Using Export-MailboxDiagnosticLogs in Powershell

James Futhey

5 min read
Using Export-MailboxDiagnosticLogs in Powershell

If you're managing Exchange Server or working with Exchange Online, understanding mailbox performance and issue diagnosis is critical. Whether you're troubleshooting calendar issues, analyzing retention policies, or reviewing user mailbox activity, Microsoft provides the Export-MailboxDiagnosticLogs cmdlet in PowerShell for collecting detailed diagnostic information.

This cmdlet generates structured diagnostic reports that can be used for audits, issue analysis, or cross-checking mailbox behavior with internal retention settings, assistant activity, and more.

What is the Export-MailboxDiagnosticLogs Cmdlet?

The Export-MailboxDiagnosticLogs cmdlet allows administrators to extract diagnostic log data from a user mailbox in Exchange Server. It produces an XML output containing deep mailbox properties, events, and assistant history for further analysis.

The cmdlet is especially useful when you're dealing with troubleshooting scenarios, such as understanding retention tag application, checking Managed Folder Assistant activity, or validating if calendar items were processed correctly.

This tool helps you surface diagnostic information like:

  • Retention policy timestamps
  • Calendar item properties
  • Audit-related metadata
  • Assistant process logs
  • Errors related to mailbox processing

Note: This cmdlet is only available in on-premises Exchange Server environments, and only on servers with the Mailbox role installed. It is not available in Exchange Online.

Syntax

Export-MailboxDiagnosticLogs

[-Identity] <GeneralMailboxIdParameter>

-ComponentName <String>

[-Archive]

[-Confirm]

[-Credential <PSCredential>]

[-DomainController <Fqdn>]

[-IncludeInactiveMailboxes]

[-ReadFromDomainController]

[-ResultSize <Unlimited>]

[-WhatIf]

[<CommonParameters>]

Parameters

  • Identity - Specifies the mailbox to extract diagnostics from. Accepts alias, email address, GUID, or distinguished name.
  • ComponentName - Required. The diagnostic component to extract (e.g., CalendarItems, GeneralInfo, MailboxAssistants, etc.).
  • Archive - If included, runs diagnostics against the archive mailbox instead of the primary mailbox.
  • Confirm - Prompts for confirmation before executing the command.
  • Credential - Specifies a user account to run the command under. Useful when the current session doesn’t have needed permissions.
  • DomainController - Specifies the fully qualified domain name (FQDN) of a domain controller to read/write Active Directory data.
  • IncludeInactiveMailboxes - Allows the cmdlet to target inactive mailboxes (e.g., those placed on hold after user deletion).
  • ReadFromDomainController - Ensures that mailbox info is read directly from a domain controller instead of the Global Catalog.
  • ResultSize - Limits the number of results returned. Use Unlimited to return all matching entries.
  • WhatIf - Simulates the command to show what would happen without making changes.

Practical Uses

Investigating Calendar Issues for VIP Mailboxes

In organizations where executive or VIP users frequently experience calendar problems like missing meeting invites, incorrect meeting times, or repeated reminders, administrators often need forensic-level detail to identify the cause.

Export-MailboxDiagnosticLogs can be used to retrieve the CalendarItems component, allowing IT teams to analyze calendar metadata such as GlobalObjectID, DateLastModified, and meeting creation times. This is especially relevant when troubleshooting across different versions of Outlook, Exchange ActiveSync, or Outlook for Mac environments.

Auditing Retention Policy Failures in the Recoverable Items Folder

If retention tags or Microsoft 365 retention policies aren't applying correctly, administrators may suspect the Managed Folder Assistant has failed or not run as expected.

By exporting the ElcFolderStatus and MailboxAssistants components, admins can confirm when the last processing occurred (ElcLastSuccessTimeStamp), what folders were scanned, and whether any errors like StoragePermanentException occurred. This is critical when dealing with compliance teams, legal hold requests, or internal audit escalations.

Identifying Inactive or Unused Mailboxes for Decommissioning

In environments with large numbers of inactive mailboxes, often due to offboarding or license reallocation, IT teams need a reliable way to confirm mailbox activity before archiving or deleting data. Using Export-MailboxDiagnosticLogswith the GeneralInfo and FolderStatistics components gives visibility into the mailbox’s last known activity, folder sizes, and assistant processing history.

This helps in making defensible decisions about mailbox deactivation, archiving, or removal from Microsoft 365 Groups, TeamsChannels, or Exchange Server resources.

