Enter the Shell. On-Premise Exchange Search.

Searching On-Premise Exchange Server email using PowerShell.

Posted by bishoppebbles in January 2021

I had the chance to experiment with Exchange mailbox search and have outlined a process for it using PowerShell.  If you do this for real ensure you have the proper approvals before proceeding as generally looking through someone's email isn't an approved activity, even if you have the privileges to do so. Something in writing from your management is always a good idea.

On-premise Exchange is disappearing as more organizations migrate to the cloud.  However, the discovery process using PowerShell in the cloud is similar assuming you have the proper access.  Microsoft's PowerShell cmdlet documentation states which environments each cmdlet supports. For instance, here's what it says for the Search-Mailbox cmdlet:

This cmdlet is available in on-premises Exchange and in the cloud-based service. Some parameters and settings may be exclusive to one environment or the other.

Background

Important note: a lot of this is not original work and mostly copied from Microsoft's documentation. I'm editing and organizing it to my liking and for reference.

Microsoft Exchange Server uses management roles that are part of a Role Based Access Control (RBAC) permissions model.  Roles grant administrators and users permission to perform tasks by making cmdlets available to those who are assigned the roles.  Roles are combined to create Role Groups, which are a special kind of Universal Security Group.  Every administrator that manages Exchange must be assigned at least one role.

To use the Search-Mailbox cmdlet you need to be assigned, unsurprisingly, the MailboxSearch role which is part of the Discovery Management role group.
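Because membership in Discovery Management is what unlocks Search-Mailbox, it is worth knowing who holds it before (and after) an investigation. The following is an added example, not code from the original post: run from the Exchange Management Shell, it lists the roles the group carries and its current members, then checks one account against the list. The account name goodbb is the post's placeholder; matching on Name or Alias is my assumption about the member objects returned.

```powershell
# Added example (not from the original post): audit who can run Search-Mailbox.
# Assumes the Exchange Management Shell with rights to read RBAC configuration.
$roleGroup = "Discovery Management"

# Roles granted through the group (the mailbox search role is assigned this way).
Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
    Select-Object Name, Role, RoleAssigneeType |
    Format-Table -AutoSize

# Everyone who currently holds those roles through group membership.
$members = @(Get-RoleGroupMember -Identity $roleGroup)
$members | Select-Object Name, RecipientType | Format-Table -AutoSize

# Check a specific account (goodbb is the post's placeholder) against the member list.
# Assumption: member objects expose Name and Alias; adjust if your build differs.
$account = "goodbb"
$hit = $members | Where-Object { $_.Name -eq $account -or $_.Alias -eq $account }
if ($hit) {
    Write-Output "$account is a member of '$roleGroup' and can run Search-Mailbox."
} else {
    Write-Output "$account is NOT a member of '$roleGroup'."
}
```

Running this periodically, or at least at the start and end of an engagement, gives you a simple record that the only people able to search mailboxes are the ones who are supposed to.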

Non-PowerShell Search

With the proper Exchange roles, you can now search someone’s mailbox by granting your normal, mail-enabled user account Full Access permissions to that mailbox.  You can then mount that mailbox within Outlook.  Note that if someone has deleted email you will not find it here.  The PowerShell method potentially will find it.

WARNING: this is the same as opening that person’s mailbox!  If you Mark as Read, send, delete, etc. email, this is the same as the user performing the task.  I haven’t tested this, but if the user has the mailbox open and sees real-time changes to it, that's likely an opsec fail. The recommendation would be to wait until they have logged off for the evening.  Proceed with care, caution, and the appropriate approvals.

It’s trivial to mount another mailbox in Outlook:

-> File
  -> Account Settings
    -> Account Settings
      -> E-mail (tab)
        -> Change
          -> More Settings
            -> Add (under Mailboxes)
              -> OK
                -> Next
                  -> Finish

If you do proceed with this method, remember to clean up after yourself and unmount the mailbox in Outlook when you’re done.  Remove the full access permissions you granted yourself as well (see below).

PowerShell Search

Besides getting the required roles mentioned above, you also need local admin on the Exchange server where the mailbox of interest resides.  This usually means you have a non-mail-enabled admin account that is a member of the Exchange server's local administrators security group.  Once you have that, RDP to the Exchange server and launch the Exchange Management Shell.  This is PowerShell but includes Exchange-specific cmdlets, functions, etc.  Also note that if you have only just added yourself to the Exchange Administrators group, this will probably take a bit to replicate and/or may require that you log out and back in.

Before granting yourself Full Access permissions I like to see a baseline of what permissions are currently assigned to a user’s mailbox.  For example purposes, I’ll use a fictitious user named Eve R. Evil with a user account name of eviler.

Get-MailboxPermission eviler

Note that you can run this command without any new Exchange roles.  Depending on your Active Directory Forest structure you'll potentially see results from several of your organization's domains, NT AUTHORITY, and orphaned or unresolvable SIDs starting with S-1-5-21*.  Focus on the results from your org's mail-enabled regional or organizational domains.

Your privileged admin account should not be mail enabled, which is a good thing.  Your normal user account should be mail enabled, which is all that’s needed.  Using the privileged rights of your admin account, you’ll need to assign Full Access permissions to your normal user account, not your admin account.  In this example I will use an account called Bob B. Good with a user account name of goodbb as my normal email-enabled user account.

Add-MailboxPermission -Identity eviler `
                      -User goodbb `
                      -AccessRights FullAccess

The search functionality is designed to return results to a different mailbox than the one you are searching.  You can’t return search results of a mailbox to itself.

Search-Mailbox -Identity eviler `
               -SearchQuery "<search_criteria>" `
               -TargetMailbox goodbb `
               -TargetFolder "Discovery" `
               -LogLevel Full

After you run the search command it will return the results of interest to a folder of your choosing within your mailbox (meaning it shows up in Outlook).  Optionally, it includes some logging and summary information.  When running Search-Mailbox you specify the mailbox to search, the search query, the destination mailbox the search results are sent to, the name of the folder to save the results in, and several other options which I’ll explain (and which are also included in the cmdlet documentation).  One thing that is powerful about this method is its ability to search a category called Recoverable Items.  This includes deleted emails.  It won’t necessarily recover all deleted items, as this depends on your Exchange retention policy and how long ago the item was deleted.

If you’re reviewing search results within Outlook it may only return a subset of all the results.  If that’s the case you’ll see an option that says:

There are more items in this folder on the server.  Click here to view more on Microsoft Exchange.

Clicking that will populate the rest of the results in that folder from the Exchange server.  If logging is used it will show the complete listing of all emails but only includes metadata like the sender, subject, date sent, and several other fields.

Remember to clean up after yourself and remove the Full Access permissions.  Confirm you want to do so when prompted ([Y] Yes).

Remove-MailboxPermission -Identity eviler `
                         -User goodbb `
                         -AccessRights FullAccess

You may see this warning (similar to what happens when you remove your permissions from a folder and its sub-folders):

WARNING: Can't remove the access control entry on the object "CN=xxx,OU=yyy,OU=zzz,DC=aaa,bbb,DC=ccc" for account "Domain\GoodBB" because the ACE doesn't exist on the object.

To ensure you have successfully removed the permissions, double check.

Get-MailboxPermission eviler
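The steps above, as one script for the Exchange Management Shell. This is an added example, not code from the original post: eviler and goodbb are the post's placeholders, and the search query, folder name and the filtering of the baseline output are my own constructions. The try/finally ensures the Full Access grant is removed and re-checked even if the search itself fails, which is the step that is easiest to forget.

```powershell
# Added example (not from the original post): baseline, grant, search, clean up, verify.
# Assumes the Exchange Management Shell on the server holding the target mailbox,
# an admin account with the Discovery Management roles, and a separate mail-enabled
# reviewer account. eviler / goodbb are the post's placeholder accounts.
$target   = "eviler"     # mailbox under review
$reviewer = "goodbb"     # your normal, mail-enabled account (not the admin account)
$folder   = "Discovery-" + (Get-Date -Format "yyyyMMdd")   # one folder per search, easy to clean up later

# 1. Baseline: record who already holds explicit rights on the mailbox before you touch it.
#    NT AUTHORITY entries and unresolvable SIDs (S-1-5-21*) are noise for this purpose.
$before = Get-MailboxPermission -Identity $target |
    Where-Object { -not $_.IsInherited -and
                   "$($_.User)" -notlike "NT AUTHORITY\*" -and
                   "$($_.User)" -notlike "S-1-5-21*" }
$before | Select-Object User, AccessRights | Format-Table -AutoSize

# 2. Grant Full Access to the reviewer account only.
Add-MailboxPermission -Identity $target -User $reviewer -AccessRights FullAccess -Confirm:$false

try {
    # 3. Run the search. Matches are copied to $folder in the reviewer's mailbox; -LogLevel Full
    #    also produces a summary message and a CSV listing every matched item.
    $query  = 'from:"partner@example.com" AND subject:"invoice"'   # constructed example query
    $result = Search-Mailbox -Identity $target `
                             -SearchQuery $query `
                             -TargetMailbox $reviewer `
                             -TargetFolder $folder `
                             -LogLevel Full `
                             -Confirm:$false
    "{0} item(s) copied to {1}, total size {2}" -f $result.ResultItemsCount, $folder, $result.ResultItemsSize
}
finally {
    # 4. Always remove the grant, even if the search threw an error.
    Remove-MailboxPermission -Identity $target -User $reviewer -AccessRights FullAccess -Confirm:$false

    # 5. Verify: the reviewer must no longer appear as an explicit ACE on the mailbox.
    $leftover = Get-MailboxPermission -Identity $target |
        Where-Object { -not $_.IsInherited -and "$($_.User)" -like "*$reviewer*" }
    if ($leftover) {
        Write-Warning "Full Access for $reviewer is still present on $target; remove it manually."
    } else {
        Write-Output "Cleanup verified: $reviewer has no explicit rights on $target."
    }
}
```

Keeping the baseline output from step 1 alongside the search log gives you a before/after record of the mailbox ACL, which is what you will want if anyone later asks exactly what was changed and when.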

Search-Mailbox Options

Taken from the Microsoft documentation here.

  • The -SearchQuery option allows for specific search capabilities and can provide a lot of granular control over your desired search results.  The Microsoft documentation has specific options with examples.
  • The search can also generate a log with your search results using the -LogLevel option and specifying the desired level.  Alternatively, you can have your search generate only the log using the -LogOnly option.  With this, any messages returned by the search will not be copied to the target mailbox.
  • By default, the search will not include items that were not indexed by Exchange Search.  If you want to search these as well, set -IncludeUnsearchableItems:$true.
  • The archive mailbox will be searched unless you use the -DoNotIncludeArchive option to disable it.
  • The -SearchDumpster option controls whether you search the Recoverable Items folder.  This is the storage location where items deleted from the Deleted Items folder or hard-deleted items are stored until they're purged from the mailbox database.  It is searched by default; you can disable it by setting -SearchDumpster:$false.  If you only want to search the Recoverable Items folder, use the -SearchDumpsterOnly option instead.
  • The -DeleteContent option can permanently delete messages from the source mailbox that are returned by the search. When used with the -TargetMailbox parameter, messages are copied to the target mailbox before removing them. I'd tread carefully using this option and ensure you know what you're doing before proceeding.
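Two lower-impact ways to combine the options above, as an added example that is not code from the original post. Variant A uses -LogOnly to scope a review without copying any mail; Variant B restricts the search to Recoverable Items, the place deleted mail lives until retention purges it. The placeholders eviler and goodbb are the post's; the query and folder names are constructed, and -DeleteContent is deliberately not used.

```powershell
# Added example (not from the original post): log-only scoping pass, then a
# Recoverable Items-only pass. Assumes the Exchange Management Shell and that
# goodbb already holds Full Access on eviler (see the grant step earlier in the post).
$target   = "eviler"
$reviewer = "goodbb"
$query    = 'subject:"wire transfer"'     # constructed example query

# Variant A: log only. Nothing is copied into the reviewer's mailbox; the summary
# message and its CSV (sender, subject, dates, ...) tell you how large the review will be.
$est = Search-Mailbox -Identity $target `
                      -SearchQuery $query `
                      -TargetMailbox $reviewer `
                      -TargetFolder "Discovery-LogOnly" `
                      -LogOnly `
                      -LogLevel Full `
                      -Confirm:$false
"Log-only pass matched {0} item(s) ({1})" -f $est.ResultItemsCount, $est.ResultItemsSize

# Variant B: only the Recoverable Items folder (deleted and hard-deleted mail still within
# retention), including items Exchange Search never indexed. The archive is excluded so the
# result set stays bounded to the primary mailbox's dumpster.
$recovered = Search-Mailbox -Identity $target `
                            -SearchQuery $query `
                            -TargetMailbox $reviewer `
                            -TargetFolder "Discovery-RecoverableItems" `
                            -SearchDumpsterOnly `
                            -IncludeUnsearchableItems `
                            -DoNotIncludeArchive `
                            -LogLevel Full `
                            -Confirm:$false
"Recoverable Items pass copied {0} item(s) to Discovery-RecoverableItems" -f $recovered.ResultItemsCount
```

Running the log-only pass first is a cheap way to catch an overly broad query before it fills your mailbox with thousands of copied messages; the count it reports is the same one the full search would produce.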