I tried the MS recommended documentation it didn't work for me. Our helpdesk users were already assigned the "Global READER" role and this prevented me from adding the security reader role to them. It turns out that global reader isn't quite as global as you think. I added the security reader role to a group containing these users, waited 24 hours and things worked. I suspect I had already tried this solution previously but didn't wait long enough for the MS permissions to apply.
Requirements in order to be able to submit emails to MS submissions from Message trace
These roles have been assigned to a group in our environment https://security.microsoft.com/securitypermissions?
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
Microsoft Defender XDR Unified role based access control (RBAC) (Affects the Defender portal only, not PowerShell): Security operations/Security data/Response (manage) or Security operations/Security data/Read-only.
Email & collaboration permissions in the Microsoft Defender portal: Membership in the Security Administrator or Security Reader role groups.
Microsoft Entra permissions: Membership in the Security Administrator or Security Reader roles gives users the required permissions and permissions for other features in Microsoft 365.