Permissions Required to Download Message Trace Report in Exchange Admin Center

Gus-0185 45 Reputation points
2024-10-25T13:14:03.3266667+00:00

Hello,

Some users need permissions to download message trace reports in the EAC. They can use Message Trace and create reports, but encounter a permission error when trying to download them. They are currently assigned the "Security Administrator" role group, which already contains the "Message Tracking", "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients", "Audit Logs", and "Compliance Admin" roles, and a few more.

In the Microsoft documentation, they recommend using the "Organization Management" role group to manage Message Trace (which also means being able to download Message Trace reports), but there are way too many permissions given if I assign them that role group. (Ex: Migration, Move Mailboxes; pretty sure they don't need those to download a report.)

Does anyone know what permissions (roles, not role groups) are really needed to be able to download a report?

Thank you!


Accepted answer
  1. Alex Zhang-MSFT 1,600 Reputation points Microsoft Vendor
    2024-10-28T02:20:23.05+00:00

    Hello, @Gus-0185,

    Welcome to the Microsoft Q&A platform!

    Based on your description, I understand your concern about assigning appropriate permissions without overly privileging users. Although the Microsoft documentation recommends using the Organization Management role group, it does have the potential to grant too many privileges.

    To manage permissions more granularly, you can create custom role groups that contain only the necessary roles. You can do this by following these steps:

    1. Create a New Role Group: Open the Exchange Admin Center (EAC) and navigate to Roles > Admin Roles > Add Role Group.

    2. Name your new role group and add the essential roles that are likely needed. For example: Message Tracking, View-Only Audit Logs, View-Only Configuration, View-Only Recipients, Communication Compliance Admin, Audit Logs, Role Management (allow modifications if needed), Security Reader (access message trace functionalities if needed).

    3. Add Members: Add the specific users who need access to this functionality to the new role group.

    4. Save and Test the Role Group: After creating the new role group, test to ensure that the users can successfully download message trace reports without encountering permission errors.

    If you need more precise guidance on this process, please click on Manage role groups in Exchange Online | Microsoft Learn for reference.

    If the answer is helpful please click on ACCEPT ANSWER as it could help other members of the Microsoft Q&A community who have similar questions and are looking for solutions.

    Thank you for your support and understanding.

    Best Wishes,

    Alex Zhang

    1 person found this answer helpful.
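
The same role-group procedure in Exchange Online PowerShell, as an added example that is not part of the original answer or Microsoft's documentation. The group name, admin account and member addresses are placeholders, and the script assumes the ExchangeOnlineManagement module is installed; it keeps only the role names that exist as management roles in the tenant and then lists what Organization Management would have granted in addition.

```powershell
# Added example: names marked "placeholder" are assumptions, not values from the thread.
# Requires the ExchangeOnlineManagement module and an account allowed to manage role groups.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder admin

$groupName = 'Message Trace Report Download'                        # placeholder name
$members   = @('user1@contoso.example', 'user2@contoso.example')    # placeholder users

# Candidate roles named in the answer (the two it marks "if needed" are left out).
$candidates = @(
    'Message Tracking'
    'View-Only Audit Logs'
    'View-Only Configuration'
    'View-Only Recipients'
    'Communication Compliance Admin'
    'Audit Logs'
)

# Keep only names that exist as management roles in this tenant; report the rest.
$tenantRoles = (Get-ManagementRole).Name
$roles   = $candidates | Where-Object { $tenantRoles -contains $_ }
$skipped = $candidates | Where-Object { $tenantRoles -notcontains $_ }
if ($skipped) { Write-Warning "Not management roles in this tenant: $($skipped -join ', ')" }

# Steps 1-3: create the role group with those roles and members.
New-RoleGroup -Name $groupName -Roles $roles -Members $members `
    -Description 'Least-privilege group for downloading message trace reports'

# Review what the group actually grants.
$granted = Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Select-Object -ExpandProperty Role | Sort-Object -Unique
$granted

# Roles Organization Management holds that this group does not
# (the question names Migration and Move Mailboxes as examples).
Get-ManagementRoleAssignment -RoleAssignee 'Organization Management' |
    Select-Object -ExpandProperty Role | Sort-Object -Unique |
    Where-Object { $granted -notcontains $_ }

Disconnect-ExchangeOnline -Confirm:$false
```

Step 4, the download test, still has to be performed in the EAC by one of the group's members.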
