Message trace in the Microsoft Defender portal

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, message trace follows email messages as they travel through your Microsoft 365 organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.

The Summary report in message trace contains the information that helps you answer user questions and troubleshoot mail flow issues. You can view this report in a file that can be opened in Windows Explorer (also known as File Explorer).

You can use the View in Explorer option on the Message trace search results page in the Exchange admin center. To use this option, you must meet the following prerequisite:

  • You must procure the E5/A5 license to access a feature within the Office 365 Threat Intelligence licensing. This feature only enables you to use the View in Explorer option.

Tip

The Message trace page in the Microsoft Defender portal is really a pass-through to the Message trace page in the new Exchange admin center (EAC) at https://admin.exchange.microsoft.com/#/messagetrace.

What do you need to know before you begin?

  • The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the Choose report type section for details). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Exchange Online permissions: Membership in the Organization Management, Compliance Management or Help Desk role groups.

    • Microsoft Entra permissions: Membership in the Global Administrator* or Compliance Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
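To review who currently holds message trace access through the Exchange Online role groups listed above, the following added example (not part of the original article) enumerates their members in Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, is read-only, and does not cover the Microsoft Entra roles; the variable names are illustrative.

```powershell
# Added example: requires an existing Exchange Online PowerShell session
# (Connect-ExchangeOnline). Read-only; nothing in the tenant is changed.

# Role groups the article lists as granting message trace access.
$roleGroups = 'Organization Management', 'Compliance Management', 'Help Desk'

$holders = foreach ($group in $roleGroups) {
    try {
        Get-RoleGroupMember -Identity $group -ResultSize Unlimited -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    RoleGroup     = $group
                    Member        = $_.Name
                    RecipientType = $_.RecipientType
                    Address       = $_.PrimarySmtpAddress
                }
            }
    }
    catch {
        # A role group may be missing or unreadable for this account; report and continue.
        Write-Warning "Could not read role group '$group': $($_.Exception.Message)"
    }
}

# One row per principal, listing every message-trace role group it belongs to.
# Grouping is by display name, so identically named principals are merged.
$summary = $holders | Group-Object Member | ForEach-Object {
    [pscustomobject]@{
        Member     = $_.Name
        Type       = $_.Group[0].RecipientType
        RoleGroups = ($_.Group.RoleGroup | Sort-Object -Unique) -join '; '
        # Nested groups hide the effective holders; expand those separately.
        IsGroup    = "$($_.Group[0].RecipientType)" -match 'Group'
    }
}

$summary | Sort-Object Member | Format-Table -AutoSize
```

Principals that appear only because they need message trace are candidates for the Help Desk or Compliance Management role group rather than Organization Management.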

Open message trace

In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Exchange message trace.

At this point, the Message trace page in the new EAC opens. To go directly to this page, use https://admin.exchange.microsoft.com/#/messagetrace. For more information, see Message trace in the new Exchange admin center.