Message trace in the Microsoft 365 Defender portal
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Message trace follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.
Message trace in the Microsoft 365 Defender portal is just a pass through to Message trace in the Exchange admin center. For more information, see Message trace in the modern Exchange admin center.
What do you need to know before you begin?
You need to be a member of the Organization Management, Compliance Management or Help Desk role groups in Exchange Online to use message trace. For more information, see Permissions in Exchange Online.
Notes: Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.
The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the Choose report type section for details). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.
Open message trace
In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration > Exchange message trace. To go directly to the message trace page, use https://admin.exchange.microsoft.com/#/messagetrace.
At this point, message trace in the EAC opens. For more information, see Message trace in the modern Exchange admin center.