Items sent to external and internal recipients cannot be found with "NOT recipients" by eDiscovery in Exchange 2013

Taikoma: Exchange Server 2013 EnterpriseExchange Server 2013 Standard Edition


Assume that you create an In-Place eDiscovery search in Exchange Admin Center (EAC) to return items that are sent to external recipients by specifying the NOT recipients:"internalDomain" criteria in the search. In this situation, the search syntax returns items that are sent to only external recipients, but excludes items that have internal and external recipients.


This issue occurs because eDiscovery uses Keyword Query Language (KQL) that uses the Boolean logic. Therefore, the NOT recipients:"internalDomain" excludes all items that contain an internal recipient, even the items that also have an external recipient.

Note The current design does not provide a more refined functionality through the EAC.


To work around this issue, you can use one of the following methods.

Method 1: Use EWSEditor

A free-ware EWSEditor application is available to work around this issue. There is an eDiscovery window which can be used to search for items.

Note You have to set up the account being used to have the Audit RBAC role to do these searches.

Method 2: Use a different API

Use a different API that does not rely on KQL. You have to build a custom solution by using other programs, such as Exchange Web Services (EWS). The solution can retrieve some parts of the data (a bigger dataset). The solution can further process the received result by using external logic to arrive at the desired set of messages that match the NOT recipients:"internalDomain" criteria as you would interpret it.
Also, for identification of such messages going forward, a better solution would be to use a transport rule that could send copies of such items (internal and external recipients) to an auditing mailbox.

The following is a sample code to work around this issue by using EWS Managed API.

Note In this code sample, replace,, with your internal domain name. This placeholder appears in three locations in the code. 

Method 3: Preventive monitoring

For identification of items that have internal and external recipients, create a transport rule that can send copies of such items to an auditing mailbox.


Microsoft has confirmed that this is by design.

More Information

For more information about In-Place eDiscovery, go to the following Microsoft website:For more information about KQL, go to the following Microsoft website: