EWS Extension Online Powershell v3

This Integration is part of the Microsoft Exchange Online Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the EWS Extension Online Powershell v3 integration to get information about mailboxes and users in your organization. This integration was integrated and tested with version v3 of EWS Extension Online Powershell v3.

Note: This integration does not replace the O365 - EWS - Extension integration; it is an additional EWS extension integration that uses the EXO v3 module.

Configure EWS Extension Online Powershell v3 in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| Name | The name of the integration | True |
| Exchange Online URL | https://outlook.office365.com | True |
| Certificate | A txt certificate encoded in Base64. | True |
| The organization used in app-only authentication. | | True |
| The application ID from the Azure portal | | True |

Important Notes#


  • It is strongly recommended to follow the Docker Hardening Guide to prevent the docker container from utilizing excessive memory. Details about the known memory leak can be found here.
  • If your instance does experience memory management issues, please configure your playbooks to use Retry on error.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ews-mailbox-list#


Displays mailbox objects and attributes, populates property pages, or supplies mailbox information to other tasks.

Base Command#

ews-mailbox-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| organizational_unit | The object's location in Active Directory by which to filter the results. | Optional |
| primary_smtp_address | The primary SMTP email address of the mailbox you want to view. Cannot be used with the user_principal_name argument. Can be retrieved using the ews-user-list command. | Optional |
| user_principal_name | The UPN of the mailbox you want to view. Cannot be used with the primary_smtp_address argument. Can be retrieved using the ews-user-list command. | Optional |
| property_sets | A comma-separated list of property sets to fetch. These property sets will supplement the outputs of this integration. Default is "Minimum". Available properties are: "All", "Minimum", "AddressList", "Archive", "Audit", "Delivery", "Hold", "Moderation", "Move", "Policy", "PublicFolder", "Quota", "Resource", "Retention", "SCL", "SoftDelete", "StatisticsSeed". | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.Mailbox.EmailAddresses | String | Email addresses of the mailbox. |
| EWS.Mailbox.AuditBypassEnabled | Boolean | Whether audit bypass is enabled. |
| EWS.Mailbox.DistinguishedName | String | Distinguished name of the mailbox. |
| EWS.Mailbox.ExchangeObjectId | String | Exchange object ID of the mailbox. |
| EWS.Mailbox.ExchangeVersion | String | Exchange version of the mailbox. |
| EWS.Mailbox.Guid | String | GUID of the mailbox. |
| EWS.Mailbox.Id | String | ID of the mailbox. |
| EWS.Mailbox.Identity | String | Identity of the mailbox. |
| EWS.Mailbox.IsValid | Boolean | Whether the mailbox is valid. |
| EWS.Mailbox.Name | String | Name of the mailbox. |
| EWS.Mailbox.ObjectCategory | String | Object category of the mailbox. |
| EWS.Mailbox.ObjectClass | String | Object class of the mailbox. |
| EWS.Mailbox.ObjectId | String | Object ID of the mailbox. |
| EWS.Mailbox.ObjectState | String | Object state of the mailbox. |
| EWS.Mailbox.OrganizationId | String | Organization ID of the mailbox. |
| EWS.Mailbox.OriginatingServer | String | Originating server of the mailbox. |
| EWS.Mailbox.PSComputerName | String | PowerShell computer name of the mailbox. |
| EWS.Mailbox.PSShowComputerName | Boolean | PowerShell show computer name of the mailbox. |
| EWS.Mailbox.RunspaceId | String | Run space ID of the mailbox. |
| EWS.Mailbox.WhenChanged | Date | Local time of when the mailbox was last changed. |
| EWS.Mailbox.WhenChangedUTC | Date | UTC time of when the mailbox was last changed. |
| EWS.Mailbox.WhenCreated | Date | Local time of when the mailbox was created. |
| EWS.Mailbox.WhenCreatedUTC | Date | UTC time of when the mailbox was created. |

Command Example#

!ews-mailbox-list limit=1

Context Example#

{
"EWS": {
"Mailbox": {
"Alias": "user",
"DisplayName": "User User",
"DistinguishedName": "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM",
"EmailAddresses": [
"SPO:SPO_SPO0@SPO_SPO1",
"SIP:user@example.com",
"SMTP:user@example.com"
],
"ExchangeVersion": "0.20 (15.0.0)",
"ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
"Guid": "<Guid>",
"Id": "user",
"Identity": "user",
"Name": "user",
"OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
"PrimarySmtpAddress": "user@example.com",
"RecipientType": "UserMailbox",
"RecipientTypeDetails": "UserMailbox",
"UserPrincipalName": "user@example.com"
}
}
}

Human Readable Output#

Results of ews-mailbox-list#

| Alias | DisplayName | DistinguishedName | EmailAddresses | ExchangeVersion | ExternalDirectoryObjectId | Guid | Id | Identity | Name | OrganizationId | PrimarySmtpAddress | RecipientType | RecipientTypeDetails | UserPrincipalName |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| "user" | "User User" | "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM" | ["SPO:SPO_cac4b654-5fcf-44f0-818e-479cf8ae42ac@SPO_SP01","SIP:user@example.com","SMTP:user@example.com"] | "0.20 (15.0.0)" | "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2" | {"value":"042e60ea-0683-41a2-a149-ca4b682dcdda","Guid":"042e60ea-0683-41a2-a149-ca4b682dcdda"} | "user" | "user" | "user" | "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration" | "user@example.com" | "UserMailbox" | "UserMailbox" | "user@example.com" |

ews-cas-mailbox-list#


Displays Client Access settings that are configured on mailboxes.

Base Command#

ews-cas-mailbox-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| organizational_unit | The object's location in Active Directory by which to filter the results. | Optional |
| primary_smtp_address | The primary SMTP email address of the mailbox you want to view. Cannot be used with the user_principal_name argument. Can be retrieved using the ews-user-list command. | Optional |
| user_principal_name | The UPN of the mailbox you want to view. Cannot be used with the primary_smtp_address argument. Can be retrieved using the ews-user-list command. | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.CASMailbox.ActiveSyncEnabled | Boolean | Whether active sync is enabled. |
| EWS.CASMailbox.DisplayName | String | The display name of the mailbox. |
| EWS.CASMailbox.ECPEnabled | Boolean | Whether the Exchange Control Panel (ECP) is enabled. |
| EWS.CASMailbox.EmailAddresses | String | The email addresses retrieved. |
| EWS.CASMailbox.EwsEnabled | Boolean | Whether the Exchange Web Services (EWS) is enabled. |
| EWS.CASMailbox.ExchangeVersion | String | Exchange version of the client access server mailbox. |
| EWS.CASMailbox.ExternalDirectoryObjectId | String | External directory object ID of the client access server mailbox. |
| EWS.CASMailbox.Guid | String | The GUID of the client access server mailbox. |
| EWS.CASMailbox.Identity | String | Identity of the client access server mailbox. |
| EWS.CASMailbox.ImapEnabled | Boolean | Whether the Internet Message Access Protocol (IMAP) is enabled. |
| EWS.CASMailbox.MAPIEnabled | Boolean | Whether the Messaging Application Programming Interface is enabled. |
| EWS.CASMailbox.Name | String | Name of the client access server mailbox. |
| EWS.CASMailbox.OWAEnabled | Boolean | Whether Outlook on the web (OWA) is enabled. |
| EWS.CASMailbox.OrganizationId | String | Organization ID |
| EWS.CASMailbox.PopEnabled | Boolean | Whether Post Office Protocol (POP) is enabled. |
| EWS.CASMailbox.PrimarySmtpAddress | String | Primary SMTP address. |
| EWS.CASMailbox.ServerLegacyDN | String | Server legacy distinguished name (DN). |

Command Example#

!ews-cas-mailbox-list limit=1

Context Example#

{
"EWS": {
"CASMailbox": {
"ActiveSyncEnabled": true,
"DisplayName": "User User",
"ECPEnabled": true,
"EmailAddresses": [
"SPO:SPO_SPO0@SPO_SPO1",
"SIP:user@example.com",
"SMTP:user@example.com"
],
"EwsEnabled": true,
"ExchangeVersion": "0.20 (15.0.0)",
"ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
"Guid": "<Guid>",
"Identity": "user",
"ImapEnabled": true,
"MAPIEnabled": true,
"Name": "user",
"OWAEnabled": true,
"OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
"PopEnabled": true,
"PrimarySmtpAddress": "user@example.com",
"ServerLegacyDN": "/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=DBXPR07MB383"
}
}
}

Human Readable Output#

Results of ews-cas-mailbox-list#

| ActiveSyncEnabled | DisplayName | ECPEnabled | EmailAddresses | EwsEnabled | ExchangeVersion | ExternalDirectoryObjectId | Guid | Identity | ImapEnabled | MAPIEnabled | Name | OrganizationId | OWAEnabled | PopEnabled | PrimarySmtpAddress | ServerLegacyDN |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| true | "User User" | true | ["SPO:SPO_cac4b654-5fcf-44f0-818e-479cf8ae42ac@SPO_SP01","SIP:user@example.com","SMTP:user@example.com"] | true | "0.20 (15.0.0)" | "3fa9f28b-eb0e-463a-ba7b-8089fe9991e2" | {"value":"042e60ea-0683-41a2-a149-ca4b682dcdda","Guid":"042e60ea-0683-41a2-a149-ca4b682dcdda"} | "user" | true | true | "user" | "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration" | true | true | "user@example.com" | "/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=DBXPR07MB383" |

ews-mailbox-permission-list#


Retrieves permissions on a mailbox.

Base Command#

ews-mailbox-permission-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.MailboxPermission.Identity | String | The specified identity of the mailbox. |
| EWS.MailboxPermission.Permission.AccessRights | String | Access rights of the mailbox. |
| EWS.MailboxPermission.Permission.Deny.IsPresent | Boolean | Whether permission is denied. |
| EWS.MailboxPermission.Permission.Identity | String | The permission identity. |
| EWS.MailboxPermission.Permission.InheritanceType | String | Permission inheritance type. |
| EWS.MailboxPermission.Permission.IsInherited | Boolean | Whether permission is inherited. |
| EWS.MailboxPermission.Permission.User | String | The permission of the user. |

Command Example#

!ews-mailbox-permission-list identity=user

Context Example#

{
"EWS": {
"MailboxPermission": {
"Identity": "user",
"Permission": {
"AccessRights": [
"FullAccess",
"ReadPermission"
],
"Deny": {
"IsPresent": false
},
"Identity": "user",
"InheritanceType": "All",
"IsInherited": false,
"User": "NT AUTHORITY\\SELF"
}
}
}
}

Human Readable Output#

Results of ews-mailbox-permission-list#

| AccessRights | Deny | Identity | InheritanceType | IsInherited | User |
| --- | --- | --- | --- | --- | --- |
| ["FullAccess","ReadPermission"] | {"IsPresent":false} | "user" | "All" | false | "NT AUTHORITY\SELF" |
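
The Permission fields returned by ews-mailbox-permission-list can be reviewed for FullAccess grants held by anyone other than the mailbox owner. The Python below is an added example, not code from the integration or the original page; the helper names and the sample context are constructed, and it assumes MailboxPermission and Permission may each arrive as a single object or as a list.

```python
# Added example: review EWS.MailboxPermission context for delegated FullAccess.
# All names below are hypothetical helpers, not part of the integration.

SELF_TRUSTEE = "NT AUTHORITY\\SELF"  # owner's own entry, as shown in the page's example


def as_list(value):
    """XSOAR context holds one result as an object and several as a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def access_rights(permission):
    """Return AccessRights as a set, accepting a list or a comma-separated string."""
    rights = set()
    for item in as_list(permission.get("AccessRights")):
        rights.update(part.strip() for part in str(item).split(",") if part.strip())
    return rights


def find_delegated_full_access(context):
    """List FullAccess grants whose trustee is not the mailbox owner."""
    findings = []
    for mailbox in as_list(context.get("EWS", {}).get("MailboxPermission")):
        for permission in as_list(mailbox.get("Permission")):
            if "FullAccess" not in access_rights(permission):
                continue
            if (permission.get("Deny") or {}).get("IsPresent"):
                continue  # a deny entry blocks access rather than granting it
            trustee = str(permission.get("User", ""))
            if trustee.upper() == SELF_TRUSTEE:
                continue  # the owner's own access is expected
            findings.append({
                "mailbox": mailbox.get("Identity"),
                "trustee": trustee,
                "inherited": bool(permission.get("IsInherited")),
            })
    return findings


# Constructed sample: the first entry mirrors the page's example, the rest are made up.
SAMPLE_CONTEXT = {
    "EWS": {
        "MailboxPermission": {
            "Identity": "user",
            "Permission": [
                {"AccessRights": ["FullAccess", "ReadPermission"],
                 "Deny": {"IsPresent": False}, "Identity": "user",
                 "InheritanceType": "All", "IsInherited": False,
                 "User": "NT AUTHORITY\\SELF"},
                {"AccessRights": ["FullAccess"],
                 "Deny": {"IsPresent": False}, "Identity": "user",
                 "InheritanceType": "All", "IsInherited": False,
                 "User": "helpdesk@example.com"},
                {"AccessRights": ["FullAccess"],
                 "Deny": {"IsPresent": True}, "Identity": "user",
                 "InheritanceType": "All", "IsInherited": False,
                 "User": "auditor@example.com"},
                {"AccessRights": ["ReadPermission"],
                 "Deny": {"IsPresent": False}, "Identity": "user",
                 "InheritanceType": "All", "IsInherited": False,
                 "User": "svc@example.com"},
            ],
        }
    }
}

if __name__ == "__main__":
    for finding in find_delegated_full_access(SAMPLE_CONTEXT):
        print(finding)
```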

ews-recipient-permission-list#


Displays information about SendAs permissions that are configured for users.

Base Command#

ews-recipient-permission-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.RecipientPermission.AccessControlType | String | Access control type of the recipient permission. |
| EWS.RecipientPermission.AccessRights | Number | Access rights of the recipient permission. |
| EWS.RecipientPermission.Identity | String | Identity of the recipient permission. |
| EWS.RecipientPermission.InheritanceType | String | Inheritance type of the recipient permission. |
| EWS.RecipientPermission.IsInherited | Boolean | Whether the recipient permission is inherited. |
| EWS.RecipientPermission.Trustee | String | Trustee of the recipient permission. |

Command Example#

!ews-recipient-permission-list identity=<Guid>

Context Example#

{
"EWS": {
"RecipientPermission": {
"AccessControlType": "Allow",
"AccessRights": [
1
],
"Identity": "user",
"InheritanceType": "None",
"IsInherited": false,
"Trustee": "NT AUTHORITY\\SELF"
}
}
}

Human Readable Output#

Results of ews-mailbox-permission-list#

| AccessRights | Deny | Identity | InheritanceType | IsInherited | User |
| --- | --- | --- | --- | --- | --- |
| ["FullAccess","ReadPermission"] | {"IsPresent":false} | "user" | "All" | false | "NT AUTHORITY\SELF" |

ews-recipient-list#


Displays existing recipient objects in your organization. This command returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).

Base Command#

ews-recipient-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of the mailbox you want to view. | Optional |
| limit | The maximum number of results to retrieve. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.Recipient.Alias | String | Recipient alias. |
| EWS.Recipient.DisplayName | String | Recipient display name. |
| EWS.Recipient.DistinguishedName | String | Recipient distinguished name. |
| EWS.Recipient.EmailAddresses | String | Recipient email addresses. |
| EWS.Recipient.ExchangeVersion | String | Recipient exchange version. |
| EWS.Recipient.ExternalDirectoryObjectId | String | Recipient external directory object ID. |
| EWS.Recipient.Identity | String | Recipient identity. |
| EWS.Recipient.Name | String | Recipient name. |
| EWS.Recipient.OrganizationId | String | Recipient organization ID. |
| EWS.Recipient.PrimarySmtpAddress | String | Recipient primary SMTP address. |
| EWS.Recipient.RecipientType | String | Recipient type. |
| EWS.Recipient.RecipientTypeDetails | String | Recipient type details. |

Command Example#

!ews-recipient-list identity=<ExternalDirectoryObjectId>

Context Example#

{
"EWS": {
"Recipient": {
"Alias": "user",
"DisplayName": "User User",
"DistinguishedName": "CN=user,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM",
"EmailAddresses": [
"SPO:SPO_SPO0@SPO_SPO1",
"SIP:user@example.com",
"SMTP:user@example.com"
],
"ExchangeVersion": "0.20 (15.0.0)",
"ExternalDirectoryObjectId": "<ExternalDirectoryObjectId>",
"Identity": "user",
"Name": "user",
"OrganizationId": "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration",
"PrimarySmtpAddress": "user@example.com",
"RecipientType": "UserMailbox",
"RecipientTypeDetails": "UserMailbox"
}
}
}

Human Readable Output#

Results of ews-recipient-list#

| Alias | DisplayName | DistinguishedName | EmailAddresses | ExchangeVersion | ExternalDirectoryObjectId | Identity | Name | OrganizationId | PrimarySmtpAddress | RecipientType | RecipientTypeDetails |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| "user" | "user" | "CN=user_Identity,OU=example.com,OU=Microsoft Exchange Hosted Organizations,DC=EURPR07A005,DC=PROD,DC=OUTLOOK,DC=COM" | ["SPO:SPO_SP00@SPO_SP01","SMTP:user@example.com"] | "0.10 (14.0.100)" | "Identity" | "user_Identity" | "user_Identity" | "EURPR07A005.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.com - EURPR07A005.PROD.OUTLOOK.COM/ConfigurationUnits/example.com/Configuration" | "user@example.com" | "MailUniversalDistributionGroup" | "GroupMailbox" |

ews-new-tenant-allow-block-list-items#


Add new items to the Tenant Allow/Block Lists. Uses PowerShell New-TenantAllowBlockListItems cmdlet.

Official PowerShell cmdlet documentation here

Base Command#

ews-new-tenant-allow-block-list-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entries | Entries to add to the list. Separate multiple entries with a comma (e.g. "Item1,Item2"). | Required |
| list_type | List type to add items to. | Required |
| list_subtype | List subtype to add items to. | Optional |
| action | Action to set for new entries. | Required |
| notes | Notes to include on new list entries. | Optional |
| expiration_date | Enter a specific date and time for the new entries to expire using format "YYYY-MM-DD HH:MM:SSz" for UTC time. Alternately, a PowerShell Get-Date statement can be used. | Optional |
| no_expiration | Specify whether to create list entries with no expiration date. Cannot be used with "expiration_date". If left false and no expiration date is set, default of 30 days will be used. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.NewTenantBlocks.Action | String | List type ('Block' or 'Allow') |
| EWS.NewTenantBlocks.EntryValueHash | String | Entry Value Hash |
| EWS.NewTenantBlocks.Error | String | Error (if any) returned by remote command |
| EWS.NewTenantBlocks.ExpirationDate | String | DateTime the entry will expire and be removed |
| EWS.NewTenantBlocks.Identity | String | Unique identifier for the entry |
| EWS.NewTenantBlocks.LastModifiedDateTime | String | DateTime of last modification |
| EWS.NewTenantBlocks.ListSubType | String | List sub type (Tenant or AdvancedDelivery) |
| EWS.NewTenantBlocks.ModifiedBy | String | User / App Registration which last modified this entry |
| EWS.NewTenantBlocks.Notes | String | Custom notes added to the entry. |
| EWS.NewTenantBlocks.ObjectState | String | State of the object (e.g. New/Modified/Deleted) |
| EWS.NewTenantBlocks.PSComputerName | String | Name of Remote Powershell endpoint |
| EWS.NewTenantBlocks.PSShowComputerName | Bool | Flag whether or not remote computer name is shown in PS prompt |
| EWS.NewTenantBlocks.RunspaceId | String | RunspaceID of the entry |
| EWS.NewTenantBlocks.SubmissionID | String | SubmissionID of the entry |
| EWS.NewTenantBlocks.SysManaged | Bool | SysManaged property of the entry |
| EWS.NewTenantBlocks.Value | String | The value of the new entry created |

Command Example#

!ews-new-tenant-allow-block-list-items action=Block list_type=sender entries="attacker@phishingsite.com" notes="Email observed in a phishing campaign."

Context Example#

{
"Action": "Block",
"EntryValueHash": "d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo=",
"Error": null,
"ExpirationDate": "2022-06-15T19:30:52.6071551Z",
"Identity": "RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPhAAAA0",
"LastModifiedDateTime": "2022-05-16T19:30:52.7320883Z",
"ListSubType": "Tenant",
"ModifiedBy": "",
"Notes": "Email observed in a phishing campaign.",
"ObjectState": "New",
"PSComputerName": "outlook.office365.com",
"PSShowComputerName": false,
"RunspaceId": "fe0186a8-6ce6-487d-bd65-a9869f60ffcd",
"SubmissionID": "",
"SysManaged": false,
"Value": "attacker@phishingsite.com"
}

Human Readable Output#

Results of ews-new-tenant-allow-block-list-items#

| Action | EntryValueHash | Error | ExpirationDate | Identity | LastModifiedDateTime | ListSubType | ModifiedBy | Notes | ObjectState | PSComputerName | PSShowComputerName | RunspaceId | SubmissionID | SysManaged | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Block | d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo= | | {"value":"2022-06-15T19:34:01.2028448Z","DateTime":"Wednesday, June 15, 2022 7:34:01 PM"} | RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPiAAAA0 | {"value":"2022-05-16T19:34:01.2652934Z","DateTime":"Monday, May 16, 2022 7:34:01 PM"} | Tenant | | Email observed in a phishing campaign. | New | outlook.office365.com | false | {"value":"8f736b87-f951-4b6b-aa21-e358720c44e3","Guid":"8f736b87-f951-4b6b-aa21-e358720c44e3"} | | false | attacker@phishingsite.com |

ews-get-tenant-allow-block-list-items#


Retrieve current Tenant Allow/Block List items. Uses Get-TenantAllowBlockListItems cmdlet.

Official PowerShell cmdlet documentation here

Base Command#

ews-get-tenant-allow-block-list-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| list_type | List type to retrieve items from. | Required |
| list_subtype | List subtype to retrieve items from. | Optional |
| action | Action to filter entries by. | Required |
| expiration_date | Enter a specific date and time to filter entries by using format "YYYY-MM-DD HH:MM:SSz" for UTC time. Alternately, a PowerShell Get-Date statement can be used. | Optional |
| no_expiration | Filter list items that are set to never expire. | Optional |
| entry | Specific entry value to retrieve. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.CurrentTenantBlocks.Action | String | List type ('Block' or 'Allow') |
| EWS.CurrentTenantBlocks.EntryValueHash | String | Entry Value Hash |
| EWS.CurrentTenantBlocks.Error | Bool | Error (if any) returned by remote command |
| EWS.CurrentTenantBlocks.ExpirationDate | String | DateTime the entry will expire and be removed |
| EWS.CurrentTenantBlocks.Identity | String | Unique identifier for the entry |
| EWS.CurrentTenantBlocks.LastModifiedDateTime | String | DateTime of last modification |
| EWS.CurrentTenantBlocks.ListSubType | String | List sub type (Tenant or AdvancedDelivery) |
| EWS.CurrentTenantBlocks.ModifiedBy | String | User / App Registration which last modified this entry |
| EWS.CurrentTenantBlocks.Notes | String | Custom notes added to the entry. |
| EWS.CurrentTenantBlocks.ObjectState | String | State of the object (e.g. New/Modified/Deleted) |
| EWS.CurrentTenantBlocks.PSComputerName | String | Name of Remote Powershell endpoint |
| EWS.CurrentTenantBlocks.PSShowComputerName | Bool | Flag whether or not remote computer name is shown in PS prompt |
| EWS.CurrentTenantBlocks.RunspaceId | String | RunspaceID of the entry |
| EWS.CurrentTenantBlocks.SubmissionID | String | SubmissionID of the entry |
| EWS.CurrentTenantBlocks.SysManaged | Bool | SysManaged property of the entry |
| EWS.CurrentTenantBlocks.Value | String | The value of the new entry created |

Command Example#

!ews-get-tenant-allow-block-list-items action=Block list_type=sender

Context Example#

[
{
"Action": "Block",
"EntryValueHash": "d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo=",
"Error": null,
"ExpirationDate": "2022-06-15T19:34:01.2028448Z",
"Identity": "RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPiAAAA0",
"LastModifiedDateTime": "2022-05-16T19:34:01.2652934Z",
"ListSubType": "Tenant",
"ModifiedBy": "",
"Notes": "Email observed in a phishing campaign.",
"ObjectState": "Unchanged",
"PSComputerName": "outlook.office365.com",
"PSShowComputerName": false,
"RunspaceId": "010da4cf-2d47-4b8a-a882-4bd6885faff1",
"SubmissionID": "",
"SysManaged": false,
"Value": "attacker@phishingsite.com"
}
]

Human Readable Output#

Results of ews-get-tenant-allow-block-list-items#

| Action | EntryValueHash | Error | ExpirationDate | Identity | LastModifiedDateTime | ListSubType | ModifiedBy | Notes | ObjectState | PSComputerName | PSShowComputerName | RunspaceId | SubmissionID | SysManaged | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Block | d568L6iokOxrYqB2L1CxcKy6S6A/tCDoQQJal33AFWo= | | {"value":"2022-06-15T19:34:01.2028448Z","DateTime":"Wednesday, June 15, 2022 7:34:01 PM"} | RgAAAAAuoyIuRcZsTKgZbIQyJWZUBwA02rlnO0nOR5RO-QI-xRP9AAAAAAEVAAA02rlnO0nOR5RO-QI-xRP9AAADfzPiAAAA0 | {"value":"2022-05-16T19:34:01.2652934Z","DateTime":"Monday, May 16, 2022 7:34:01 PM"} | Tenant | | Email observed in a phishing campaign. | Unchanged | outlook.office365.com | false | {"value":"feada07c-99b7-48e9-a562-a755073522ff","Guid":"feada07c-99b7-48e9-a562-a755073522ff"} | | false | attacker@phishingsite.com |

ews-get-tenant-allow-block-list-count#


Retrieve current count of defined Tenant Allow/Block List items. Uses Get-TenantAllowBlockListItems cmdlet.

Official PowerShell cmdlet documentation here

Base Command#

ews-get-tenant-allow-block-list-count

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| list_type | List type to retrieve items from. | Optional |
| list_subtype | List subtype to retrieve items from. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.CurrentListCount.Count | Number | Number of entries presently in the specified list |
| EWS.CurrentListCount.ListSubType | String | List sub type (Tenant or AdvancedDelivery) |
| EWS.CurrentListCount.ListType | String | List type |

Command Example#

!ews-get-tenant-allow-block-list-count list_type=sender

Context Example#

{
"Count": 2,
"ListSubType": "Tenant",
"ListType": "sender"
}

Human Readable Output#

Results of ews-get-tenant-allow-block-list-count#

| Count | ListSubType | ListType |
| --- | --- | --- |
| 2 | Tenant | sender |

ews-remove-tenant-allow-block-list-items#


Remove items from the Tenant Allow/Block Lists. You can delete items by their value or by unique ID. Uses PowerShell Remove-TenantAllowBlockListItems cmdlet.

Official PowerShell cmdlet documentation here

Base Command#

ews-remove-tenant-allow-block-list-items

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| entries | Entries to remove from the list. Either use this OR 'ids' to specify items to remove. Separate multiple entries with a comma (e.g. "Item1,Item2"). | Optional |
| ids | Entry IDs to remove from the list. Either use this OR 'entries' to specify items to remove. Separate multiple entries with a comma (e.g. "Item1,Item2"). | Optional |
| list_type | List type to remove items from. | Required |
| list_subtype | List subtype to remove items from. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.RemovedTenantBlocks.Action | String | Action |
| EWS.RemovedTenantBlocks.EntryValueHash | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.Error | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ExpirationDate | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.Identity | String | Blank for deleted items. |
| EWS.RemovedTenantBlocks.LastModifiedDateTime | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ListSubType | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ModifiedBy | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.Notes | String | Null for deleted items. |
| EWS.RemovedTenantBlocks.ObjectState | String | State of the object (Deleted) |
| EWS.RemovedTenantBlocks.PSComputerName | String | Name of Remote Powershell endpoint |
| EWS.RemovedTenantBlocks.PSShowComputerName | Bool | Flag whether or not remote computer name is shown in PS prompt |
| EWS.RemovedTenantBlocks.RunspaceId | String | RunspaceID of the entry |
| EWS.RemovedTenantBlocks.SubmissionID | String | SubmissionID of the entry |
| EWS.RemovedTenantBlocks.SysManaged | Bool | SysManaged property of the entry |
| EWS.RemovedTenantBlocks.Value | String | The value of the entry that was removed |

Command Example#

!ews-remove-tenant-allow-block-list-items list_type=sender entries="attacker2@phishingsite.com"

Context Example#

{
"Action": "0",
"EntryValueHash": null,
"Error": null,
"ExpirationDate": null,
"Identity": "",
"LastModifiedDateTime": null,
"ListSubType": null,
"ModifiedBy": null,
"Notes": null,
"ObjectState": "Deleted",
"PSComputerName": "outlook.office365.com",
"PSShowComputerName": false,
"RunspaceId": "efa88be5-7342-4b77-af2f-99dd2d914300",
"SubmissionID": null,
"SysManaged": null,
"Value": "attacker2@phishingsite.com"
}

Human Readable Output#

Results of ews-remove-tenant-allow-block-list-items#

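| Action | EntryValueHash | Error | ExpirationDate | Identity | LastModifiedDateTime | ListSubType | ModifiedBy | Notes | ObjectState | PSComputerName | PSShowComputerName | RunspaceId | SubmissionID | SysManaged | Value |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | | | | | | | | | Deleted | outlook.office365.com | false | {"value":"cd58060e-d033-4cdb-814e-9f9748fdf78c","Guid":"cd58060e-d033-4cdb-814e-9f9748fdf78c"} | | | attacker@phishingsite.com |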

ews-export-quarantinemessage#


Export quarantine messages.

Base Command#

ews-export-quarantinemessage

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identities | A comma-separated list of identities of the messages to export. | Optional |
| identity | The identity of a single message to export. | Optional |
| compress_output | Specify whether the output should be compressed. | Optional |
| entity_type | The type of entity being exported. | Optional |
| force_conversion_to_mime | Specify whether to force conversion to MIME format. | Optional |
| password | Password to encrypt the exported file. | Optional |
| reason_for_export | Reason for exporting the message. | Optional |
| recipient_address | Email address to send the exported message to. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.ExportQuarantineMessage.BodyEncoding | String | Encoding used for the body of the message. |
| EWS.ExportQuarantineMessage.Eml | String | The email message in Base64 encoding. |
| EWS.ExportQuarantineMessage.Identity | String | Unique identifier for the retrieved message. |
| EWS.ExportQuarantineMessage.Organization | Boolean | Identifier for the organization associated with the message. |

Command Example#

!ews-export-quarantinemessage identity="12345678-beef-dead-beef-0123456789ab\\c0ffee13-beef-dead-beef-0123456789ab"

Context Example#

{
"BodyEncoding": "Base64",
"Eml": "TmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAsIG5ldmVyIGdvbm5hIGxldCB5b3UgZG93biwgbmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQo=",
"Identity": "12345678-beef-dead-beef-0123456789ab\\c0ffee13-beef-dead-beef-0123456789ab",
"Organization": "c0ffee13-beef-dead-beef-0123456789ab"
}

Human Readable Output#

Results of ews-export-quarantinemessage#

| BodyEncoding | Eml | Identity | Organization |
| --- | --- | --- | --- |
| Base64 | TmV2ZXIgZ29ubmEgZ2l2ZSB5b3UgdXAsIG5ldmVyIGdvbm5hIGxldCB5b3UgZG93biwgbmV2ZXIgZ29ubmEgcnVuIGFyb3VuZCBhbmQgZGVzZXJ0IHlvdQo= | 12345678-beef-dead-beef-0123456789ab\c0ffee13-beef-dead-beef-0123456789ab | c0ffee13-beef-dead-beef-0123456789ab |
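
The Eml field returned by ews-export-quarantinemessage is the message in Base64, so it has to be decoded before headers and attachments can be triaged. The Python below is an added example, not code from the integration or the original page; the function names and the sample message are constructed, and it assumes the decoded bytes are an RFC 5322 message. Attachments are hashed in memory and never written to disk.

```python
# Added example: decode an EWS.ExportQuarantineMessage entry for triage.
# Function names are hypothetical; the sample message is constructed.
import base64
import binascii
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage


def header_text(msg, name):
    """Return a header as plain text, or None when it is absent."""
    value = msg[name]
    return None if value is None else str(value)


def decode_quarantine_export(entry):
    """Decode the Eml field and summarize headers and attachments."""
    encoding = entry.get("BodyEncoding")
    if encoding != "Base64":
        raise ValueError(f"unsupported BodyEncoding: {encoding!r}")
    eml = entry.get("Eml")
    if not isinstance(eml, str) or not eml.strip():
        raise ValueError("Eml field is missing or empty")
    try:
        # Drop line breaks, then reject any character outside the Base64 alphabet.
        raw = base64.b64decode("".join(eml.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("Eml field is not valid Base64") from exc

    msg = message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # None for nested messages
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return {
        "identity": entry.get("Identity"),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "from": header_text(msg, "From"),
        "subject": header_text(msg, "Subject"),
        "message_id": header_text(msg, "Message-ID"),
        "attachments": attachments,
    }


def build_sample_entry():
    """Constructed entry shaped like the page's Context Example."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice overdue"
    msg["Message-ID"] = "<constructed-1@example.com>"
    msg.set_content("Please see the attached invoice.\n")
    msg.add_attachment(b"constructed attachment body\n", maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    return {
        "BodyEncoding": "Base64",
        "Eml": base64.b64encode(msg.as_bytes()).decode("ascii"),
        "Identity": "<Identity>",          # placeholder, not a real message identity
        "Organization": "<Organization>",  # placeholder
    }


if __name__ == "__main__":
    summary = decode_quarantine_export(build_sample_entry())
    for key, value in summary.items():
        print(f"{key}: {value}")
```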

ews-get-quarantinemessage#


Retrieve quarantine messages.

Base Command#

ews-get-quarantinemessage

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The identity of a single message to retrieve. | Optional |
| entity_type | The type of entity being retrieved. | Optional |
| recipient_address | Email address of the recipient. | Optional |
| sender_address | Email address of the sender. | Optional |
| teams_conversation_types | Types of Teams conversations to retrieve. | Optional |
| direction | Direction of the message (Inbound/Outbound). | Optional |
| domain | Domain associated with the message. | Optional |
| end_expires_date | End date for the message expiration. | Optional |
| end_received_date | End date for when the message was received. | Optional |
| include_messages_from_blocked_sender_address | Include messages from blocked sender addresses. | Optional |
| message_id | ID of the message. | Optional |
| my_items | Include only items belonging to the user. | Optional |
| page | Page number for pagination. | Optional |
| page_size | Number of items per page. | Optional |
| policy_name | Name of the policy associated with the message. | Optional |
| policy_types | Types of policies associated with the message. | Optional |
| quarantine_types | Types of quarantine associated with the message. | Optional |
| recipient_tag | Tag associated with the recipient. | Optional |
| release_status | Release status of the message. | Optional |
| reported | Include only reported messages. | Optional |
| start_expires_date | Start date for the message expiration. | Optional |
| start_received_date | Start date for when the message was received. | Optional |
| subject | Subject of the message. | Optional |
| type | Type of the message. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.GetQuarantineMessage.ApprovalId | string | Approval ID of the message. |
| EWS.GetQuarantineMessage.ApprovalUPN | string | User Principal Name (UPN) of the approver. |
| EWS.GetQuarantineMessage.CustomData | unknown | Custom data associated with the message. |
| EWS.GetQuarantineMessage.DeletedForRecipients | string | List of recipients for whom the message was deleted. |
| EWS.GetQuarantineMessage.Direction | string | Direction of the message (Inbound/Outbound). |
| EWS.GetQuarantineMessage.EntityType | string | Entity type of the message. |
| EWS.GetQuarantineMessage.Expires | date | Expiry date of the message. |
| EWS.GetQuarantineMessage.Identity | string | Unique identifier for the message. |
| EWS.GetQuarantineMessage.MessageId | string | Message ID of the email. |
| EWS.GetQuarantineMessage.MoveToQuarantineAdminActionTakenBy | string | Admin action taken by. |
| EWS.GetQuarantineMessage.MoveToQuarantineApprovalId | string | Approval ID for moving to quarantine. |
| EWS.GetQuarantineMessage.Organization | string | Identifier for the organization associated with the message. |
| EWS.GetQuarantineMessage.OverrideReason | string | Reason for overriding the message. |
| EWS.GetQuarantineMessage.OverrideReasonIntValue | number | Integer value of the override reason. |
| EWS.GetQuarantineMessage.PermissionToAllowSender | boolean | Permission to allow the sender. |
| EWS.GetQuarantineMessage.PermissionToBlockSender | boolean | Permission to block the sender. |
| EWS.GetQuarantineMessage.PermissionToDelete | boolean | Permission to delete the message. |
| EWS.GetQuarantineMessage.PermissionToDownload | boolean | Permission to download the message. |
| EWS.GetQuarantineMessage.PermissionToPreview | boolean | Permission to preview the message. |
| EWS.GetQuarantineMessage.PermissionToRelease | boolean | Permission to release the message. |
| EWS.GetQuarantineMessage.PermissionToRequestRelease | boolean | Permission to request release of the message. |
| EWS.GetQuarantineMessage.PermissionToViewHeader | boolean | Permission to view the header of the message. |
| EWS.GetQuarantineMessage.PolicyName | string | Name of the policy applied to the message. |
| EWS.GetQuarantineMessage.PolicyType | string | Type of the policy applied to the message. |
| EWS.GetQuarantineMessage.QuarantineTypes | string | Types of quarantine applied to the message. |
| EWS.GetQuarantineMessage.QuarantinedUser | string | List of users quarantined. |
| EWS.GetQuarantineMessage.ReceivedTime | date | Time the message was received. |
| EWS.GetQuarantineMessage.RecipientAddress | string | List of recipient email addresses. |
| EWS.GetQuarantineMessage.RecipientCount | number | Number of recipients. |
| EWS.GetQuarantineMessage.RecipientTag | string | Tags associated with the recipient. |
| EWS.GetQuarantineMessage.ReleaseStatus | string | Release status of the message. |
| EWS.GetQuarantineMessage.Released | boolean | Whether the message was released. |
| EWS.GetQuarantineMessage.ReleasedBy | string | List of users who released the message. |
| EWS.GetQuarantineMessage.ReleasedCount | number | Number of times the message was released. |
| EWS.GetQuarantineMessage.ReleasedUser | string | List of users who released the message. |
| EWS.GetQuarantineMessage.Reported | boolean | Whether the message was reported. |
| EWS.GetQuarantineMessage.SenderAddress | string | Email address of the sender. |
| EWS.GetQuarantineMessage.Size | number | Size of the message in bytes. |
| EWS.GetQuarantineMessage.SourceId | string | Source ID of the message. |
| EWS.GetQuarantineMessage.Subject | string | Subject of the message. |
| EWS.GetQuarantineMessage.SystemReleased | boolean | Whether the system released the message. |
| EWS.GetQuarantineMessage.TagName | string | Tag name associated with the message. |
| EWS.GetQuarantineMessage.TeamsConversationType | string | Teams conversation type associated with the message. |
| EWS.GetQuarantineMessage.Type | string | Type of the message. |

Command Example#

!ews-get-quarantinemessage

Context Example#

{
"EWS": {
"GetQuarantineMessage": [
{
"ApprovalId": "",
"ApprovalUPN": "",
"CustomData": null,
"DeletedForRecipients": [],
"Direction": "Outbound",
"EntityType": "Email",
"Expires": "2024-07-18T13:20:02.7166413+00:00",
"Identity": "12345678-beef-dead-beef-0123456789ab\\c0ffee13-beef-dead-beef-0123456789ab",
"MessageId": "\u003c12345678-beef-dead-beef-0123456789ab@123456.789a.bcde.example.com\u003e",
"MoveToQuarantineAdminActionTakenBy": "",
"MoveToQuarantineApprovalId": "",
"Organization": "c0ffee13-beef-dead-beef-0123456789ab",
"OverrideReason": "None",
"OverrideReasonIntValue": 0,
"PermissionToAllowSender": true,
"PermissionToBlockSender": false,
"PermissionToDelete": true,
"PermissionToDownload": true,
"PermissionToPreview": true,
"PermissionToRelease": true,
"PermissionToRequestRelease": false,
"PermissionToViewHeader": false,
"PolicyName": "Default",
"PolicyType": "HostedContentFilterPolicy",
"QuarantineTypes": "HighConfPhish",
"QuarantinedUser": [],
"ReceivedTime": "2024-07-02T13:20:02.7166413+00:00",
"RecipientAddress": [
"admin@example.com"
],
"RecipientCount": 1,
"RecipientTag": [
""
],
"ReleaseStatus": "NOTRELEASED",
"Released": false,
"ReleasedBy": [],
"ReleasedCount": 0,
"ReleasedUser": [],
"Reported": false,
"SenderAddress": "alerts@example.com",
"Size": 31218,
"SourceId": "",
"Subject": "Informational-severity alert: Tenant Allow/Block List entry is about to expire",
"SystemReleased": false,
"TagName": "AdminOnlyAccessPolicy",
"TeamsConversationType": "",
"Type": "High Confidence Phish"
},
{
"ApprovalId": "",
"ApprovalUPN": "",
"CustomData": null,
"DeletedForRecipients": [],
"Direction": "Inbound",
"EntityType": "Email",
"Expires": "2024-07-13T10:59:12.7581841+00:00",
"Identity": "12345678-beef-dead-beef-0123456789ac\\c0ffee13-beef-dead-beef-0123456789ac",
"MessageId": "\u003c12345678-beef-dead-beef-0123456789ac@123456.789a.bcde.example.com\u003e",
"MoveToQuarantineAdminActionTakenBy": "",
"MoveToQuarantineApprovalId": "",
"Organization": "c0ffee13-beef-dead-beef-0123456789ac",
"OverrideReason": "None",
"OverrideReasonIntValue": 0,
"PermissionToAllowSender": true,
"PermissionToBlockSender": false,
"PermissionToDelete": true,
"PermissionToDownload": true,
"PermissionToPreview": true,
"PermissionToRelease": true,
"PermissionToRequestRelease": false,
"PermissionToViewHeader": false,
"PolicyName": "testing_quarantine_release",
"PolicyType": "HostedContentFilterPolicy",
"QuarantineTypes": "HighConfPhish",
"QuarantinedUser": [],
"ReceivedTime": "2024-06-28T10:59:12.7581841+00:00",
"RecipientAddress": [
"user@example.com"
],
"RecipientCount": 1,
"RecipientTag": [
""
],
"ReleaseStatus": "RELEASED",
"Released": true,
"ReleasedBy": [
"SystemMailbox{deadbeef-dead-beef-dead-beefdeadbeef}@example.com"
],
"ReleasedCount": 1,
"ReleasedUser": [],
"Reported": false,
"SenderAddress": "sender@example.com",
"Size": 14781,
"SourceId": "",
"Subject": "Check the inbox",
"SystemReleased": false,
"TagName": "testing_release",
"TeamsConversationType": "",
"Type": "High Confidence Phish"
}
]
}
}

Human Readable Output#

Results of ews-get-quarantinemessage#

| ApprovalId | ApprovalUPN | CustomData | DeletedForRecipients | Direction | EntityType | Expires | Identity | MessageId | MoveToQuarantineAdminActionTakenBy | MoveToQuarantineApprovalId | Organization | OverrideReason | OverrideReasonIntValue | PermissionToAllowSender | PermissionToBlockSender | PermissionToDelete | PermissionToDownload | PermissionToPreview | PermissionToRelease | PermissionToRequestRelease | PermissionToViewHeader | PolicyName | PolicyType | QuarantineTypes | QuarantinedUser | ReceivedTime | RecipientAddress | RecipientCount | RecipientTag | ReleaseStatus | Released | ReleasedBy | ReleasedCount | ReleasedUser | Reported | SenderAddress | Size | SourceId | Subject | SystemReleased | TagName | TeamsConversationType | Type |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  |  |  |  | Outbound | Email | 2024-07-18T13:20:02.7166413+00:00 | 12345678-beef-dead-beef-0123456789ab\c0ffee13-beef-dead-beef-0123456789ab | \u003c12345678-beef-dead-beef-0123456789ab@123456.789a.bcde.example.com\u003e |  |  | c0ffee13-beef-dead-beef-0123456789ab | None | 0 | true | false | true | true | true | true | false | false | Default | HostedContentFilterPolicy | HighConfPhish | [] | 2024-07-02T13:20:02.7166413+00:00 | ["admin@example.com"] | 1 | [""] | NOTRELEASED | false | [] | 0 | [] | false | alerts@example.com | 31218 |  | Informational-severity alert: Tenant Allow/Block List entry is about to expire | false | AdminOnlyAccessPolicy |  | High Confidence Phish |
|  |  |  |  | Inbound | Email | 2024-07-13T10:59:12.7581841+00:00 | 12345678-beef-dead-beef-0123456789ac\c0ffee13-beef-dead-beef-0123456789ac | \u003c12345678-beef-dead-beef-0123456789ac@123456.789a.bcde.example.com\u003e |  |  | c0ffee13-beef-dead-beef-0123456789ac | None | 0 | true | false | true | true | true | true | false | false | testing_quarantine_release | HostedContentFilterPolicy | HighConfPhish | [] | 2024-06-28T10:59:12.7581841+00:00 | ["user@example.com"] | 1 | [""] | RELEASED | true | ["SystemMailbox{deadbeef-dead-beef-dead-beefdeadbeef}@example.com"] | 1 | [] | false | sender@example.com | 14781 |  | Check the inbox | false | testing_release |  | High Confidence Phish |
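An added example (not part of the integration or its documentation): a Python check that a playbook step could run over the EWS.GetQuarantineMessage context to surface high-confidence phish that has been released, and unreleased items that are close to expiry. The function names, the 3-day warning window and the trimmed sample records are assumptions made for illustration; the field names and values come from the context example above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the page's two context records, trimmed to the fields used here.
SAMPLE = [
    {
        "Identity": "12345678-beef-dead-beef-0123456789ab\\c0ffee13-beef-dead-beef-0123456789ab",
        "QuarantineTypes": "HighConfPhish",
        "ReleaseStatus": "NOTRELEASED",
        "Released": False,
        "ReleasedBy": [],
        "Expires": "2024-07-18T13:20:02.7166413+00:00",
        "SenderAddress": "alerts@example.com",
        "RecipientAddress": ["admin@example.com"],
    },
    {
        "Identity": "12345678-beef-dead-beef-0123456789ac\\c0ffee13-beef-dead-beef-0123456789ac",
        "QuarantineTypes": "HighConfPhish",
        "ReleaseStatus": "RELEASED",
        "Released": True,
        "ReleasedBy": ["SystemMailbox{deadbeef-dead-beef-dead-beefdeadbeef}@example.com"],
        "Expires": "2024-07-13T10:59:12.7581841+00:00",
        "SenderAddress": "sender@example.com",
        "RecipientAddress": ["user@example.com"],
    },
]

_FRACTION = re.compile(r"\.(\d+)")


def parse_timestamp(value):
    """Parse Expires/ReceivedTime values, which carry 7 fractional digits.

    datetime.fromisoformat() on older Python versions accepts only 3 or 6
    fractional digits, so the fraction is cut to microseconds first.
    """
    value = value.replace("Z", "+00:00")
    value = _FRACTION.sub(lambda m: "." + m.group(1)[:6].ljust(6, "0"), value, count=1)
    return datetime.fromisoformat(value)


def audit_quarantine(messages, now, expiry_warning=timedelta(days=3)):
    """Return one finding per message that needs an analyst's attention."""
    findings = []
    for msg in messages:
        reasons = []
        released = bool(msg.get("Released")) or msg.get("ReleaseStatus") == "RELEASED"
        # Assumption: QuarantineTypes is a string, as in the page's example.
        if "HighConfPhish" in str(msg.get("QuarantineTypes", "")) and released:
            who = ", ".join(msg.get("ReleasedBy") or ["unknown"])
            reasons.append(f"high-confidence phish released by {who}")
        if not released and msg.get("Expires"):
            remaining = parse_timestamp(msg["Expires"]) - now
            if timedelta(0) <= remaining <= expiry_warning:
                reasons.append(f"not released, expires in {remaining.days} day(s)")
        if reasons:
            findings.append({
                "Identity": msg.get("Identity"),
                "SenderAddress": msg.get("SenderAddress"),
                "RecipientAddress": msg.get("RecipientAddress", []),
                "Reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Constructed review time, two days before the first sample expires.
    for finding in audit_quarantine(SAMPLE, datetime(2024, 7, 16, tzinfo=timezone.utc)):
        print(finding["Identity"], "->", "; ".join(finding["Reasons"]))
```
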

ews-release-quarantinemessage#


Release quarantine messages.

Base Command#

ews-release-quarantinemessage

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user | The user associated with the quarantine message. | Optional |
| identities | A comma-separated list of identities of the messages to release. | Optional |
| identity | The identity of a single message to release. | Optional |
| release_to_all | Specify whether to release the message to all recipients. | Optional |
| allow_sender | Specify whether to allow the sender. | Optional |
| entity_type | The type of entity being released. | Optional |
| force | Specify whether to force the release. | Optional |
| report_false_positive | Specify whether to report the message as a false positive. | Optional |
| action_type | The type of action to take when releasing the message. | Optional |

Context Output#

There are no context outputs for this command.

Human Readable Output#

The message with identity 12345678-beef-dead-beef-0123456789ab\c0ffee13-beef-dead-beef-0123456789ab has been sent for release from quarantine.

ews-junk-rules-get#


Gets junk rules for the specified mailbox.

Base Command#

ews-junk-rules-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | ID of the mailbox for which to get junk rules. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.Rule.Junk.BlockedSendersAndDomains | String | Blocked senders and domains list. |
| EWS.Rule.Junk.ContactsTrusted | Boolean | If true, contacts are trusted by default. |
| EWS.Rule.Junk.Email | String | Junk rule mailbox. |
| EWS.Rule.Junk.Enabled | Boolean | If true, junk rule is enabled. |
| EWS.Rule.Junk.Identity | String | Junk rule identity. |
| EWS.Rule.Junk.MailboxOwnerId | String | Mailbox owner ID. |
| EWS.Rule.Junk.TrustedListsOnly | Boolean | If true, only a list defined in the trusted lists are trusted. |
| EWS.Rule.Junk.TrustedRecipientsAndDomains | String | List of trusted recipients and domains. |
| EWS.Rule.Junk.TrustedSendersAndDomains | String | List of trusted senders and domains. |

Command Example#

!ews-junk-rules-get mailbox="xsoar@dev.onmicrosoft.com"

Context Example#

{
"EWS": {
"Rule": {
"Junk": {
"BlockedSendersAndDomains": [
"user1@gmail.com",
"user2@gmail.com"
],
"ContactsTrusted": false,
"Enabled": false,
"Identity": "xsoar",
"MailboxOwnerId": "xsoar",
"TrustedListsOnly": false,
"TrustedRecipientsAndDomains": [
"user1@gmail.com",
"user2@gmail.com"
],
"TrustedSendersAndDomains": [
"user1@gmail.com",
"user2@gmail.com"
]
}
}
}
}

Human Readable Output#

EWS extension - 'xsoar@dev.onmicrosoft.com' Junk rules#

| BlockedSendersAndDomains | ContactsTrusted | Enabled | TrustedListsOnly | TrustedSendersAndDomains |
| --- | --- | --- | --- | --- |
| ["user1@gmail.com","user2@gmail.com"] | False | False | False | ["user1@gmail.com","user2@gmail.com"] |

ews-junk-rules-set#


Sets junk rules for the specified mailbox.

Base Command#

ews-junk-rules-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | ID of the mailbox for which to set junk rules. | Required |
| add_blocked_senders_and_domains | Comma-separated list of blocked senders and domains to add to the mailbox. | Optional |
| remove_blocked_senders_and_domains | Comma-separated list of blocked senders and domains to remove from the mailbox. | Optional |
| add_trusted_senders_and_domains | Comma-separated list of trusted senders and domains to add to the mailbox. | Optional |
| remove_trusted_senders_and_domains | Comma-separated list of trusted senders and domains to remove from the mailbox. | Optional |
| trusted_lists_only | If true, trust only lists defined in the trusted lists. Can be "true" or "false". Possible values are: true, false. | Optional |
| contacts_trusted | If true, contacts are trusted by default. Can be "true" or "false". Possible values are: true, false. | Optional |
| enabled | If true, the junk rule is enabled. Can be "true" or "false". Possible values are: true, false. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!ews-junk-rules-set mailbox="xsoar@dev.onmicrosoft.com" add_blocked_senders_and_domains="test@gmail.com" add_trusted_senders_and_domains="dev.onmicrosoft.com"

Human Readable Output#

EWS extension - 'xsoar@dev.onmicrosoft.com' Junk rules modified!

ews-global-junk-rules-set#


Sets junk rules in all managed accounts.

Base Command#

ews-global-junk-rules-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| add_blocked_senders_and_domains | Comma-separated list of blocked senders and domains to add to the mailbox. | Optional |
| remove_blocked_senders_and_domains | Comma-separated list of blocked senders and domains to remove from the mailbox. | Optional |
| add_trusted_senders_and_domains | Comma-separated list of trusted senders and domains to add to the mailbox. | Optional |
| remove_trusted_senders_and_domains | Comma-separated list of trusted senders and domains to remove from the mailbox. | Optional |
| trusted_lists_only | If true, trust only lists defined in the trusted lists. Can be "true" or "false". Possible values are: true, false. | Optional |
| contacts_trusted | If true, contacts are trusted by default. Can be "true" or "false". Possible values are: true, false. | Optional |
| enabled | If true, the junk rule is enabled. Can be "true" or "false". Possible values are: true, false. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!ews-global-junk-rules-set add_blocked_senders_and_domains="test@demisto.com" add_trusted_senders_and_domains="demisto.com"

Human Readable Output#

EWS extension - Junk rules globally modified!

ews-message-trace-get#


Searches message data for the last 10 days. If you run this command without any arguments, only data from the last 48 hours is returned. If you enter a start date that is older than 10 days, you will receive an error and the command will return no results. This command returns a maximum of 1,000,000 results and will time out on very large queries. If your query returns too many results, consider splitting it up using shorter start_date and end_date intervals.

Base Command#

ews-message-trace-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sender_address | The sender_address parameter filters the results by the sender's email address. You can specify multiple values separated by commas. | Optional |
| recipient_address | The recipient_address parameter filters the results by the recipient's email address. You can specify multiple values separated by commas. | Optional |
| from_ip | The from_ip parameter filters the results by the source IP address. For incoming messages, the value of from_ip is the public IP address of the SMTP email server that sent the message. For outgoing messages from Exchange Online, the value is blank. | Optional |
| to_ip | The to_ip parameter filters the results by the destination IP address. For outgoing messages, the value of to_ip is the public IP address in the resolved MX record for the destination domain. For incoming messages to Exchange Online, the value is blank. | Optional |
| message_id | The message_id parameter filters the results by the Message-ID header field of the message. This value is also known as the Client ID. The format of the Message-ID depends on the messaging server that sent the message. The value should be unique for each message. However, not all messaging servers create values for the Message-ID in the same way. Be sure to include the full Message ID string (which may include angle brackets) and enclose the value in quotation marks (for example, "d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com"). | Optional |
| message_trace_id | The message_trace_id parameter can be used with the recipient address to uniquely identify a message trace and obtain more details. A message trace ID is generated for every message that's processed by the system. | Optional |
| page | The page number of the results you want to view. Can be an integer between 1 and 1000. The default value is 1. | Optional |
| page_size | The maximum number of entries per page. Can be an integer between 1 and 5000. The default value is 100. | Optional |
| start_date | The start date of the date range. Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM". Valid input for this parameter is from 10 days ago to now. The default value is 48 hours ago. | Optional |
| end_date | The end date of the date range. Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM". Valid input for this parameter is from start_date to now. The default value is now. | Optional |
| status | The status of the message. Can be one of the following: GettingStatus: The message is waiting for status update. Failed: Message delivery was attempted and it failed or the message was filtered as spam or malware, or by transport rules. Pending: Message delivery is underway or was deferred and is being retried. Delivered: The message was delivered to its destination. Expanded: There was no message delivery because the message was addressed to a distribution group and the membership of the distribution was expanded. Quarantined: The message was quarantined. FilteredAsSpam: The message was marked as spam. Possible values are: GettingStatus, Failed, Pending, Delivered, Expanded, Quarantined, FilteredAsSpam. | Optional |
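An added example (not the integration's own code): a Python planner for the splitting advice above, which cuts a date range into shorter start_date/end_date windows, renders one ews-message-trace-get call per window and page, and decides whether to page on or split further. The function names, the 6-hour step and the mm/dd/yyyy date format are assumptions; the limits (10 days, page 1 to 1000, page_size 1 to 5000) and argument names come from this page.

```python
from datetime import datetime, timedelta

MAX_LOOKBACK = timedelta(days=10)  # older start dates make the command return an error
MAX_PAGE = 1000                    # page accepts 1..1000
MAX_PAGE_SIZE = 5000               # page_size accepts 1..5000
STATUSES = {"GettingStatus", "Failed", "Pending", "Delivered",
            "Expanded", "Quarantined", "FilteredAsSpam"}
FILTER_ARGS = ("sender_address", "recipient_address", "from_ip", "to_ip",
               "message_id", "message_trace_id", "status")
# Assumption: the host's short date format is mm/dd/yyyy, as in the page's example.
# Seconds are not sent, so pass window bounds on whole minutes.
DATE_FORMAT = "%m/%d/%Y %I:%M %p"


def plan_windows(start, end, now, step=timedelta(hours=6)):
    """Split [start, end] into consecutive windows of at most `step`."""
    if step <= timedelta(0):
        raise ValueError("step must be positive")
    if not start < end <= now:
        raise ValueError("need start < end <= now")
    if now - start > MAX_LOOKBACK:
        raise ValueError("start_date is older than 10 days; the command returns an error")
    windows, cursor = [], start
    while cursor < end:
        upper = min(cursor + step, end)
        windows.append((cursor, upper))
        cursor = upper
    return windows


def build_command(window, page=1, page_size=MAX_PAGE_SIZE, **filters):
    """Render one ews-message-trace-get call for a window and page."""
    if not 1 <= page <= MAX_PAGE:
        raise ValueError("page must be between 1 and 1000")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page_size must be between 1 and 5000")
    unknown = set(filters) - set(FILTER_ARGS)
    if unknown:
        raise ValueError(f"unsupported arguments: {sorted(unknown)}")
    if "status" in filters and filters["status"] not in STATUSES:
        raise ValueError(f"unknown status: {filters['status']}")
    parts = ["!ews-message-trace-get",
             f'start_date="{window[0].strftime(DATE_FORMAT)}"',
             f'end_date="{window[1].strftime(DATE_FORMAT)}"',
             f"page={page}", f"page_size={page_size}"]
    for name in FILTER_ARGS:
        if name in filters:
            value = str(filters[name])
            if '"' in value:  # a quote would break out of the argument value
                raise ValueError(f"{name} must not contain a double quote")
            parts.append(f'{name}="{value}"')
    return " ".join(parts)


def next_step(window, page, page_size, returned):
    """Decide what to request after a page came back with `returned` rows."""
    if returned < page_size:
        return ("done", None)
    if page < MAX_PAGE:
        return ("next_page", page + 1)
    # Every page was full and the page limit is reached: halve the window.
    start, end = window
    middle = start + (end - start) / 2
    return ("split", [(start, middle), (middle, end)])


def dedupe(rows):
    """Adjacent windows share a boundary; keep one row per trace ID and recipient."""
    seen, unique = set(), []
    for row in rows:
        key = (row.get("MessageTraceId"), row.get("RecipientAddress"))
        if key not in seen:
            seen.add(key)
            unique.append(row)
    return unique


if __name__ == "__main__":
    now = datetime(2024, 7, 10, 12, 0)  # constructed reference time
    for window in plan_windows(now - timedelta(days=1), now, now):
        print(build_command(window, status="Quarantined"))
```
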

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.MessageTrace.FromIP | String | The public IP address of the SMTP email server that sent the message. |
| EWS.MessageTrace.ToIP | String | The public IP address in the resolved MX record for the destination domain. For incoming messages to Exchange Online, the value is blank. |
| EWS.MessageTrace.Index | Number | Message index in pagination. (Index starts from 0) |
| EWS.MessageTrace.MessageId | String | Message-ID header field of the message. |
| EWS.MessageTrace.MessageTraceId | String | Message trace ID of the message. |
| EWS.MessageTrace.Organization | String | Message trace organization source. |
| EWS.MessageTrace.Received | Date | Message receive time. |
| EWS.MessageTrace.RecipientAddress | String | Message recipients address. |
| EWS.MessageTrace.SenderAddress | String | Message sender address. |
| EWS.MessageTrace.Size | Number | Message size in bytes. |
| EWS.MessageTrace.StartDate | Date | Message trace start date. |
| EWS.MessageTrace.EndDate | Date | Message trace end date. |
| EWS.MessageTrace.Status | String | Message status. |
| EWS.MessageTrace.Subject | String | Message subject. |

Command Example#

!ews-message-trace-get

Context Example#

{
"EWS": {
"MessageTrace": [
{
"EndDate": "2021-01-03T06:14:14.9596257Z",
"FromIP": "8.8.8.8",
"Index": 1,
"MessageId": "xxx",
"MessageTraceId": "xxxx",
"Organization": "dev.onmicrosoft.com",
"Received": "2021-01-03T04:45:36.4662406",
"RecipientAddress": "xsoar@dev.onmicrosoft.com",
"SenderAddress": "xsoar@dev.onmicrosoft.com",
"Size": 1882,
"StartDate": "2021-01-01T06:14:14.9596257Z",
"Status": "GettingStatus",
"Subject": "Test mail",
"ToIP": null
},
{
"EndDate": "2021-01-03T06:15:14.9596257Z",
"FromIP": "8.8.8.8",
"Index": 2,
"MessageId": "xxx",
"MessageTraceId": "xxxx",
"Organization": "dev.onmicrosoft.com",
"Received": "2021-01-03T04:46:36.4662406",
"RecipientAddress": "xsoar@dev.onmicrosoft.com",
"SenderAddress": "xsoar@dev.onmicrosoft.com",
"Size": 1882,
"StartDate": "2021-01-01T06:15:14.9596257Z",
"Status": "GettingStatus",
"Subject": "Test mail",
"ToIP": null
}
]
}
}

Human Readable Output#

EWS extension - Messages trace#

| EndDate | FromIP | Index | MessageId | MessageTraceId | Organization | Received | RecipientAddress | SenderAddress | Size | StartDate | Status | Subject | ToIP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1/3/2021 6:14:14 AM | 8.8.8.8 | 0 | xxx | xxxx | microsoft.com | 1/3/2021 4:45:36 AM | xsoar@dev.microsoft.com | xsoar@dev.onmicrosoft.com | 6975 | 1/1/2021 6:14:14 AM | Delivered | Test mail |  |
| 1/3/2021 6:15:14 AM | 8.8.8.8 | 1 | xxx | xxxx | microsoft.com | 1/3/2021 4:46:36 AM | xsoar@dev.microsoft.com | xsoar@dev.onmicrosoft.com | 6975 | 1/1/2021 6:15:14 AM | Delivered | Test mail |  |

ews-federation-trust-get#


Displays the federation trust configured for the Exchange organization.

Base Command#

ews-federation-trust-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_controller | The domain controller identified by its fully qualified domain name (FQDN). For example, dc01.example.com. This argument is available only in on-premises Exchange. | Optional |
| identity | The federation trust ID. If not specified, the command returns all federation trusts configured for the Exchange organization. | Optional |

Context Output#

PathTypeDescription
EWS.FederationTrust.AdminDisplayNameStringAdministrator display name of the federation trust.
EWS.FederationTrust.ApplicationIdentifierStringApplication identifier of the federation trust.
EWS.FederationTrust.ApplicationUriStringApplication URI of the federation trust.
EWS.FederationTrust.DistinguishedNameStringDistinguished name of the federation trust.
EWS.FederationTrust.ExchangeObjectIdStringExchange object ID of the federation trust.
EWS.FederationTrust.ExchangeVersionStringExchange version of the federation trust.
EWS.FederationTrust.GuidStringGUID of the federation trust.
EWS.FederationTrust.IdStringID of the federation trust.
EWS.FederationTrust.IdentityStringIdentity of the federation trust.
EWS.FederationTrust.IsValidBooleanWhether the federation trust is valid.
EWS.FederationTrust.MetadataEprStringMetadata EPR of the federation trust.
EWS.FederationTrust.MetadataPollIntervalDateMetadata poll interval of the federation trust.
EWS.FederationTrust.MetadataPutEprUnknownMetadata put EPR of the federation trust.
EWS.FederationTrust.NameStringName of the federation trust.
EWS.FederationTrust.NamespaceProvisionerStringNamespace provisioner of the federation trust.
EWS.FederationTrust.ObjectCategoryStringObject category of the federation trust.
EWS.FederationTrust.ObjectClassStringObject class of the federation trust.
EWS.FederationTrust.ObjectStateStringObject state of the federation trust.
EWS.FederationTrust.OrgCertificate.ArchivedBooleanWhether the organization certificate of the federation trust is archived.
EWS.FederationTrust.OrgCertificate.Extensions.CriticalBooleanWhether the extensions of the organization certificate are critical.
EWS.FederationTrust.OrgCertificate.Extensions.Oid.FriendlyNameStringFriendly name of the OID of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.Oid.ValueStringValue of the OID of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.RawDataNumberRaw data of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.SubjectKeyIdentifierStringSubject key identifier of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.KeyUsagesNumberKey usages of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.EnhancedKeyUsages.FriendlyNameStringFriendly name of the enhanced key usages of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.EnhancedKeyUsages.ValueStringValue of the enhanced key usages of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.Extensions.CertificateAuthorityBooleanWhether the organization certificate extensions have a certificate authority.
EWS.FederationTrust.OrgCertificate.Extensions.HasPathLengthConstraintBooleanWhether the organization certificate extensions have a path length constraint.
EWS.FederationTrust.OrgCertificate.Extensions.PathLengthConstraintNumberPath length constraint of the organization certificate extensions.
EWS.FederationTrust.OrgCertificate.FriendlyNameStringFriendly name of the organization certificate.
EWS.FederationTrust.OrgCertificate.Handle.valueNumberThe handle value of the organization certificate.
EWS.FederationTrust.OrgCertificate.HasPrivateKeyBooleanWhether the organization certificate has a private key.
EWS.FederationTrust.OrgCertificate.IssuerStringIssuer of the organization certificate.
EWS.FederationTrust.OrgCertificate.IssuerName.NameStringName of the issuer of the organization certificate.
EWS.FederationTrust.OrgCertificate.IssuerName.Oid.FriendlyNameUnknownFriendly Name of the OID of the issuer name of the organization certificate.
EWS.FederationTrust.OrgCertificate.IssuerName.Oid.ValueUnknownValue of the OID of the issuer name of the organization certificate.
EWS.FederationTrust.OrgCertificate.IssuerName.RawDataNumberRaw data of the issuer name of the organization certificate.
EWS.FederationTrust.OrgCertificate.NotAfterDateThe date until when the organization certificate is valid.
EWS.FederationTrust.OrgCertificate.NotBeforeDateThe date the organization certificate became valid.
EWS.FederationTrust.OrgCertificate.PrivateKeyUnknownPrivate key of the organization certificate.
EWS.FederationTrust.OrgCertificate.PublicKey.EncodedKeyValue.Oid.FriendlyNameStringFriendly name of the OID of the encoded key value of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.EncodedKeyValue.Oid.ValueStringValue of the OID of the encoded key value of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.EncodedKeyValue.RawDataNumberRaw data of the encoded key value of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.EncodedParameters.Oid.FriendlyNameStringFriendly name of the OID of the encoded parameters of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.EncodedParameters.Oid.ValueStringValue of the OID of the encoded parameters of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.EncodedParameters.RawDataNumberRaw data of the encoded parameters of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Key.KeyExchangeAlgorithmStringKey exchange algorithm of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Key.LegalKeySizes.MaxSizeNumberMaximum size of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Key.LegalKeySizes.MinSizeNumberMinimum size of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Key.LegalKeySizes.SkipSizeNumberSkipSize of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Key.SignatureAlgorithmStringSignature algorithm of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Oid.FriendlyNameStringFriendly name of the OID of the public key.
EWS.FederationTrust.OrgCertificate.PublicKey.Oid.ValueStringValue of the OID of the public key.
EWS.FederationTrust.OrgCertificate.RawDataNumberRaw data of the organization certificate.
EWS.FederationTrust.OrgCertificate.SerialNumberStringSerial number of the organization certificate.
EWS.FederationTrust.OrgCertificate.SignatureAlgorithm.FriendlyNameStringFriendly name of the signature algorithm.
EWS.FederationTrust.OrgCertificate.SignatureAlgorithm.ValueStringValue of the signature algorithm.
EWS.FederationTrust.OrgCertificate.SubjectStringSubject of the organization certificate.
EWS.FederationTrust.OrgCertificate.SubjectName.NameStringName of the subject of the organization certificate.
EWS.FederationTrust.OrgCertificate.SubjectName.Oid.FriendlyNameUnknownFriendly name of the OID of the subject name.
EWS.FederationTrust.OrgCertificate.SubjectName.Oid.ValueUnknownValue of the OID of the subject name.
EWS.FederationTrust.OrgCertificate.SubjectName.RawDataNumberRaw Data of the subject name.
EWS.FederationTrust.OrgCertificate.ThumbprintStringThumbprint of the organization certificate.
EWS.FederationTrust.OrgCertificate.VersionNumberVersion of the organization certificate.
EWS.FederationTrust.OrgNextCertificateUnknownNext organization certificate.
EWS.FederationTrust.OrgNextPrivCertificateStringNext organization private certificate.
EWS.FederationTrust.OrgPrevCertificate.ArchivedBooleanWhether to archive the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.Extensions.CriticalBooleanWhether the extensions of the previous organization certificate are critical.
EWS.FederationTrust.OrgPrevCertificate.Extensions.Oid.FriendlyNameStringFriendly name of the OID of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.Extensions.Oid.ValueStringValue of the OID of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.Extensions.RawDataNumberRaw data of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.Extensions.SubjectKeyIdentifierStringSubject key identifier of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.Extensions.KeyUsagesNumberKey usages of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.Extensions.EnhancedKeyUsages.FriendlyNameStringFriendly name of the enhanced key usages of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.Extensions.EnhancedKeyUsages.ValueStringValue of the enhanced key usages of the previous organization certificate extensions.
EWS.FederationTrust.OrgPrevCertificate.FriendlyNameStringFriendly name of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.Handle.valueNumberValue of the handle of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.HasPrivateKeyBooleanWhether the previous organization certificate has a private key.
EWS.FederationTrust.OrgPrevCertificate.IssuerStringIssuer of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.IssuerName.NameStringName of the issuer of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.IssuerName.Oid.FriendlyNameUnknownFriendly name of the OID of the issuer of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.IssuerName.Oid.ValueUnknownValue of the OID of the issuer of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.IssuerName.RawDataNumberRaw data of the issuer of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.NotAfterDateThe date until when the previous organization certificate is valid.
EWS.FederationTrust.OrgPrevCertificate.NotBeforeDateThe date the previous organization certificate became valid.
EWS.FederationTrust.OrgPrevCertificate.PrivateKeyUnknownPrivate Key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.EncodedKeyValue.Oid.FriendlyNameStringFriendly Name of the OID of the encoded key value of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.EncodedKeyValue.Oid.ValueStringValue of the OID of the encoded key value of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.EncodedKeyValue.RawDataNumberRaw Data of the encoded key value of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.EncodedParameters.Oid.FriendlyNameStringFriendly name of the OID of the encoded parameters of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.EncodedParameters.Oid.ValueStringValue of the OID of the encoded parameters of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.EncodedParameters.RawDataNumberRaw Data of the encoded parameters of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Key.KeyExchangeAlgorithmStringKey exchange algorithm of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Key.LegalKeySizes.MaxSizeNumberMaximum size of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Key.LegalKeySizes.MinSizeNumberMinimum size of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Key.LegalKeySizes.SkipSizeNumberSkiPSize of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Key.SignatureAlgorithmStringSignature algorithm of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Oid.FriendlyNameStringFriendly name of the OID of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.PublicKey.Oid.ValueStringValue of the OID of the public key of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.RawDataNumberRaw Data of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SerialNumberStringSerial number of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SignatureAlgorithm.FriendlyNameStringFriendly name of the signature algorithm of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SignatureAlgorithm.ValueStringValue of the signature algorithm of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SubjectStringSubject of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SubjectName.NameStringName of the subject of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SubjectName.Oid.FriendlyNameUnknownFriendly name of the OID of the subject of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SubjectName.Oid.ValueUnknownValue of the OID of the subject name of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.SubjectName.RawDataNumberRaw Data of the subject name of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.ThumbprintStringThumbprint of the previous organization certificate.
EWS.FederationTrust.OrgPrevCertificate.VersionNumberVersion of the previous organization certificate.
EWS.FederationTrust.OrgPrevPrivCertificateStringOrganization previous private certificate.
EWS.FederationTrust.OrgPrivCertificateStringOrganization private certificate.
EWS.FederationTrust.OrganizationIdStringOrganization ID.
EWS.FederationTrust.OriginatingServerStringOriginating server.
EWS.FederationTrust.PSComputerNameStringPowerShell computer name.
EWS.FederationTrust.PSShowComputerNameBooleanWhether to show the PowerShell computer name.
EWS.FederationTrust.PolicyReferenceUriStringPolicy Reference URI.
EWS.FederationTrust.RunspaceIdStringRunspace ID.
EWS.FederationTrust.TimesOfUnmatchPartnerNumberTimes of unmatch partner.
EWS.FederationTrust.TokenIssuerCertReferenceStringToken issuer certificate reference.
EWS.FederationTrust.TokenIssuerCertificate.ArchivedBooleanWhether the token issuer certificate is archived.
EWS.FederationTrust.TokenIssuerCertificate.Extensions.CriticalBooleanWhether the extensions of the token issuer certificate are critical.
EWS.FederationTrust.TokenIssuerCertificate.Extensions.Oid.FriendlyNameStringFriendly name of the OID of the extensions of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.Extensions.Oid.ValueStringValue of the OID of the extensions of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.Extensions.RawDataNumberRaw Data of the extensions of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.Extensions.SubjectKeyIdentifierStringSubject key identifier of the extensions of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.Extensions.KeyUsagesNumberKey usages of the extensions of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.FriendlyNameStringFriendly name of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.Handle.valueNumberValue of the handle of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.HasPrivateKeyBooleanWhether the token issuer certificate has a private key.
EWS.FederationTrust.TokenIssuerCertificate.IssuerStringIssuer of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.IssuerName.NameStringName of the issuer of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.IssuerName.Oid.FriendlyNameUnknownFriendly name of the OID of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.IssuerName.Oid.ValueUnknownValue of the OID of the issuer of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.IssuerName.RawDataNumberRaw data of the issuer of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.NotAfterDateThe date until when the token issuer certificate is valid.
EWS.FederationTrust.TokenIssuerCertificate.NotBeforeDateThe date the token issuer certificate became valid.
EWS.FederationTrust.TokenIssuerCertificate.PrivateKeyUnknownPrivate key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.EncodedKeyValue.Oid.FriendlyNameStringFriendly name of the OID of the encoded key value of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.EncodedKeyValue.Oid.ValueStringValue of the OID of the encoded key value of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.EncodedKeyValue.RawDataNumberRaw data of the encoded key value of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.EncodedParameters.Oid.FriendlyNameStringFriendly name of the OID of the encoded parameters of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.EncodedParameters.Oid.ValueStringValue of the OID of the encoded parameters of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.EncodedParameters.RawDataNumberRaw Data of the encoded parameters of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Key.KeyExchangeAlgorithmStringKey exchange algorithm of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Key.LegalKeySizes.MaxSizeNumberMaximum size of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Key.LegalKeySizes.MinSizeNumberMinimum size of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Key.LegalKeySizes.SkipSizeNumberSkip size of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Key.SignatureAlgorithmStringSignature algorithm of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Oid.FriendlyNameStringFriendly name of the OID of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.PublicKey.Oid.ValueStringValue of the OID of the public key of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.RawDataNumberRaw Data of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SerialNumberStringSerial number of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SignatureAlgorithm.FriendlyNameStringFriendly name of the signature algorithm of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SignatureAlgorithm.ValueStringValue of the signature algorithm of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SubjectStringSubject of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SubjectName.NameStringName of the subject of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SubjectName.Oid.FriendlyNameUnknownFriendly name of the OID of the subject of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SubjectName.Oid.ValueUnknownValue of the OID of the subject of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.SubjectName.RawDataNumberRaw data of the subject of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.ThumbprintStringThumbprint of the token issuer certificate.
EWS.FederationTrust.TokenIssuerCertificate.VersionNumberVersion of the token issuer certificate.
EWS.FederationTrust.TokenIssuerEprStringToken issuer EPR.
EWS.FederationTrust.TokenIssuerMetadataEprStringToken issuer metadata EPR.
EWS.FederationTrust.TokenIssuerPrevCertReferenceStringToken issuer previous certificate reference.
EWS.FederationTrust.TokenIssuerPrevCertificate.ArchivedBooleanWhether the token issuer previous certificate was archived.
EWS.FederationTrust.TokenIssuerPrevCertificate.Extensions.CriticalBooleanWhether the extensions of the token issuer previous certificate were critical.
EWS.FederationTrust.TokenIssuerPrevCertificate.Extensions.Oid.FriendlyNameStringFriendly name of the OID of the extensions of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.Extensions.Oid.ValueStringValue of the OID of the extensions of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.Extensions.RawDataNumberRaw data of the extensions of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.Extensions.SubjectKeyIdentifierStringSubject key identifier of the extensions of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.Extensions.KeyUsagesNumberKey usages of the extensions of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.FriendlyNameStringFriendly name of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.Handle.valueNumberThe handle value of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.HasPrivateKeyBooleanWhether the token issuer previous certificate has a private key.
EWS.FederationTrust.TokenIssuerPrevCertificate.IssuerStringIssuer of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.IssuerName.NameStringName of the issuer of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.IssuerName.Oid.FriendlyNameUnknownFriendly name of the OID of the issuer name of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.IssuerName.Oid.ValueUnknownValue of the OID of the issuer name of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.IssuerName.RawDataNumberRaw Data of the issuer name of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.NotAfterDateThe date until when the token issuer previous certificate is valid.
EWS.FederationTrust.TokenIssuerPrevCertificate.NotBeforeDateThe date the token issuer previous certificate became valid.
EWS.FederationTrust.TokenIssuerPrevCertificate.PrivateKeyUnknownPrivate Key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.EncodedKeyValue.Oid.FriendlyNameStringFriendly name of the OID of the encoded key value of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.EncodedKeyValue.Oid.ValueStringValue of the OID of the encoded key value of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.EncodedKeyValue.RawDataNumberRaw data of the encoded key value of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.EncodedParameters.Oid.FriendlyNameStringFriendly name of the OID of the encoded parameters of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.EncodedParameters.Oid.ValueStringValue of the OID of the encoded parameters of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.EncodedParameters.RawDataNumberRaw data of the encoded parameters of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Key.KeyExchangeAlgorithmStringKey exchange algorithm of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Key.LegalKeySizes.MaxSizeNumberMaximum size of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Key.LegalKeySizes.MinSizeNumberMinimum size of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Key.LegalKeySizes.SkipSizeNumberSkip size of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Key.SignatureAlgorithmStringSignature algorithm of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Oid.FriendlyNameStringFriendly Name of the OID of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.PublicKey.Oid.ValueStringValue of the OID of the public key of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.RawDataNumberRaw Data of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SerialNumberStringSerial number of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SignatureAlgorithm.FriendlyNameStringFriendly name of the signature algorithm of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SignatureAlgorithm.ValueStringValue of the signature algorithm of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SubjectStringSubject of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SubjectName.NameStringName of the subject of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SubjectName.Oid.FriendlyNameUnknownFriendly Name of the OID of the subject of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SubjectName.Oid.ValueUnknownValue of the OID of the subject name of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.SubjectName.RawDataNumberRaw data of the subject name of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.ThumbprintStringThumbprint of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerPrevCertificate.VersionNumberVersion of the token issuer previous certificate.
EWS.FederationTrust.TokenIssuerTypeStringToken issuer type of the federation trust.
EWS.FederationTrust.TokenIssuerUriStringToken issuer URI of the federation trust.
EWS.FederationTrust.WebRequestorRedirectEprStringWeb requestor redirect EPR of the federation trust.
EWS.FederationTrust.WhenChangedDateThe date the federation trust was changed.
EWS.FederationTrust.WhenChangedUTCDateThe date in UTC format of when the federation trust was changed.
EWS.FederationTrust.WhenCreatedDateThe date the federation trust was created.
EWS.FederationTrust.WhenCreatedUTCDateThe date in UTC format of when the federation trust was created.

ews-federation-configuration-get#


Retrieves the Exchange organization's federated organization identifier and related details, such as federated domains, organization contact, and status.

Base Command#

ews-federation-configuration-get

Input#

Argument NameDescriptionRequired
domain_controllerThe fully qualified domain name (FQDN) of the domain controller. For example, dc01.example.com. This argument is available only in on-premises Exchange.Optional
identityThe federation trust ID. If not specified, all federation trusts configured for the Exchange organization are returned.Optional
include_extended_domain_infoThe IncludeExtendedDomainInfo switch specifies that the command query Microsoft Federation Gateway for the status of each accepted domain that's federated. The status is returned with each domain in the Domains property. Possible values are: true, false. Default is false.Optional

Context Output#

PathTypeDescription
EWS.FederationConfiguration.AccountNamespaceStringAccount namespace of the federation configuration.
EWS.FederationConfiguration.DefaultDomainUnknownDefault domain of the federation configuration.
EWS.FederationConfiguration.DelegationTrustLinkStringDelegation trust link of the federation configuration.
EWS.FederationConfiguration.DistinguishedNameStringDistinguished name of the federation configuration.
EWS.FederationConfiguration.DomainsStringDomains of the federation configuration.
EWS.FederationConfiguration.EnabledBooleanWhether the federation configuration is enabled.
EWS.FederationConfiguration.ExchangeObjectIdStringExchange object ID of the federation configuration.
EWS.FederationConfiguration.ExchangeVersionStringExchange version of the federation configuration.
EWS.FederationConfiguration.GuidStringGUID of the federation configuration.
EWS.FederationConfiguration.IdStringID of the federation configuration.
EWS.FederationConfiguration.IdentityStringIdentity of the federation configuration.
EWS.FederationConfiguration.IsValidBooleanWhether the federation configuration is valid.
EWS.FederationConfiguration.NameStringName of the federation configuration.
EWS.FederationConfiguration.ObjectCategoryStringObject category of the federation configuration.
EWS.FederationConfiguration.ObjectClassStringObject class of the federation configuration.
EWS.FederationConfiguration.ObjectStateStringObject state of the federation configuration.
EWS.FederationConfiguration.OrganizationContactStringOrganization contact of the federation configuration.
EWS.FederationConfiguration.OrganizationIdStringOrganization ID of the federation configuration.
EWS.FederationConfiguration.OriginatingServerStringOriginating server of the federation configuration.
EWS.FederationConfiguration.PSComputerNameStringPowerShell computer name of the federation configuration.
EWS.FederationConfiguration.PSShowComputerNameBooleanWhether to show the PowerShell computer name of the federation configuration.
EWS.FederationConfiguration.RunspaceIdStringRunspace ID of the federation configuration.
EWS.FederationConfiguration.WhenChangedDateThe date the federation configuration was changed.
EWS.FederationConfiguration.WhenChangedUTCDateThe date in UTC format of when the federation configuration was changed.
EWS.FederationConfiguration.WhenCreatedDateThe date the federation configuration was created.
EWS.FederationConfiguration.WhenCreatedUTCDateThe date in UTC format of when the federation configuration was created.

ews-remote-domain-get#


Gets the configuration information for the remote domains configured in your organization. This command is available only in the Exchange Online PowerShell V3 module.

Base Command#

ews-remote-domain-get

Input#

Argument NameDescriptionRequired
domain_controllerThe fully qualified domain name (FQDN) of the domain controller. For example, dc01.example.com. This argument is available only in on-premises Exchange.Optional
identityThe remote domain that you want to view. You can use the GUID, ID, or any other identifier.Optional

Context Output#

PathTypeDescription
EWS.RemoteDomain.AdminDisplayNameStringAdmin display name of the remote domain.
EWS.RemoteDomain.AllowedOOFTypeStringAllowed OOF type of the remote domain.
EWS.RemoteDomain.AutoForwardEnabledBooleanWhether auto forward is enabled for the remote domain.
EWS.RemoteDomain.AutoReplyEnabledBooleanWhether auto reply is enabled for the remote domain.
EWS.RemoteDomain.ByteEncoderTypeFor7BitCharsetsStringByte encoder type For 7-bit charsets of the remote domain.
EWS.RemoteDomain.CharacterSetStringCharacter set of the remote domain.
EWS.RemoteDomain.ContentTypeStringContent type of the remote domain.
EWS.RemoteDomain.DeliveryReportEnabledBooleanWhether delivery report is enabled for the remote domain.
EWS.RemoteDomain.DisplaySenderNameBooleanWhether to display the sender name for the remote domain.
EWS.RemoteDomain.DistinguishedNameStringDistinguished name of the remote domain.
EWS.RemoteDomain.DomainNameStringDomain name of the remote domain.
EWS.RemoteDomain.ExchangeObjectIdStringExchange object ID of the remote domain.
EWS.RemoteDomain.ExchangeVersionStringExchange version of the remote domain.
EWS.RemoteDomain.GuidStringGUID of the remote domain.
EWS.RemoteDomain.IdStringID of the remote domain.
EWS.RemoteDomain.IdentityStringIdentity of the remote domain.
EWS.RemoteDomain.IsInternalBooleanWhether the remote domain is internal.
EWS.RemoteDomain.IsValidBooleanWhether the remote domain is valid.
EWS.RemoteDomain.LineWrapSizeStringLine wrap size for the remote domain.
EWS.RemoteDomain.MeetingForwardNotificationEnabledBooleanWhether meeting forward notification is enabled for the remote domain.
EWS.RemoteDomain.MessageCountThresholdNumberMessage count threshold of the remote domain.
EWS.RemoteDomain.NDRDiagnosticInfoEnabledBooleanWhether NDR diagnostic information is enabled for the remote domain.
EWS.RemoteDomain.NDREnabledBooleanWhether NDR is enabled for the remote domain.
EWS.RemoteDomain.NameStringName of the remote domain.
EWS.RemoteDomain.NonMimeCharacterSetStringNon-mime character set of the remote domain.
EWS.RemoteDomain.ObjectCategoryStringObject category of the remote domain.
EWS.RemoteDomain.ObjectClassStringObject class of the remote domain.
EWS.RemoteDomain.ObjectStateStringObject state of the remote domain.
EWS.RemoteDomain.OrganizationIdStringOrganization ID of the remote domain.
EWS.RemoteDomain.OriginatingServerStringOriginating server of the remote domain.
EWS.RemoteDomain.PSComputerNameStringPowerShell computer name of the remote domain.
EWS.RemoteDomain.PSShowComputerNameBooleanWhether to show the PowerShell computer name for the remote domain.
EWS.RemoteDomain.PreferredInternetCodePageForShiftJisStringPreferred internet code page for shift JIS for the remote domain.
EWS.RemoteDomain.RequiredCharsetCoverageUnknownRequired charset coverage for the remote domain.
EWS.RemoteDomain.RunspaceIdStringRunspace ID for the remote domain.
EWS.RemoteDomain.TNEFEnabledUnknownWhether TNEF is enabled for the remote domain.
EWS.RemoteDomain.TargetDeliveryDomainBooleanWhether the remote domain is used for the target email address of mail users that represent the users in the other forest.
EWS.RemoteDomain.TrustedMailInboundEnabledBooleanWhether inbound trusted mail is enabled.
EWS.RemoteDomain.TrustedMailOutboundEnabledBooleanWhether outbound trusted mail is enabled.
EWS.RemoteDomain.UseSimpleDisplayNameBooleanWhether to use the simple display name.
EWS.RemoteDomain.WhenChangedDateThe date the remote domain was changed.
EWS.RemoteDomain.WhenChangedUTCDateThe date in UTC format of when the remote domain was changed.
EWS.RemoteDomain.WhenCreatedDateThe date the remote domain was created.
EWS.RemoteDomain.WhenCreatedUTCDateThe date in UTC format of when the remote domain was created.

ews-user-list#


Displays the existing user objects in your organization.

Base Command#

ews-user-list

Input#

Argument NameDescriptionRequired
identityThe mailbox you want to view.Optional
organizational_unitThe object's location in Active Directory by which to filter the results.Optional
limitMaximum number of users to get. A value of 0 means to get all users. Default is 10.Optional

Context Output#

PathTypeDescription
EWS.User.AccountDisabledBooleanWhether the user account is disabled.
EWS.User.AllowUMCallsFromNonUsersBooleanWhether to allow Unified Messaging calls from non-users.
EWS.User.ArchiveReleaseStringThe archive release of the user object.
EWS.User.AssistantNameStringThe assistant name of the user object.
EWS.User.AuthenticationPolicyUnknownThe authentication policy of the user object.
EWS.User.CanHaveCloudCacheBooleanWhether the user object can have cloud cache.
EWS.User.CityStringThe city of the user object.
EWS.User.CloudCacheAccountTypeStringCloud cache account type of the user object.
EWS.User.CloudCacheProviderNumberCloud cache provider of the user object.
EWS.User.CloudCacheRemoteEmailAddressStringCloud cache remote email address of the user object.
EWS.User.CloudCacheScopeNumberCloud cache scope of the user object.
EWS.User.CloudCacheUserNameStringCloud cache user name of the user object.
EWS.User.CompanyStringCompany of the user object.
EWS.User.ConsumerNetIDUnknownConsumer net ID of the user object.
EWS.User.CountryOrRegionStringCountry or region of the user object.
EWS.User.DefaultMailboxWorkloadsMaskUnknownDefault mailbox workloads mask of the user object.
EWS.User.DepartmentStringDepartment of the user object.
EWS.User.DesiredMailboxWorkloadsUnknownDesired mailbox workloads of the user object.
EWS.User.DesiredMailboxWorkloadsGracePeriodUnknownDesired mailbox workloads grace period of the user object.
EWS.User.DesiredMailboxWorkloadsModifiedUnknownModified desired mailbox workloads of the user object.
EWS.User.DisplayNameStringDisplay name of the user object.
EWS.User.DistinguishedNameStringDistinguished name of the user object.
EWS.User.ExchangeObjectIdStringExchange object ID of the user object.
EWS.User.ExchangeVersionStringExchange version of the user object.
EWS.User.ExternalDirectoryObjectIdStringExternal Directory Object ID of the user object.
EWS.User.FaxStringFax of the user object.
EWS.User.FirstNameStringFirst name of the user object.
EWS.User.GeoCoordinatesUnknownGeo coordinates of the user object.
EWS.User.GuidStringGUID of the user object.
EWS.User.HomePhoneStringHome phone of the user object.
EWS.User.IdStringID of the user object.
EWS.User.IdentityStringIdentity of the user object.
EWS.User.InitialsStringInitials of the user object.
EWS.User.IsCloudCacheBooleanWhether there is a cloud cache for the user object.
EWS.User.IsCloudCacheBlockedBooleanWhether the cloud cache is blocked.
EWS.User.IsCloudCacheProvisioningCompleteBooleanWhether cloud cache provisioning is complete.
EWS.User.IsDirSyncedBooleanWhether the directory is synched.
EWS.User.IsInactiveMailboxBooleanWhether the mailbox is inactive.
EWS.User.IsLinkedBooleanWhether the user object is linked.
EWS.User.IsSecurityPrincipalBooleanWhether there is a security principal.
EWS.User.IsSoftDeletedByDisableBooleanWhether soft delete is disabled and hard (permanent) delete occurs.
EWS.User.IsSoftDeletedByRemoveBooleanWhen the Exchange Online mailbox is deleted (soft delete), this property is set to True.
EWS.User.IsValidBooleanWhether the user object is valid.
EWS.User.LastNameStringLast name of the user object.
EWS.User.LegacyExchangeDNStringLegacy exchange distinguished name of the user object.
EWS.User.LegalAgeGroupUnknownLegal age group of the user object.
EWS.User.LinkedMasterAccountStringLinked master account of the user object.
EWS.User.MailboxLocationsStringMailbox locations of the user object.
EWS.User.MailboxProvisioningConstraintUnknownMailbox provisioning constraint of the user object.
EWS.User.MailboxRegionUnknownMailbox region of the user object.
EWS.User.MailboxRegionLastUpdateTimeUnknownLast time the mailbox region of the user object was updated.
EWS.User.MailboxRegionSuffixStringMailbox region suffix of the user object.
EWS.User.MailboxReleaseStringMailbox release of the user object.
EWS.User.MailboxWorkloadsStringMailbox workloads of the user object.
EWS.User.ManagerUnknownManager of the user object.
EWS.User.MicrosoftOnlineServicesIDStringMicrosoft Online Services ID of the user object.
EWS.User.MobilePhoneStringMobile phone of the user object.
EWS.User.NameStringName of the user object.
EWS.User.NetIDStringNetwork ID of the user object.
EWS.User.NotesStringNotes for the user object.
EWS.User.ObjectCategoryStringObject category of the user object.
EWS.User.ObjectClassStringObject class of the user object.
EWS.User.ObjectStateStringObject state of the user object.
EWS.User.OfficeStringOffice of the user object.
EWS.User.OrganizationIdStringOrganization ID of the user object.
EWS.User.OrganizationalUnitStringOrganizational unit of the user object.
EWS.User.OriginatingServerStringOriginating server of the user object.
EWS.User.PSComputerNameStringPowerShell computer name of the user object.
EWS.User.PSShowComputerNameBooleanWhether to show the PowerShell computer name of the user object.
EWS.User.PagerStringPager of the user object.
EWS.User.PhoneStringPhone of the user object.
EWS.User.PhoneticDisplayNameStringPhonetic display name of the user object.
EWS.User.PostalCodeStringPostal Code of the user object.
EWS.User.PreviousRecipientTypeDetailsStringDetails of the previous recipient type of the user object.
EWS.User.RecipientTypeStringRecipient type of the user object.
EWS.User.RecipientTypeDetailsStringDetails of the recipient type of the user object.
EWS.User.RemotePowerShellEnabledBooleanWhether remote PowerShell is enabled for the user object.
EWS.User.ResetPasswordOnNextLogonBooleanWhether to reset the password on next logon.
EWS.User.RunspaceIdStringRunspace ID of the user object.
EWS.User.SKUAssignedBooleanWhether SKU is assigned.
EWS.User.SamAccountNameStringsAMAccountName of the user object.
EWS.User.SeniorityIndexUnknownSeniority index of the user object.
EWS.User.SidStringSID of the user object.
EWS.User.SimpleDisplayNameStringSimple display name of the user object.
EWS.User.StateOrProvinceStringState or province of the user object.
EWS.User.StreetAddressStringStreet address of the user object.
EWS.User.StsRefreshTokensValidFromDateThe validation start date for the Security Token Service (STS) refresh tokens of the user object.
EWS.User.TelephoneAssistantStringTelephone assistant of the user object.
EWS.User.TitleStringTitle of the user object.
EWS.User.UMDialPlanUnknownUnified Messaging (UM) dial plan of the user object.
EWS.User.UMDtmfMapStringUnified Messaging (UM) dual tone multi-frequency (DTMF) map of the user object.
EWS.User.UpgradeDetailsUnknownUpgrade details of the user object.
EWS.User.UpgradeMessageUnknownUpgrade message of the user object.
EWS.User.UpgradeRequestStringUpgrade request of the user object.
EWS.User.UpgradeStageUnknownUpgrade stage of the user object.
EWS.User.UpgradeStageTimeStampUnknownUpgrade stage time stamp of the user object.
EWS.User.UpgradeStatusStringUpgrade status of the user object.
EWS.User.UserAccountControlStringUser account control of the user object.
EWS.User.UserPrincipalNameStringUser principal name of the user object.
EWS.User.WebPageStringWeb page of the user object.
EWS.User.WhenChangedDateThe date the user object was changed.
EWS.User.WhenChangedUTCDateThe date in UTC format of when the user object was changed.
EWS.User.WhenCreatedDateThe date the user object was created.
EWS.User.WhenCreatedUTCDateThe date in UTC format of when the user object was created.
EWS.User.WhenSoftDeletedUnknownWhen the user object was soft deleted.
EWS.User.WindowsEmailAddressStringWindows email address of the user object.
EWS.User.WindowsLiveIDStringWindows live ID of the user object.
EWS.User.DirectReportsStringDirect reports of the user object.

ews-mailbox-audit-bypass-association-list#


Retrieves information about the AuditBypassEnabled property value for user accounts (on-premises Exchange and the cloud) and computer accounts (on-premises Exchange only).

Base Command#

ews-mailbox-audit-bypass-association-list

Input#

Argument NameDescriptionRequired
identityThe mailbox you want to view.Optional
domain_controllerThe domain controller that's used by this cmdlet to read data from or write data to Active Directory. You identify the domain controller by its fully qualified domain name (FQDN). This argument is available only in on-premises Exchange.Optional
limitMaximum number of users to get. A value of 0 means to get all users. Default is 10.Optional

Context Output#

PathTypeDescription
EWS.MailboxAuditBypassAssociation.AuditBypassEnabledBooleanWhether the mailbox audit bypass association is enabled.
EWS.MailboxAuditBypassAssociation.DistinguishedNameStringDistinguished name of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.ExchangeObjectIdStringExchange object ID of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.ExchangeVersionStringThe version of the Exchange server.
EWS.MailboxAuditBypassAssociation.GuidStringThe GUID of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.IdStringID of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.IdentityStringThe unique identity of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.IsValidBooleanWhether the mailbox audit bypass association property is enabled.
EWS.MailboxAuditBypassAssociation.NameStringName of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.ObjectCategoryStringObject category of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.ObjectClassStringObject class of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.ObjectIdStringObject ID of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.ObjectStateStringObject state of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.OrganizationIdStringOrganization ID of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.OriginatingServerStringOriginating server of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.PSComputerNameStringPowerShell computer name of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.PSShowComputerNameBooleanWhether to show the computer name of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.RunspaceIdStringRunspace ID of the mailbox audit bypass association.
EWS.MailboxAuditBypassAssociation.WhenChangedunknownThe date the mailbox audit bypass association was changed.
EWS.MailboxAuditBypassAssociation.WhenChangedUTCDateThe date in UTC of when the mailbox audit bypass association was changed.
EWS.MailboxAuditBypassAssociation.WhenCreatedDateThe date the mailbox audit bypass association was created.
EWS.MailboxAuditBypassAssociation.WhenCreatedUTCDateThe date in UTC format of when the mailbox audit bypass association was created.

ews-rule-list#


Get a list of all mailbox rules.

Base Command#

ews-rule-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | The mailbox that contains the Inbox rule. | Required |
| limit | Maximum number of rules to get. A value of 0 means to get all rules. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.Rule.RuleIdentity | String | The rule identity. |
| EWS.Rule.Name | String | The rule name. |
| EWS.Rule.Enabled | Boolean | Whether the rule is enabled or not. |
| EWS.Rule.Priority | String | The rule priority. |

Human Readable Output#

Results of ews-rule-list#

| Enabled | Name | Priority | RuleIdentity |
| --- | --- | --- | --- |
| true | CheckActionRequired | 1 | 1268829516541722625 |
| true | ews phishing test | 8 | 1845290268845146113 |

ews-get-rule#


Get a mailbox rule.

Base Command#

ews-get-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | The mailbox that contains the Inbox rule. | Required |
| identity | The ID of the rule. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.Rule.Rule | String | The rule identity. |
| EWS.Rule.RuleName | String | The rule name. |
| EWS.Rule.IsEnabled | Boolean | Whether the rule is enabled or not. |
| EWS.Rule.Priority | String | The rule priority. |
| EWS.Rule.Description | String | The description of the rule. |
| EWS.Rule.StopProcessingRules | Boolean | Whether to stop processing the rule or not. |
| EWS.Rule.IsValid | Boolean | Whether the rule is valid or not. |

Human Readable Output#

Results of ews-rule-list#

| Enabled | Name | Priority | RuleIdentity | Description | IsValid | StopProcessingRules |
| --- | --- | --- | --- | --- | --- | --- |
| true | CheckActionRequired | 1 | 1268829516541722625 | If the message: the sender requested any action and my name is in the To box | true | false |

ews-remove-rule#


Remove a mailbox rule.

Base Command#

ews-remove-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | The mailbox that contains the Inbox rule. | Required |
| identity | The ID of the rule. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Rule 1845290268845146113 has been deleted successfully

ews-rule-disable#


Disable an existing inbox rule in a given mailbox.

Base Command#

ews-rule-disable

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | The mailbox that contains the inbox rule. | Required |
| identity | The inbox rule that you want to disable. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Rule 1845290268845146113 has been disabled successfully

ews-rule-enable#


Enable an existing inbox rule in a given mailbox.

Base Command#

ews-rule-enable

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mailbox | The mailbox that contains the inbox rule. | Required |
| identity | The inbox rule that you want to enable. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Rule 1845290268845146113 has been enabled successfully
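
The inbox-rule commands above expose the same rule under different context keys: ews-rule-list returns RuleIdentity, Name and Enabled, while ews-get-rule returns Rule, RuleName and IsEnabled. The following added example (not part of the integration's own code) normalizes both shapes, joins them by rule identity, and builds the ews-rule-disable arguments for enabled rules an analyst has not cleared. The function names, the mailbox address and the sample entries are assumptions made for illustration.

```python
# Added example: keys follow the Context Output tables; sample data is constructed.
SAMPLE_LIST = [  # EWS.Rule entries in the ews-rule-list shape
    {"RuleIdentity": "1268829516541722625", "Name": "CheckActionRequired",
     "Enabled": True, "Priority": "1"},
    {"RuleIdentity": "1845290268845146113", "Name": "ews phishing test",
     "Enabled": True, "Priority": "8"},
]
SAMPLE_GET = [  # EWS.Rule entry in the ews-get-rule shape
    {"Rule": "1268829516541722625", "RuleName": "CheckActionRequired",
     "IsEnabled": True, "Priority": "1", "IsValid": True,
     "StopProcessingRules": False},
]


def normalize_rule(entry):
    """Map either command's EWS.Rule entry onto one common shape."""
    identity = entry.get("RuleIdentity", entry.get("Rule"))
    if identity is None:
        raise ValueError("entry has neither RuleIdentity nor Rule")
    return {
        "identity": str(identity),
        "name": entry.get("Name", entry.get("RuleName")),
        "enabled": bool(entry.get("Enabled", entry.get("IsEnabled"))),
        "priority": entry.get("Priority"),
        # The remaining fields exist only in ews-get-rule output.
        "description": entry.get("Description"),
        "stop_processing": entry.get("StopProcessingRules"),
        "is_valid": entry.get("IsValid"),
    }


def merge_rule_views(list_entries, get_entries):
    """Join ews-rule-list rows with ews-get-rule details by rule identity."""
    merged = {}
    for entry in list(list_entries) + list(get_entries):
        rule = normalize_rule(entry)
        current = merged.setdefault(rule["identity"], rule)
        for key, value in rule.items():  # fill gaps, keep known values
            if current.get(key) is None and value is not None:
                current[key] = value
    return merged


def disable_requests(mailbox, rules, reviewed_ok=()):
    """Build ews-rule-disable arguments for enabled rules not yet cleared."""
    cleared = {str(i) for i in reviewed_ok}
    return [("ews-rule-disable", {"mailbox": mailbox, "identity": ident})
            for ident, rule in sorted(rules.items())
            if rule["enabled"] and ident not in cleared]
```

Each returned pair is a command name and its argument dictionary, using only the mailbox and identity arguments documented for ews-rule-disable.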

ews-mail-flow-rules-list#


List all mail flow rules (transport rules) in the organization.

Base Command#

ews-mail-flow-rules-list

Input#

| Argument Name | Description | Possible Values | Is Array | Required | Note |
| --- | --- | --- | --- | --- | --- |
| extended_output | Determine whether the output will be in verbose format or not. | Boolean | No | No | Default = False |
| limit | The amount of mail flow rules to return. | Number | No | No | Default is 1000 |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.MailFlowRule.Size | Number | The size of the mail flow rule in bytes, typically related to the storage or data usage of the rule. |
| EWS.MailFlowRule.ExpiryDate | Date | The date and time when the mail flow rule is set to expire and no longer apply. |
| EWS.MailFlowRule.Mode | String | The operational mode of the rule, indicating whether it is active (Enforce), in testing mode (Test), or disabled. |
| EWS.MailFlowRule.Quarantine | Boolean | Specifies whether the rule actions include quarantining messages that match the rule. |
| EWS.MailFlowRule.Guid | String | The unique identifier (Globally Unique Identifier) for the mail flow rule. |
| EWS.MailFlowRule.OrganizationId | String | The identifier for the organization where the mail flow rule is configured, typically used in multi-tenant environments. |
| EWS.MailFlowRule.DistinguishedName | String | The distinguished name of the mail flow rule in the Exchange directory structure. |
| EWS.MailFlowRule.IsValid | Boolean | Indicates whether the mail flow rule is valid and functional. |
| EWS.MailFlowRule.Conditions | Array | The conditions that trigger the mail flow rule, such as specific senders, recipients, or message properties. |
| EWS.MailFlowRule.Comments | Unknown | Free-form text field for adding comments or notes about the rule, typically used for documentation. |
| EWS.MailFlowRule.WhenChanged | Date | The date and time when the mail flow rule was last modified. |
| EWS.MailFlowRule.Description | String | A brief description of the mail flow rule's purpose or functionality. |
| EWS.MailFlowRule.Actions | Array | The actions taken when a message matches the rule's conditions, such as redirecting, blocking, or adding headers. |
| EWS.MailFlowRule.ImmutableId | String | A persistent, unchangeable identifier for the mail flow rule, ensuring it remains identifiable across modifications. |
| EWS.MailFlowRule.Identity | String | The identity of the rule, often combining the name and unique identifiers, used to reference the rule programmatically. |
| EWS.MailFlowRule.Name | String | The user-friendly name of the mail flow rule, typically used for easy identification. |
| EWS.MailFlowRule.CreatedBy | String | The user or process that created the mail flow rule. |
| EWS.MailFlowRule.RouteMessageOutboundConnector | Unknown | Specifies whether messages matching the rule should be routed through a specific outbound connector. |

Human Readable Output#

Results of ews-rule-list#

| Name | State | Priority | Comment | WhenChanged | CreatedBy |
| --- | --- | --- | --- | --- | --- |
| demisto | Disabled | 1 | comment | 2019-10-14T07:25:04+00:00 | Edwin Becker |
| demisto-2 | Enabled | 2 | comment | 2019-11-15T010:21:45+00:00 | Kemp Kimmons |
| demisto-3 | Enabled | 3 | comment | 2019-11-16T016:26:46+00:00 | Barbara Wagner |

ews-mail-flow-rule-get#


Get a mail flow rule (transport rule) in the organization.

Base Command#

ews-mail-flow-rule-get

Input#

| Argument Name | Description | Possible Values | Is Array | Required | Note |
| --- | --- | --- | --- | --- | --- |
| extended_output | Determine whether the output will be in verbose format or not. | Boolean | No | No | Default = False |
| identity | Specifies the rule that you want to view. | string | No | No | |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| EWS.MailFlowRule.Size | Number | The size of the mail flow rule in bytes, typically related to the storage or data usage of the rule. |
| EWS.MailFlowRule.ExpiryDate | Date | The date and time when the mail flow rule is set to expire and no longer apply. |
| EWS.MailFlowRule.Mode | String | The operational mode of the rule, indicating whether it is active (Enforce), in testing mode (Test), or disabled. |
| EWS.MailFlowRule.Quarantine | Boolean | Specifies whether the rule actions include quarantining messages that match the rule. |
| EWS.MailFlowRule.Guid | String | The unique identifier (Globally Unique Identifier) for the mail flow rule. |
| EWS.MailFlowRule.OrganizationId | String | The identifier for the organization where the mail flow rule is configured, typically used in multi-tenant environments. |
| EWS.MailFlowRule.DistinguishedName | String | The distinguished name of the mail flow rule in the Exchange directory structure. |
| EWS.MailFlowRule.IsValid | Boolean | Indicates whether the mail flow rule is valid and functional. |
| EWS.MailFlowRule.Conditions | Array | The conditions that trigger the mail flow rule, such as specific senders, recipients, or message properties. |
| EWS.MailFlowRule.Comments | Unknown | Free-form text field for adding comments or notes about the rule, typically used for documentation. |
| EWS.MailFlowRule.WhenChanged | Date | The date and time when the mail flow rule was last modified. |
| EWS.MailFlowRule.Description | String | A brief description of the mail flow rule's purpose or functionality. |
| EWS.MailFlowRule.Actions | Array | The actions taken when a message matches the rule's conditions, such as redirecting, blocking, or adding headers. |
| EWS.MailFlowRule.ImmutableId | String | A persistent, unchangeable identifier for the mail flow rule, ensuring it remains identifiable across modifications. |
| EWS.MailFlowRule.Identity | String | The identity of the rule, often combining the name and unique identifiers, used to reference the rule programmatically. |
| EWS.MailFlowRule.Name | String | The user-friendly name of the mail flow rule, typically used for easy identification. |
| EWS.MailFlowRule.CreatedBy | String | The user or process that created the mail flow rule. |
| EWS.MailFlowRule.RouteMessageOutboundConnector | Unknown | Specifies whether messages matching the rule should be routed through a specific outbound connector. |

Human Readable Output#

Results of ews-rule-list#

| Name | State | Priority | Comment | WhenChanged | CreatedBy |
| --- | --- | --- | --- | --- | --- |
| demisto | Disabled | 1 | comment | 2019-10-14T07:25:04+00:00 | Edwin Becker |

ews-mail-flow-rule-remove#


Remove a mail flow rule (transport rule) from the organization.

Base Command#

ews-mail-flow-rule-remove

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The rule that you want to remove. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Mail flow rule 1845290268845146113 has been removed successfully

ews-mail-flow-rule-disable#


Disable a mail flow rule (transport rule) in the organization.

Base Command#

ews-mail-flow-rule-disable

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The rule that you want to disable. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Mail flow rule 1845290268845146113 has been disabled successfully

ews-mail-flow-rule-enable#


Enable a mail flow rule (transport rule) in the organization.

Base Command#

ews-mail-flow-rule-enable

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The rule that you want to enable. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Mail flow rule 1845290268845146113 has been enabled successfully

ews-mail-forwarding-disable#


Disable mail forwarding for a given user.

Base Command#

ews-mail-forwarding-disable

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| identity | The mailbox that you want to modify. | Required |

Context Output#

There are no context outputs for this command.

Human Readable Output#

Mail forwarding for user 1845290268845146113 has been disabled successfully