I am attempting to do a content search through Exchange on O365 to return mail between [email protected] and anyone at outsidedomain.com
I thought that this should work in the KQL:
(ParticipantDomains:outsidedomain.com) AND ((Sender:[email protected]) OR (Recipients:[email protected]))
However, this seems to include all mail to/from [email protected]
- No matter who it is sent from/to
- Also if [email protected] is in a group to whom it was sent.
What do I need to put, to only find direct email conversations between [email protected] and anyone at outsidedomain.com?
Thanks
Another suggested answer, from outside this site, was the following:
This appears to result in the data I was looking for.
To the best of my knowledge, it's not feasible to exclude this kind of mail from the results. A thought is to export the search result report file (.csv) and open it in Excel to filter out mail sent to groups.
Although "participantdomains" looks like the most suitable property for your requirement, I cannot find any introduction about it in this official document. Also, based on my test, I can reproduce that all mail would be included in the result when using "ParticipantDomains:outsidedomain.com".
Given this situation, I'd suggest using Participants:"outsidedomain.com" instead. You can choose to search within [email protected]'s Exchange mailbox only so that no other conditions need to be included in the query.
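
The CSV filtering step suggested above, as an added example that is not part of the original answer: it keeps only rows where the user wrote to the external domain, or the external domain wrote to the user by name, and drops mail that reached the user through a group address. The column names (Subject, Sender, To, Cc), the semicolon separator and the address user@example.com are assumptions; map them to the headers of the actual export.

```python
import csv
import io

USER = "user@example.com"      # placeholder for the mailbox owner (constructed)
DOMAIN = "outsidedomain.com"   # external domain from the question

# Constructed sample of an exported report; column names are assumptions.
SAMPLE_CSV = """Subject,Sender,To,Cc
Quote request,user@example.com,alice@outsidedomain.com,
Re: Quote request,alice@outsidedomain.com,user@example.com,
Newsletter,bob@outsidedomain.com,all-staff@example.com,
Internal note,user@example.com,carol@example.com,
Invoice,dave@outsidedomain.com,billing@example.com,user@example.com
Lunch,carol@example.com,user@example.com,eve@outsidedomain.com
"""

def addresses(field):
    """Split a semicolon-separated address field into lower-cased addresses."""
    return {a.strip().lower() for a in field.split(";") if a.strip()}

def in_domain(addr, domain):
    """Exact domain match, so notoutsidedomain.com does not slip through."""
    return addr.rpartition("@")[2] == domain.lower()

def is_direct(row, user=USER, domain=DOMAIN):
    """True if user wrote to the domain, or the domain wrote to user by name."""
    sender = row["Sender"].strip().lower()
    rcpts = addresses(row["To"]) | addresses(row["Cc"])
    if sender == user.lower():
        return any(in_domain(r, domain) for r in rcpts)
    # Mail delivered through a group lists the group address, not the user.
    return in_domain(sender, domain) and user.lower() in rcpts

def direct_conversations(csv_text, user=USER, domain=DOMAIN):
    """Return the subjects of rows that are direct user <-> domain mail."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["Subject"] for row in reader if is_direct(row, user, domain)]

if __name__ == "__main__":
    for subject in direct_conversations(SAMPLE_CSV):
        print(subject)
```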