This chapter covers Exchange journaling and mail export in Microsoft 365, two critical features for compliance, eDiscovery, and regulatory retention. For the MS-102 exam, approximately 10-15% of questions in the Tenant Management domain touch on journaling, mail export, or related compliance features. Mastering the differences between journaling, litigation hold, and retention policies, as well as the exact configuration steps and limitations, will help you avoid the common traps the exam sets. You will learn the internal transport pipeline mechanics, how to configure journal rules using the Exchange admin center and PowerShell, and how to export mailbox content using eDiscovery and content search.
Imagine a large company with 10,000 employees and a central mailroom that handles all incoming and outgoing postal mail. The company is legally required to keep a copy of every piece of mail that any employee sends or receives for compliance purposes. The mailroom has a dedicated recording clerk who sits at a special desk. When any outgoing mail is dropped off, the clerk makes an exact photocopy of the envelope and contents before handing it to the postal carrier. For incoming mail, the clerk intercepts every delivery, photocopies it, and then routes the original to the employee. The clerk maintains a secure filing cabinet with all copies, organized by date and employee. The company cannot tamper with these copies; they are sealed and timestamped. If an employee tries to send a letter privately via a side door, the compliance team will flag it because the recording clerk never saw it. This is exactly how Exchange journaling works: the journaling agent sits in the transport pipeline, copies every message that matches a journal rule (like the recording clerk), and delivers the copy to a special journal mailbox (the filing cabinet). The original message continues unaffected. The journaling agent cannot be bypassed by users, and the journal report is tamper-proof. If a user sends a message directly via SMTP from a client that bypasses the Hub Transport server, that message escapes journaling—just as an employee mailing a letter from home bypasses the company mailroom.
What is Exchange Journaling?
Exchange journaling is a compliance feature that records all email communications in an organization by copying messages that match defined journal rules. The copied messages are delivered to a dedicated journal mailbox for archival and eDiscovery purposes. Unlike retention policies that manage message lifecycle, journaling is a recording mechanism that captures a snapshot of every message at the time it is processed by the Exchange transport pipeline.
Why Journaling Exists
Organizations in regulated industries (finance, healthcare, legal) must retain copies of all electronic communications for a specified period. Journaling provides a tamper-proof record that satisfies legal and regulatory requirements such as SEC Rule 17a-4, FINRA, HIPAA, and Sarbanes-Oxley. The exam expects you to know that journaling is configured per organization or per user/group, and that it captures both internal and external messages.
How Journaling Works Internally
Journaling operates at the transport level in Exchange Online. When a message enters the transport pipeline, the categorizer applies journal rules before the message is routed. The journaling agent intercepts the message, creates a journal report (a special message type) that contains the original message as an attachment, and sends the journal report to the configured journal mailbox. The original message continues unaffected. The journal report includes metadata such as sender, recipients, subject, and message ID. The journal report is signed with a digital signature to ensure integrity.
Key Components
Journal Rule: Defines which messages to journal. Can be scoped to all messages, messages sent to or from a specific user/group, or messages with a specific recipient domain.
Journal Mailbox: A dedicated mailbox that receives all journal reports. Must be a separate mailbox, not a user's primary mailbox. In Exchange Online, the journal mailbox must be a Microsoft 365 mailbox or an on-premises mailbox if you have a hybrid deployment.
Journal Report: The message containing the original email as an attachment. The attachment is in .eml format. The journal report itself is not subject to journaling (to avoid loops).
Defaults and Limitations
Maximum of 10 journal rules per organization in Exchange Online (this is a hard limit).
Journal reports are generated for messages up to 150 MB in size. Larger messages are truncated or not journaled; the journal report will indicate truncation.
The journal mailbox should have a large storage quota; if it becomes full, journal reports will be undeliverable and queued for up to 2 days, then messages are lost.
Journal reports are delivered with a delay of up to 5 minutes under normal conditions.
Configuration Commands
To create a journal rule via Exchange Online PowerShell:
New-JournalRule -Name "All Email Journaling" -JournalEmailAddress journal@contoso.com -Scope Global -Enabled $true
To view existing rules:
Get-JournalRule | Format-List Name, JournalEmailAddress, Scope, Enabled
To modify scope to a specific recipient:
Set-JournalRule -Identity "All Email Journaling" -Recipient user@contoso.com
To delete a rule:
Remove-JournalRule -Identity "All Email Journaling"
Journaling vs. Retention Policies
Journaling captures a copy of every message at the time of sending/receiving. The copy is stored in a journal mailbox. The original message is still subject to retention policies.
Retention Policies (via Microsoft 365 compliance center) manage message lifecycle—delete or retain after a period. They do not create a separate copy; they act on the original message.
Litigation Hold preserves all mailbox content (including deleted items) for eDiscovery. It does not copy messages to a separate mailbox.
The exam often tests the distinction: journaling is for recording, retention is for lifecycle management, litigation hold is for preservation.
Mail Export via eDiscovery and Content Search
Mail export in Microsoft 365 is primarily done through Content Search in the Microsoft 365 compliance center. You can search for emails based on criteria (sender, date, keywords) and export the results to a PST file or as individual messages. The export process involves: 1. Creating a Content Search. 2. Previewing results. 3. Exporting results to a PST or individual messages. 4. Downloading the export using the Microsoft 365 compliance center or via PowerShell.
Key limitations:
Maximum of 2 exports per search per day.
Export size limit: 1 TB per export (if larger, split into multiple exports).
PST files are limited to 10 GB each; larger exports are split into multiple PSTs.
Export speed: approximately 1-2 GB per hour per export.
You can export from a single mailbox or all mailboxes.
PowerShell for Content Search
New-ComplianceSearch -Name "Q1 Audit" -ExchangeLocation all -ContentMatchQuery 'received>=01/01/2023 AND received<=03/31/2023'
Start-ComplianceSearch -Identity "Q1 Audit"
New-ComplianceSearchAction -SearchName "Q1 Audit" -Export -Format FxStream
Get-ComplianceSearchAction -Identity "Q1 Audit_Export"
The export generates a shared access signature (SAS) URL to download the results.
Interaction with Related Technologies
Azure Information Protection: Journal reports may contain encrypted or rights-protected messages. Journaling copies the message as-is; the journal mailbox needs decryption rights to read the content.
Microsoft Purview Compliance Portal: Journal rules are managed in the Exchange admin center, but exports and eDiscovery are in the compliance portal. The exam expects you to know the correct admin center for each task.
Hybrid Deployments: In hybrid scenarios, journaling can be configured on-premises to copy messages to Exchange Online, or vice versa. The journal mailbox can be on-premises or in the cloud, but the rule must be created in the environment where the mailbox resides.
Common Exam Traps
Journaling vs. Retention Policy: Candidates often think journaling deletes original messages—it does not. Journaling copies, retention policies delete or retain.
Journal Mailbox Requirements: The journal mailbox must not be a user's primary mailbox; it should be a dedicated shared mailbox. Using a user mailbox can cause unintended consequences like the user seeing all journal reports.
Scope Confusion: 'Global' scope journals all messages; 'Internal' only internal; 'External' only external. The exam may ask which scope to use for compliance with external communications.
Limit of 10 Rules: Many candidates assume there is no limit or a higher limit. The hard limit is 10.
Journal Report Size: If a message exceeds 150 MB, it is not journaled; the report indicates truncation. Candidates may think the entire message is journaled.
Verification and Monitoring
Use Get-JournalRule to verify rules are enabled.
Use Get-MessageTrackingLog (if on-premises) or Get-MessageTrace in Exchange Online to see if journal reports were generated.
Check the journal mailbox for delivery failures.
Set up alerts for journal mailbox size and rule changes.
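One way to turn the checks above into a repeatable audit, as an added example that is not part of the original chapter. The function names are hypothetical, the sample objects are constructed to mimic cmdlet output, and the script assumes each mailbox object carries a TotalItemSize value copied from Get-MailboxStatistics.

```powershell
# Added example, not from the original chapter. Function names are hypothetical;
# the limits checked (10 rules, shared mailbox, 90% alert) are the chapter's.
function ConvertTo-ByteCount {
    # Exchange Online renders sizes as text, e.g. "50 GB (53,687,091,200 bytes)".
    param([string]$SizeText)
    if ($SizeText -match '\(([\d,]+) bytes\)') { return [long]($Matches[1] -replace ',', '') }
    throw "Unrecognized size format: '$SizeText'"
}

function Test-JournalConfig {
    param(
        [object[]]$Rules = @(),      # shaped like Get-JournalRule output
        [object[]]$Mailboxes = @(),  # Get-Mailbox output with TotalItemSize added
                                     # from Get-MailboxStatistics (assumed merge)
        [int]$MaxRules = 10,
        [double]$AlertRatio = 0.9
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Rules.Count -ge $MaxRules) {
        $findings.Add("Rule count $($Rules.Count) has reached the limit of $MaxRules")
    }
    foreach ($rule in $Rules) {
        $name = $rule.Name
        if (-not $rule.Enabled) { $findings.Add("'$name' is disabled"); continue }
        $mbx = $Mailboxes | Where-Object PrimarySmtpAddress -eq $rule.JournalEmailAddress |
            Select-Object -First 1
        if (-not $mbx) {
            # A missing mailbox means reports queue and are eventually lost.
            $findings.Add("'$name': journal mailbox $($rule.JournalEmailAddress) not found")
            continue
        }
        if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
            $findings.Add("'$name': journal mailbox type is $($mbx.RecipientTypeDetails)")
        }
        if ($mbx.ProhibitSendReceiveQuota -notmatch 'bytes') { continue }  # e.g. Unlimited
        $ratio = (ConvertTo-ByteCount $mbx.TotalItemSize) /
                 (ConvertTo-ByteCount $mbx.ProhibitSendReceiveQuota)
        if ($ratio -ge $AlertRatio) {
            $findings.Add("'$name': journal mailbox is $([math]::Round(100 * $ratio))% full")
        }
    }
    return $findings
}

# Constructed sample data shaped like the cmdlet output; not from a real tenant.
$rules = @(
    [pscustomobject]@{ Name = 'External journaling'; JournalEmailAddress = 'journal@contoso.com';  Enabled = $true }
    [pscustomobject]@{ Name = 'Partner journaling';  JournalEmailAddress = 'partners@contoso.com'; Enabled = $true }
    [pscustomobject]@{ Name = 'Old rule';            JournalEmailAddress = 'retired@contoso.com';  Enabled = $false }
)
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'journal@contoso.com'; RecipientTypeDetails = 'SharedMailbox'
                       ProhibitSendReceiveQuota = '50 GB (53,687,091,200 bytes)'
                       TotalItemSize = '47.5 GB (51,002,736,640 bytes)' }
    [pscustomobject]@{ PrimarySmtpAddress = 'partners@contoso.com'; RecipientTypeDetails = 'UserMailbox'
                       ProhibitSendReceiveQuota = '50 GB (53,687,091,200 bytes)'
                       TotalItemSize = '2 GB (2,147,483,648 bytes)' }
)
Test-JournalConfig -Rules $rules -Mailboxes $mailboxes
```

Against a live tenant, pass the output of Get-JournalRule as -Rules and build -Mailboxes from Get-Mailbox for each journal address.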
Create a Journal Rule
In the Exchange admin center (EAC), navigate to Mail flow > Journal rules. Click '+'. Enter a rule name. Specify the journal mailbox (e.g., journal@contoso.com). Choose the scope: 'All messages' (Global), 'Internal messages only', or 'External messages only'. Optionally, specify a recipient to journal only messages to/from that user. Click Save. The rule is enabled by default. In PowerShell, use New-JournalRule with the -Scope parameter. The rule is applied immediately to new messages; existing messages are not retroactively journaled.
Configure the Journal Mailbox
The journal mailbox must exist before creating the rule. Create a shared mailbox via EAC or PowerShell: New-Mailbox -Shared -Name JournalMailbox -DisplayName 'Journal Mailbox' -PrimarySmtpAddress journal@contoso.com. Ensure the mailbox has sufficient storage (at least 50 GB recommended). The mailbox should not have any journal rules applied to it (to avoid loops). In the compliance center, you can set a retention policy to delete old journal reports after a period. The journal mailbox must not be a user mailbox; otherwise, the user will receive all journal reports, which is a security risk.
Verify Journal Rule is Working
After creating the rule, send a test email from one user to another. Wait a few minutes. Check the journal mailbox for a new journal report. The report should contain the original email as an attachment (.eml). Use Get-MessageTrace in Exchange Online PowerShell: Get-MessageTrace -Recipient journal@contoso.com -StartDate (Get-Date).AddDays(-1). You should see messages with MessageSize less than 150 MB. If the journal mailbox is full, you will see event ID 1036 in the transport logs indicating delivery failure.
Export Mailbox Content via Content Search
In the Microsoft 365 compliance center (compliance.microsoft.com), go to Content search. Click 'New search'. Name the search. Choose locations (e.g., all mailboxes or specific users). Define search criteria (keywords, date range, sender). Submit the search. After completion, preview results. Click 'Export results'. Choose format: 'PST files' or 'Individual messages'. Set output options (e.g., include unsearchable items). Submit the export. Download the export using the provided SAS URL. The export is available for 30 days.
Download Export Using PowerShell
After creating the export action, get the export details: Get-ComplianceSearchAction -Identity 'SearchName_Export'. The output includes a SAS URL. Use Invoke-WebRequest to download the export package. Example: $sasUrl = (Get-ComplianceSearchAction -Identity 'MySearch_Export').Results; Invoke-WebRequest -Uri $sasUrl -OutFile 'export.zip'. Extract the zip to get PST files. Each PST is up to 10 GB. If the export is large, multiple PSTs are created. The download can resume if interrupted.
In a global financial services firm with 20,000 users, regulatory compliance requires journaling all external email communications. The compliance team creates a journal rule with scope 'External messages only' and a dedicated journal mailbox with 200 GB storage. They also set up a retention policy on the journal mailbox to delete reports older than 7 years. The journal mailbox is monitored for size; alerts are configured when it exceeds 90% capacity. A common issue is that the journal mailbox fills up quickly because internal messages are also being journaled if the scope is set to 'Global'. The team learns to use 'External' scope to reduce volume.
Another scenario: a law firm needs to journal all emails from senior partners. They create a journal rule with scope 'Global' and specify the recipient as a distribution group containing the partners. However, they discover that messages sent by the partners to internal recipients are journaled twice if another global rule exists. The solution is to use a single rule with specific recipients.
Performance considerations: journaling adds minimal latency (milliseconds) to message delivery. The journal mailbox should be on a separate database to avoid I/O contention. In production, the journal mailbox is often placed in a separate geo-location for disaster recovery.
Misconfiguration: if the journal mailbox is deleted, journal reports are queued for 2 days and then lost. The compliance team must ensure the mailbox is never removed without disabling the rule first. Another misconfiguration: setting the journal mailbox as a user mailbox causes the user to see all journal reports, potentially exposing confidential communications. The exam emphasizes that the journal mailbox must be a dedicated shared mailbox.
In hybrid deployments, journaling can be configured on-premises to send copies to Exchange Online, but the journal mailbox must be in the cloud. This requires a connector from on-premises to Exchange Online. The team must ensure the connector is authenticated and encrypted.
The MS-102 exam tests Exchange journaling and mail export under objective 1.4: 'Manage tenant compliance and security'. Specifically, you should know:
- Journal Rule Limits: Maximum 10 journal rules per organization. This is a direct question: 'How many journal rules can you create?' The answer is 10.
- Journal Mailbox Requirements: Must be a dedicated shared mailbox, not a user mailbox. The exam will present a scenario where a user mailbox is used as the journal mailbox—this is incorrect.
- Scope Options: 'Global', 'Internal', 'External'. Know which scope journals all messages (Global) and which journals only messages between internal users (Internal).
- Journal Report Content: The original message is attached as an .eml file. The journal report includes metadata. The exam may ask what format the attachment is in.
- Message Size Limit: Messages over 150 MB are not journaled; the report indicates truncation. Candidates often think the limit is 10 MB or 25 MB.
- Export Limits: Maximum 2 exports per search per day. Export size limit 1 TB. PST files limited to 10 GB each. The exam may ask how many PSTs will be created for a 25 GB export (answer: 3).
- Common Wrong Answers:
1. 'Journaling deletes the original message after copying.' Reality: Journaling copies, does not delete.
2. 'You can create unlimited journal rules.' Reality: 10 maximum.
3. 'The journal mailbox can be any mailbox.' Reality: Must be a dedicated shared mailbox.
4. 'Journaling can be configured in the Microsoft 365 compliance center.' Reality: Journal rules are in Exchange admin center; only eDiscovery and exports are in compliance center.
- Edge Cases:
If a journal rule is disabled, it stops journaling new messages, but existing queued reports may still be delivered.
Journaling does not apply to messages sent via Teams chat or external connectors unless they go through Exchange transport.
In hybrid, journal rules created on-premises do not affect Exchange Online mailboxes unless a connector is configured.
Eliminating Wrong Answers: Use the underlying mechanism. If a question asks about preserving a copy for legal reasons, look for 'journaling' vs 'retention policy' vs 'litigation hold'. Journaling creates a separate copy; retention policy does not. Litigation hold preserves existing data but does not copy. If the question mentions 'export to PST', the answer is Content Search export, not journaling.
Journaling creates a separate copy of every message that matches a journal rule and sends it to a dedicated journal mailbox.
Maximum 10 journal rules per Exchange Online organization.
The journal mailbox must be a dedicated shared mailbox, not a user mailbox.
Journal rules have three scopes: Global (all messages), Internal (internal senders/recipients), External (external senders/recipients).
Journal reports contain the original message as an .eml attachment and are digitally signed.
Messages over 150 MB are not journaled; the report indicates truncation.
Content Search export is limited to 2 exports per search per day, 1 TB per export, and PST files are split at 10 GB each.
Journaling does not capture Teams chats or messages that bypass the Exchange transport pipeline.
Journaling is configured in Exchange admin center; retention policies and eDiscovery exports are in Microsoft 365 compliance center.
Journal reports are queued for up to 2 days if the journal mailbox is unavailable; then they are dropped.
These come up on the exam all the time. Here's how to tell them apart.
Journaling
Creates a copy of each message in a journal mailbox.
Operates at transport time; captures messages as they are sent/received.
Does not delete the original message.
Managed in Exchange admin center (mail flow rules).
Maximum 10 rules per organization.
Retention Policies
Tags the original message for deletion or retention after a period.
Operates on existing mailbox content; does not capture in real-time.
Can delete or preserve the original message.
Managed in Microsoft 365 compliance center (data lifecycle management).
Can create many policies (no hard limit, but practical limits apply).
Mistake
Journaling and retention policies are the same thing.
Correct
Journaling creates a separate copy of each message in a journal mailbox for recording. Retention policies manage the lifecycle of the original message (delete or retain after a period). They serve different purposes: journaling for archival/compliance, retention for data governance.
Mistake
You can use any mailbox as the journal mailbox, including a user's primary mailbox.
Correct
The journal mailbox must be a dedicated shared mailbox. Using a user mailbox exposes all journal reports to that user, which is a security and privacy violation. The exam expects you to choose a dedicated shared mailbox.
Mistake
Journaling captures all messages including those sent via Teams or external services.
Correct
Journaling only captures messages that pass through the Exchange transport pipeline. Teams chat messages, external SMTP relays, and direct SMTP submissions may bypass journaling unless they are routed through Exchange.
Mistake
If a journal report is not delivered, the original message is held until delivery succeeds.
Correct
The original message is delivered immediately; only the journal report is queued. If the journal mailbox is full, journal reports are queued for up to 2 days, then dropped. The original message is unaffected.
Mistake
You can create more than 10 journal rules if you use PowerShell.
Correct
The limit of 10 journal rules is enforced regardless of the method used (EAC or PowerShell). Attempting to create an 11th rule will result in an error.
Journaling copies messages to a separate mailbox at the time of transport. Litigation hold preserves all mailbox content (including deleted items) in place for eDiscovery. Journaling is proactive recording; litigation hold is reactive preservation. Both are compliance features, but journaling creates a separate copy, while litigation hold does not.
No. The journal mailbox must be an individual mailbox, preferably a shared mailbox. Distribution groups cannot receive journal reports because they are not mailboxes. The journal mailbox must have a primary SMTP address and be able to receive mail.
Use Content Search in the Microsoft 365 compliance center. Create a search with the user's mailbox as the location. Use no keywords to include all emails. After the search completes, export the results as PST files. You can also use PowerShell with New-ComplianceSearch and New-ComplianceSearchAction -Export.
Journal reports are queued in the transport pipeline for up to 2 days. If the mailbox remains full after 2 days, the reports are dropped and lost. The original messages are still delivered. To prevent this, monitor the journal mailbox size and set a retention policy to delete old reports.
Yes. Set the journal rule scope to 'External messages only'. This journals only messages where the sender or all recipients are external to the organization. Internal messages are not journaled.
You can create a maximum of 10 journal rules in Exchange Online. This is a hard limit enforced by the service. Attempting to create more will result in an error.
Messages up to 150 MB are journaled in full. Messages larger than 150 MB are not journaled; the journal report will indicate that the message was truncated or not included. There is no way to increase this limit.