Prerequisites

To run Export-MailboxDiagnosticLogs, you need:

  • Exchange Server (on-premises) - The cmdlet is not available in Exchange Online.
  • Mailbox server role - The cmdlet is only available on servers with the Mailbox role installed.
  • Assigned permissions - You must be assigned the Mailbox Search or equivalent role-based access control (RBAC) role.
  • ComponentName parameter - This is mandatory; the command fails if not included.
  • Exchange Management Shell - The cmdlet must be run from the Exchange Management Shell, not standard PowerShell.

How to Use Export-MailboxDiagnosticLogs

Below are the most common and practical ways to use Export-MailboxDiagnosticLogs for troubleshooting and analysis in Exchange Server environments.

1. Diagnose mailbox store issues for a specific user

When you suspect mailbox corruption, synchronization problems, or issues with item delivery, exporting the Storecomponent diagnostic logs provides detailed insights into the mailbox database's internal operations.

Export-MailboxDiagnosticLogs -Identity "[email protected]" -ComponentName Store

These logs reveal information about item processing, storage errors, and mailbox state that can help pinpoint root causes for sync failures or data inconsistencies.

2. Investigate archive mailbox health and data integrity

For users reporting missing emails or performance issues specifically with their archive mailbox, extracting diagnostics from the archive helps isolate problems separate from the primary mailbox data.

Export-MailboxDiagnosticLogs -Identity "[email protected]" -ComponentName Store -Archive

The data returned highlights how the archive store is functioning, showing folder stats and errors related to archived content that may affect user access or retention.

3. Audit mailboxes that are inactive or soft-deleted

During compliance audits or when preparing to reclaim licenses, it’s important to examine mailboxes that have been deactivated but still retain data. Including inactive mailboxes in your diagnostic export enables you to assess these hidden mailboxes accurately.

Export-MailboxDiagnosticLogs -Identity "[email protected]" -ComponentName Store -IncludeInactiveMailboxes

This command gathers diagnostic information from mailboxes no longer active, helping to verify their status and content before deletion or archiving actions.

4. Run diagnostics with alternative credentials

In cases where your administrative account lacks the necessary permissions, or when auditing mailboxes under delegated access, running the cmdlet with explicit credentials ensures you have the required authorization.

$cred = Get-Credential

Export-MailboxDiagnosticLogs -Identity "[email protected]" -ComponentName Store -Credential $cred

Using this approach, you gain the flexibility to troubleshoot across different user scopes without needing to elevate your current session.

5. Control the volume of diagnostic output to manage system impact

When working with large mailboxes or environments where performance impact must be minimized, limiting the result size prevents the system from returning excessively large diagnostic data sets.

Export-MailboxDiagnosticLogs -Identity "[email protected]" -ComponentName Store -ResultSize 100

This parameter confines the output to 100 entries, which is often sufficient for initial diagnostics while reducing load on mailbox servers and network traffic.

6. Safely preview command effects before execution

Before running the diagnostic extraction in a production environment, you can simulate the command to verify parameters and expected behavior without making any changes.

Export-MailboxDiagnosticLogs -Identity "[email protected]" -ComponentName Store -WhatIf

This simulation provides a risk-free way to confirm that your command syntax and scope are correct, preventing unintended disruptions.

Conclusion

The Export-MailboxDiagnosticLogs cmdlet is a powerful tool for Exchange Server administrators to extract detailed mailbox diagnostics. Whether you’re troubleshooting calendar issues, auditing retention policy application, or analyzing mailbox assistant activity, this cmdlet provides granular visibility into mailbox internals.

Proper use of parameters like ComponentName, Archive, and IncludeInactiveMailboxes tailors the output for precise needs. When combined with careful permission management and awareness of mailbox state, it enables effective troubleshooting and compliance auditing across Exchange environments.

Frequently Asked Questions (FAQ)

1. Can I use Export-MailboxDiagnosticLogs in Exchange Online?

No. Export-MailboxDiagnosticLogs is only available in on-premises Exchange Server environments on servers with the Mailbox role installed. For Exchange Online, Microsoft does not provide this cmdlet. Instead, you need to use Microsoft Graph API or other compliance and audit tools specific to Microsoft 365.

2. What diagnostic components should I use to troubleshoot calendar issues?

For calendar-specific troubleshooting, use the CalendarItems component. It provides detailed metadata such as GlobalObjectID, creation times, and reminder settings that help identify problems like missing appointments or synchronization errors between Outlook clients and Exchange.

3. What permissions are required to run Export-MailboxDiagnosticLogs?

You must have the appropriate role-based access control (RBAC) permissions, typically the Mailbox Search role or equivalent, assigned to your account. Without the necessary permissions, the cmdlet will fail or return insufficient data. Running the cmdlet with the -Credential parameter allows you to specify alternate credentials if your current session lacks rights.