Finding more details on the client (and app) that sent a particular email in the Sent Items folder using the Microsoft Graph
Administrators or developers often face the question of identifying the email sending method for emails in a specific mailbox (X). The approach and level of detail required to answer this depend on the requester and their purpose, potentially leading to follow-up questions. For instance, if a high-level statistical overview of client usage for a mailbox is needed, then the admin activity report from the Microsoft 365 portal, or the Microsoft Graph equivalent of this report, can be used:
https://learn.microsoft.com/en-us/microsoft-365/admin/activity-reports/email-apps-usage-ww?view=o365-worldwide
In the PowerShell Graph SDK the equivalent looks something like this:
Import-Module Microsoft.Graph.Reports
Get-MgReportEmailAppUsageAppUserCount -Period $periodId
This report provides a basic overview of client usage but lacks detailed information about specific clients and their context. To investigate further, you could examine audit logs (Microsoft Purview or Microsoft Defender), particularly for send events, or review Mail flow reports to identify relevant email activity. If these options don't yield the necessary insights, consider this alternative.
Leveraging Sent Items Folder Item Properties: When an email is successfully sent and saved to the sender's "Sent Items" folder (which is optional), the Exchange Server writes additional properties to that copy. One of these properties includes the userAgent or clientInfo, which directly identifies the sending client. For example, this is what MFCMAPI shows for a message in the Sent Items folder where this property has been set:
In this example it was a message that was sent from EWSEditor. Another example:
This one came from New Outlook, identifiable by the OneOutlook moniker, which you don’t get in Outlook on the Web. Client=OWA is interesting here but looks more like a software misnomer in the way the server sees New Outlook. The more interesting examples, however, are applications that might be using a mailbox to send, where you see something like:
The example above shows a web browser application utilizing Microsoft Graph to send an email. It includes the application's AppId, which can be used with Microsoft Graph to identify the corresponding Service Principal or Enterprise Application. For example:
Get-MgServicePrincipal -Filter "AppId eq 'de8bc8b5-d9f9-48b1-a8ad-b748da725064'" | select DisplayName
In practice
So I can see from the above that the email was sent using the Graph Explorer. Another interesting one I’ve used before in scripts is the originating IP address property, e.g. in this example it was
but for other examples where I was sending using a local client it will reflect my local IP address, or if I’ve used a VPN etc.
Putting this together in a script that will scan the Sent Items folder of a mailbox and then do a grouped report of all the senders resolved to the AppId ServicePrincipal is pretty easy and looks something like the following. I’ve put a copy of this script on GitHub here: https://github.com/gscales/Powershell-Scripts/blob/master/Graph101/GraphSDK/SendVersions.ps1. Some interesting results from it:
Email sent from the .NET Graph SDK
Email sent using the PowerShell Graph SDK
While I’ve just used this property here in a reporting type context, you could also use it in an app context where you need to do post-processing of messages sent from a particular application, or just for moving or categorizing messages that particular apps have sent. Anyway the script looks like.
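The grouping step of the report described above, as an added example that is not the author's SendVersions.ps1 (that script is at the GitHub link). The sample strings are constructed, and the `AppId=<guid>` token layout, the function name `Get-SentClientSummary` and the `$propId` variable are assumptions.

```powershell
# Added example, not the author's script. Sample values are constructed; the
# "AppId=<guid>" token layout is an assumption about the client info format.
function Get-SentClientSummary {
    param(
        [Parameter(Mandatory)][string[]]$ClientInfo,
        [switch]$ResolveAppId  # needs Connect-MgGraph with rights to read service principals
    )
    $guid  = '[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    $names = @{}   # AppId -> display name cache: one Graph lookup per distinct app
    $rows = foreach ($value in $ClientInfo) {
        $client = if ($value -match 'Client=([^;]+)') { $Matches[1] } else { 'Unknown' }
        # Only a strict GUID match is accepted, so the value is safe inside an OData filter.
        $appId  = if ($value -match "AppId=($guid)") { $Matches[1].ToLower() } else { '' }
        if ($ResolveAppId -and $appId -and -not $names.ContainsKey($appId)) {
            $sp = Get-MgServicePrincipal -Filter "AppId eq '$appId'"
            $names[$appId] = if ($sp) { $sp.DisplayName } else { '(not in this tenant)' }
        }
        [pscustomobject]@{
            Client = $client
            AppId  = $appId
            App    = if ($appId -and $names.ContainsKey($appId)) { $names[$appId] } else { '' }
        }
    }
    # Group identical client/app combinations and list the most frequent first.
    $rows | Group-Object Client, AppId, App | Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; Client = $first.Client
                               AppId = $first.AppId; App = $first.App }
        }
}

# Constructed sample values (the AppId is the one quoted earlier on this page).
$sample = @(
    'Client=OWA;Mozilla/5.0 (constructed);AppId=de8bc8b5-d9f9-48b1-a8ad-b748da725064'
    'Client=OWA;Mozilla/5.0 (constructed);AppId=de8bc8b5-d9f9-48b1-a8ad-b748da725064'
    'Client=WebServices;EWSEditor (constructed)'
)
Get-SentClientSummary -ClientInfo $sample | Format-Table -AutoSize

# Live input. Assumption: $propId holds the extended property id as read in MFCMAPI.
# $msgs = Get-MgUserMailFolderMessage -UserId $mailbox -MailFolderId sentitems -All `
#     -ExpandProperty "singleValueExtendedProperties(`$filter=id eq '$propId')"
# Get-SentClientSummary -ClientInfo $msgs.SingleValueExtendedProperties.Value -ResolveAppId
```

An AppId that resolves to no service principal in the tenant is worth a closer look in the sign-in and audit logs, since it marks mail sent by an application the tenant has no enterprise application entry for.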
