ID. The format of the Message-ID depends on the messaging server that sent the message. The value should be unique for each message. However, not all messaging servers create values for the Message-ID in the same way. Be sure to include the full Message ID string (which may include angle brackets) and enclose the value in quotation marks (for example, "<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>"
).
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-MyItems
The MyItems switch filters the results by messages where you (the user that's running the command) are the recipient. You don't need to specify a value with this switch.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Page
The Page parameter specifies the page number of the results you want to view. Valid input for this parameter is an integer between 1 and 1000. The default value is 1.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-PageSize
The PageSize parameter specifies the maximum number of entries per page. Valid input for this parameter is an integer between 1 and 1000. The default value is 100.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-PolicyName
The PolicyName parameter filters the results by the protection policy that quarantined the message (for example, the anti-malware policy). You can use any value that uniquely identifies the policy. For example:
- Name
- Distinguished name (DN)
- GUID
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-PolicyTypes
The PolicyTypes parameter filters the results by the type of protection policy that quarantined the message. Valid values are:
- AntiMalwarePolicy
- AntiPhishPolicy
- DataLossPreventionRule
- ExchangeTransportRule (mail flow rule)
- HostedContentFilterPolicy (anti-spam policy)
- SafeAttachmentPolicy (Microsoft Defender for Office 365 only)
You can specify multiple values separated by commas.
Type: | QuarantinePolicyTypeEnum[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-QuarantineTypes
The QuarantineTypes parameter filters the results by what caused the message to be quarantined. Valid values are:
- Bulk
- DataLossPrevention
- FileTypeBlock (common attachments filter in anti-malware policies in EOP)
- HighConfPhish
- Malware (anti-malware policies in EOP or Safe Attachments policies in Defender for Office 365)
- Phish
- Spam
- SPOMalware (Microsoft Defender for Office 365 only)
- TransportRule
You can specify multiple values separated by commas.
You don't need to use this parameter with the Type parameter.
For files quarantined by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the detection information can be found in CustomData field in the output.
Type: | QuarantineMessageTypeEnum[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-RecipientAddress
The RecipientAddress parameter filters the results by the recipient's email address. You can specify multiple values separated by commas.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-RecipientTag
The RecipientTag parameter filters the results by the recipient's user tag value (for example, Priority Account
). For more information about user tags, see User tags in Defender for Office 365.
You can specify multiple values separated by commas.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-ReleaseStatus
The ReleaseStatus parameter filters the results by the release status of the message. Valid values are:
- Approved
- Denied
- Error
- NotReleased
- PreparingToRelease
- Released
- Requested
You can specify multiple values separated by commas.
Note: Messages that were quarantined and released by Microsoft due to a service issue have the SystemReleased property value TRUE. To filter the results by system released messages, run the following command: Get-QuarantineMessage | where {$_.systemreleased -like "True"}
.
Type: | ReleaseStatus[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Reported
The Reported parameter filters the results by messages that have already been reported as false positives. Valid values are:
- $true: The command only returns quarantined messages that have already been reported as false positives.
- $false: The command only returns quarantined messages that haven't been reported as false positives.
Type: | Boolean |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-SenderAddress
The SenderAddress parameter filters the results by the sender's email address. You can specify multiple values separated by commas.
Type: | String[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-StartExpiresDate
The StartExpiresDate parameter specifies the earliest messages that will automatically be deleted from the quarantine. Use this parameter with the EndExpiresDate parameter.
Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format MM/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".
For example, if you specify the StartExpiresDate value of today's date and the EndExpiresDate value of the date three days from today, you will only see messages that will expire from the quarantine in the next three days.
Type: | System.DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-StartReceivedDate
The StartReceivedDate parameter specifies the earliest messages to return in the results. Use this parameter with the EndReceivedDate parameter.
Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format MM/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".
By default, if you don't use the StartReceivedDate and EndReceivedDate parameters, the command will return data for the last 16 days. The maximum value for this parameter is 30 days. If you use a value that's older than 30 days, the value is ignored and only data for the last 30 days is returned.
Type: | System.DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-Subject
The Subject parameter filters the results by the subject field of the message. If the value contains spaces, enclose the value in quotation marks (").
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
-TeamsConversationTypes
This parameter is available only in Security & Compliance PowerShell.
The TeamsConversationTypes parameters filters the results by Microsoft Teams conversation types. Valid values are:
- Channel
- Chat
You can specify multiple values separated by commas.
Type: | Microsoft.Exchange.Management.FfoQuarantine.TeamsConversationType[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Security & Compliance |
-Type
The Type parameter filters the results by what caused the message to be quarantined. Valid values are:
- Bulk
- DataLossPrevention
- HighConfPhish
- Malware
- Phish
- Spam
- SPOMalware (Microsoft Defender for Office 365 only)
- TransportRule
You don't need to use this parameter with the QuarantineTypes parameter.
For files protected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the detection information can be found in CustomData field in the output.
Type: | Microsoft.Exchange.Management.FfoQuarantine.QuarantineMessageTypeEnum |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Applies to: | Exchange Online, Security & Compliance, Exchange Online Protection |
Inputs
Input types
To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.
Outputs
Output types
To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.