Identify M365 Emails with Attachments Using Graph PowerShell
Emails with attachments often carry crucial data or sensitive information that requires attention. For administrators, tracking these emails can be vital for data management, security auditing, or compliance purposes. Microsoft Graph PowerShell provides an efficient way to filter and identify emails containing attachments in user mailboxes.
In this article, we’ll guide you through a PowerShell script that leverages Microsoft Graph to retrieve emails with attachments from a user's mailbox. This tool is especially useful for administrators who need to monitor emails with files for data protection and security.
The Script: Retrieve M365 Emails with Attachments
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Mail.Read"
# Define the user whose emails with attachments you want to retrieve
$UserId = "user@yourdomain.com"
# Retrieve emails that have attachments from the user's mailbox
$emailsWithAttachments = Get-MgUserMessage -UserId $UserId -Filter "hasAttachments eq true" -Property Subject ReceivedDateTime Sender
# Display emails with attachments
if ($emailsWithAttachments.Count -gt 0) {
Write-Host "Emails with Attachments in $UserId's Mailbox:"
$emailsWithAttachments | Select-Object Subject ReceivedDateTime Sender | Format-Table
} else {
Write-Host "No emails with attachments found in $UserId's mailbox."
}
# Disconnect from Microsoft Graph
Disconnect-MgGraph
How the Script Works
- Connect-MgGraph: The script initiates a connection to Microsoft Graph using the Mail.Read permission, which allows it to read the user's email messages and check for specific criteria.
- Define the User: It specifies the UserId, which represents the email address of the user whose mailbox you want to inspect.
- Retrieve Emails with Attachments: The
Get-MgUserMessagecmdlet is used to query the user's mailbox for emails that include attachments. The filter conditionhasAttachments eq trueensures that only messages with attachments are retrieved. - Display the Results: If emails with attachments are found, they are displayed in a table format showing the subject, received date, and sender of each email. If no such emails are found, the script informs you that there are no emails with attachments in the mailbox.
- Disconnect-MgGraph: Finally, the script disconnects from Microsoft Graph to close the session securely.
Further Enhancements
- Export Emails with Attachments to CSV: You can modify the script to export the list of emails with attachments to a CSV file for further analysis or reporting.
$emailsWithAttachments | Export-Csv -Path "C:\Reports\EmailsWithAttachments.csv" -NoTypeInformation- Include Additional Filters: Enhance the filter criteria to narrow down results based on date range, sender, or specific subject keywords to focus on high-priority messages.
$emailsWithAttachments = Get-MgUserMessage -UserId $UserId -Filter "hasAttachments eq true and receivedDateTime ge 2023-10-01"- Retrieve Detailed Attachment Information: Modify the script to retrieve the details of the attachments themselves, such as file names, types, and sizes for more in-depth analysis.
- Automate Monitoring: Set up the script to run at regular intervals using Task Scheduler or Azure Automation to continuously monitor for emails with attachments.
Possible Errors & Solutions
| Error | Cause | Solution |
| Insufficient privileges to complete the operation. | The account running the script does not have the required permissions. | Ensure the account has the Mail.Read permission in Azure AD and that admin consent has been granted if necessary. |
| Invalid filter clause | The filter condition might be incorrect or not properly formatted. | Double-check that the filter condition is correctly written (hasAttachments eq true) and that property names are accurately spelled. |
| No emails with attachments found | The mailbox might not have any emails with attachments that match the criteria. | Adjust the filter criteria or verify that the mailbox contains messages with attachments. |
| The term 'Get-MgUserMessage' is not recognized. | The Microsoft Graph PowerShell module might not be installed or updated. | Install or update the Microsoft Graph PowerShell module using the following command: Install-Module Microsoft.Graph |
Conclusion
Monitoring emails with attachments using Microsoft Graph PowerShell is an effective way for administrators to track and audit data exchanges in user mailboxes. By automating the process of identifying emails with attachments, you can quickly find and review potentially sensitive files or important communications.
This script lays the groundwork for a comprehensive data monitoring solution, and with a few enhancements, it can be tailored to suit your organization's specific needs. Implement this automation today to ensure that your organization’s email security and data management processes are more robust and efficient.