Entra / Microsoft 365 · Exchange Online
Get large mailbox items
Find large items in a mailbox Inbox over a size threshold within a date range using Microsoft Graph app-only authentication.
Connect & set up
Run these once per session. All scopes are read-only unless the script makes changes.
Connect-MgGraph -App $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint -NoWelcome
Run it
The main script. Copy it, or download the .ps1 and run it from your console.
param([string] $TenantId = "",[string] $AppId = "",[string] $CertThumbPrint = "",[string] $StartDate = (Get-Date $Start -ErrorAction Stop).ToString('s') + "Z,[string] $EndDate = (Get-Date $End -ErrorAction Stop).ToString('s') + "Z)[CmdletBinding()]param([Parameter(Mandatory)][string] $Mailbox,[Parameter(Mandatory)][int32] $Threshold,[Parameter(Mandatory)][string] $Start,[Parameter(Mandatory)][string] $End)# Change these values to match your app registration and your tenant!!!$CertThumbprint = "0CF6CE3F3548FD73E7AC8CF20226ED447E125C71"Connect-MgGraph -App $AppId -TenantId $TenantId -CertificateThumbprint $CertThumbprint -NoWelcomeTry {} Catch {Write-Host "$Start is not a valid date" -ForegroundColor RedBreak}Try {} Catch {Write-Host "$End is not a valid date" -ForegroundColor RedBreak}# Attempt to find account for the mailbox to check that it existsTry {$User = Get-MgUser -UserId $Mailbox -ErrorAction Stop} Catch {Write-Host "Cannot find mailbox for $Mailbox" -ForegroundColor RedBreak}# Run server-side filter to find large items in the target folder within the date rangeTry {[array]$LargeItems = Get-MgUserMailFolderMessage -UserId $User.Id -MailFolderId Inbox -All `-PageSize 500 -Property Sender,ReceivedDateTime,BodyPreview,Subject,ToRecipients `-Filter "(hasattachments eq true and receivedDateTime ge $startdate and receivedDateTime le $enddate) AND singleValueExtendedProperties/any(ep:ep/id eq 'Integer 0x0E08' and cast(ep/value, 'Edm.Int32') gt $Threshold)" -expand "singleValueExtendedProperties(`$filter=(id eq 'Integer 0x0e08'))" -ErrorAction Stop} Catch {Write-Host "Error retrieving mailbox items for $Mailbox. $_" -ForegroundColor RedBreak}If (!($LargeItems)) {Write-Host "No items larger than $Threshold bytes found in the Inbox of $Mailbox" -ForegroundColor YellowBreak}$Report = [System.Collections.Generic.List[Object]]::new()# Client-side size check$LargeItems | ForEach-Object {$Size = [int64]$_.SingleValueExtendedProperties[0].ValueIf ($Size -gt $Threshold) {$ReportLine = [PSCustomObject][Ordered]@{Subject = $_.SubjectFrom = $_.Sender.EmailAddress.AddressReceivedDateTime = $_.ReceivedDateTimeSizeMB = [math]::Round($Size / 1MB, 2)Id = $_.Id}$Report.Add($ReportLine)}}$Report = $Report | Sort-Object {$_.ReceivedDateTime -as [datetime]} -DescendingWrite-Host ""Write-Host ("{0} item(s) largher than the threshold of {1} bytes were found in {2}'s mailbox" -f $LargeItems.Count, $Threshold, $User.DisplayName) -ForegroundColor CyanWrite-Host "------------------------------------------------------------------------------------------" -ForegroundColor Cyan$Report | Select-Object Subject,From,ReceivedDateTime,SizeMB | Format-Table -AutoSize$Report | Sort-Object SizeMB -Descending | Out-GridView -Title "Large Emails in Inbox over $($Threshold / 1MB) MB"
Parameters
ParameterDefaultNotes
-TenantId""Microsoft Entra tenant ID for app-only Graph authentication.-AppId""Application (client) ID for the app registration used to connect.-CertThumbPrint""Certificate thumbprint for app-only Graph authentication.-StartDate(Get-Date $Start -ErrorAction Stop).ToString('s') + "ZStart of the reporting window.-EndDate(Get-Date $End -ErrorAction Stop).ToString('s') + "ZEnd of the reporting window.Attribution
Author
Office365itpros