Message properties and search operators for In-Place eDiscovery in Exchange Server

This topic describes the properties of Exchange email messages that you can search by using In-Place eDiscovery & Hold in Exchange Server 2016 or Exchange Server 2019. The topic also describes Boolean search operators and other search query techniques that you can use to refine eDiscovery search results.

In-Place eDiscovery uses Keyword Query Language (KQL). For more details, see Keyword Query Language syntax reference.

Searchable properties in Exchange

The following table lists email message properties that can be searched using an In-Place eDiscovery search or by using the New-MailboxSearch or the Set-MailboxSearch cmdlet. The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples.

Property Property description Examples Search results returned by the examples
The names of files attached to an email message.
Messages that have an attached file with a name matching annualreport.ppt, e.g. "annualreport.ppt" or "2017 annualreport.ppt".
In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment.
The BCC field of an email message.1
bcc:"Pilar Pinilla"
All examples return messages with Pilar Pinilla included in the Bcc field.
The categories to search. Categories can be defined by users by using Outlook or Outlook on the web (formerly known as Outlook Web App). Valid values are:
category:"Red Category"
Messages that have been assigned the red category in the source mailboxes.
The CC field of an email message.1
cc:"Pilar Pinilla"
In both examples, messages with Pilar Pinilla specified in the CC field.
The sender of an email message.1
Messages sent by the specified user or sent from a specified domain.
The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low.
Messages that are marked as high importance, medium importance, or low importance.
The message type to search. Valid values are:
kind:email OR kind:im OR kind:voicemail
Email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria.
All the people fields in an email message; these fields are From, To, CC, and BCC.1
Messages sent by or sent to
The second example returns all messages sent by or sent to a user in the domain.
The date that an email message was received by a recipient.
received>=01/01/2015 AND received<=03/31/2015
Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014.
All recipient fields in an email message; these fields are To, CC, and BCC.1
Messages sent to
The second example returns messages sent to any recipient in the domain.
The date that an email message was sent by the sender.
sent>=06/01/2015 AND sent<=07/01/2015
Messages that were sent on the specified date or sent within the specified date range.
The size of an item, in bytes.
Messages larger than 25 MB.
The second example returns messages from 1 through 1,048,576 bytes (1 MB) in size.
The text in the subject line of an email message.
subject:"Quarterly Financials"
Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line.
The second example returns all messages that contain the word northwind in the subject line.
The To field of an email message.1
to:"Ann Beebe"
All examples return messages where Ann Beebe is specified in the To: line.

1: For the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For example, you can use, annb, or "Ann Beebe" to specify the user Ann Beebe.

Supported search operators

Boolean search operators, such as AND, OR, and NOT, help you define more-precise mailbox searches by including or excluding specific words in the search query. Other techniques, such as using property operators (such as >= or ..), quotation marks, parentheses, and wildcards, help you refine eDiscovery search queries. The following table lists the operators that you can use to narrow or broaden search results.

Operator Usage Description
keyword1 AND keyword2
Returns messages that include all of the specified keywords or property:value expressions.
keyword1 +keyword2 +keyword3
Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1.
Note that the query keyword1 + keyword2 (with a space after the + symbol) isn't the same as using the AND operator. This query would be equivalent to "keyword1 + keyword2" and return items with the exact phase "keyword1 + keyword2".
keyword1 OR keyword2
Returns messages that include one or more of the specified keywords or property:value expressions.
keyword1 NOT keyword2
NOT from:"Ann Beebe"
Excludes messages specified by a keyword or a property:value expression. For example, NOT from:"Ann Beebe" excludes messages sent by Ann Beebe.
keyword1 -keyword2
The same as the NOT operator. This query returns items that contain keyword1 and excludes items that contain keyword2.
keyword1 NEAR(n) keyword2
Returns messages with words that are near each other, where n equals the number of words apart. For example, best NEAR(5) worst returns messages where the word "worst" is within five words of "best". If no number is specified, the default distance is eight words.
The colon (:) in the property:value syntax specifies that the property value being searched for equals the specified value. For example, returns any message sent to
Denotes that the property being searched is less than the specified value. 1
Denotes that the property being searched is greater than the specified value.1
Denotes that the property being searched is less than or equal to a specific value.1
Denotes that the property being searched is greater than or equal to a specific value.1
Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2.1
" "
"fair value"
subject:"Quarterly Financials"
Use double quotation marks (" ") to search for an exact phrase or term in keyword and property:value search queries.
Prefix wildcard searches (where the asterisk is placed at the end of a word) match for zero or more characters in keywords or property:value queries. For example, subject:set* returns messages that contain the word set, setup, and setting (and other words that start with "set") in the subject line.
( )
(fair OR free) AND
(IPO OR initial) AND (stock OR shares)
(quarterly financials)
Parentheses group together Boolean phrases, property:value items, and keywords. For example, (quarterly financials) returns items that contain the words quarterly and financials.

1: Use this operator for properties that have date or numeric values.

2: Boolean search operators must be uppercase; for example, AND. Using lowercase operators in search queries will return an error.

Unsupported characters in search queries

Unsupported characters in a search query typically cause a search error or return unintended results. Unsupported characters are often hidden and they're typically added to a query when you copy the query or parts of the query from other applications (such as Microsoft Word or Microsoft Excel) and copy them to the keyword box on the query page of In-Place eDiscovery search.

Here's a list of the unsupported characters for an In-Place eDiscovery search query.

  • Smart quotation marks: Smart single and double quotation marks (also called curly quotes) aren't supported. Only straight quotation marks can be used in a search query.

  • Non-printable and control characters: Non-printable and control characters don't represent a written symbol, such as a alpha-numeric character. Examples of non-printable and control characters include characters that format text or separate lines of text.

  • Left-to-right and right-to-left marks: These are control characters used to indicate text direction for left-to-right languages (such as English and Spanish) and right-to-left languages (such as Arabic and Hebrew).

  • Lowercase Boolean operators: As previous explained, you have to use uppercase Boolean operators, such as AND and OR, in a search query. Note that the query syntax will often indicate that a Boolean operator is being used even though lowercase operators might be used; for example, (WordA or WordB) and (WordC or WordD).

How to prevent unsupported characters in your search queries? The best way to prevent unsupported characters is to just type the query in the keyword box. Alternatively, you can copy a query from Word or Excel and then paste it to file in a plain text editor, such as Microsoft Notepad. Then save the text file and select ANSI in the Encoding drop-down list. This will remove any formatting and unsupported characters. Then you can copy and paste the query from the text file to the keyword query box.

Search tips and tricks

  • Keyword searches are not case sensitive. For example, cat and CAT return the same results.

  • A space between two keywords or two property:value expressions is the same as using AND. For example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word reorganization in the subject line.

  • Use syntax that matches the property:value format. Values are not case-sensitive, and they can't have a space after the operator. If there is a space, your intended value will just be full-text searched. For example, to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.

  • When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use, pilarp, or "Pilar Pinilla".

  • You can use only prefix wildcard searches (for example, cat* or set*). Suffix wildcard searches (*cat) or substring wildcard searches (*cat*) aren't supported.

  • When searching a property, use double quotation marks (" ") if the search value consists of multiple words. For example subject:budget Q1 returns messages that contain budget in the in the subject line and that contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1" returns all messages that contain budget Q1 anywhere in the subject line.

  • To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example, -from:"Sara Davis" will exclude any messages sent by Sara Davis.