Microsoft O365 Exchange Message Trace Reports

About Microsoft O365 Exchange Message Trace Reports

Table name: microsoft_message_trace_reports

Microsoft 365 Exchange Message Trace reports provide detailed insights into email message flow within your organization. They allow administrators to track messages as they pass through Exchange Online, including information about delivery status, routing, spam filtering actions, and timestamps. These reports help with troubleshooting mail flow issues, auditing communications, and ensuring policy compliance. Message trace data is available for up to 10 days (or 90 days in advanced traces) and can be accessed via the Microsoft 365 admin center, PowerShell, or Microsoft Graph API.

Learn more here.

Sending Data To Hunters

📘 Note

To complete the steps below you’ll need an Azure admin user.

To set up ingestion from Microsoft 365, perform the following steps:

1. Create the application

  1. In the Azure portal home screen, open the side menu and click Microsoft Entra ID.

  2. Now, from the side menu click Manage > App registration.
    The App registration menu opens.

  3. From the upper menu, click New registration.
    The Register an application window opens.

  4. Under the Name field, enter a descriptive name.

  5. Under the Redirect URI section, select Web platform and paste http://localhost:5110 in the URL field.

  6. Click Register.
    The application window opens.

2. Provide API permissions

  1. From the side menu, click API permissions.
    The Request API permissions panel opens.

  2. Click Add a permission and then navigate to the APIs my organization uses tab.

  3. Search for Office 365 Exchange Online and select it from the results.

  4. Click Delegated permissions and search for the ReportingWebService.Read permission.

  5. Select it and click Add permissions.

  6. Now repeat the process to add an Application permission called ReportingWebService.Read.All.

  7. Click Grant admin consent for directory to grant admin permissions.

You should end up with the following:

3. Provide the required role

  1. From the side menu, click Roles and Administrators.

  2. Add the Security Reader role to the application.

4. Create client secret

  1. From the side menu, click Certificates & secrets.

  2. Click New client secret to open the client secret panel.

  3. In the Description field, enter a descriptive title.

  4. From the Expires dropdown list, select 24 months.

  5. Click Add to add the secret.
    The secret now appears under the Client secrets list.

  6. Copy and paste the client secret Value and Secret ID into a notepad for later use.

❗️IMPORTANT

After a while the client secret value will be hidden from view and you will not be able to retrieve it again.

5. Retrieve tenant ID

  1. From the side menu, click Overview.

  2. Locate the application’s tenant ID (Directory tenant ID).

  3. Copy and paste the value into a notepad for later use.

6. Set up the connection on Hunters

Finally, to provide Hunters with the required keys, follow this guide. Make sure to provide the following details:

  • Client ID

  • Client Secret

  • Tenant ID

Sample Data

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/" xmlns="http://www.w3.org/2005/Atom" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
    <id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace</id>
    <title type="text">MessageTrace</title>
    <updated>2025-03-13T08:38:39Z</updated>
    <link rel="self" title="MessageTrace" href="MessageTrace" />
    <entry>
        <id>https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MessageTrace(0)</id>
        <category term="TenantReporting.MessageTrace" scheme="http://schemas.microsoft.com/ado/2007/08/dataservices/scheme" />
        <link rel="edit" title="MessageTrace" href="MessageTrace(0)" />
        <title />
        <updated>2025-03-13T08:38:39Z</updated>
        <author>
            <name />
        </author>
        <content type="application/xml">
            <m:properties>
                <d:Organization>hunterslab.onmicrosoft.com</d:Organization>
                <d:MessageId>&lt;67d07b2fd7f3a_12dbcc37711@workato-jobdispatcher-hpa-shard-0-78458bbc64-5jfhp.mail&gt;</d:MessageId>
                <d:Received m:type="Edm.DateTime">2025-03-11T18:04:35.8685656</d:Received>
                <d:SenderAddress>mailer@eu.workato.com</d:SenderAddress>
                <d:RecipientAddress>e5_user@hunterslab.onmicrosoft.com</d:RecipientAddress>
                <d:Subject>asfdas</d:Subject>
                <d:Status>Delivered</d:Status>
                <d:ToIP m:null="true" />
                <d:FromIP>156.70.17.101</d:FromIP>
                <d:Size m:type="Edm.Int32">29947</d:Size>
                <d:MessageTraceId m:type="Edm.Guid">712783cc-6fd8-4fd6-83d8-08dd60c72eef</d:MessageTraceId>
                <d:StartDate m:type="Edm.DateTime">2025-03-11T08:38:38.0492191Z</d:StartDate>
                <d:EndDate m:type="Edm.DateTime">2025-03-13T08:38:38.0492191Z</d:EndDate>
                <d:Index m:type="Edm.Int32">0</d:Index>
            </m:properties>
        </content>
    </entry>
</feed>
{"Organization":"hunterslab.onmicrosoft.com","MessageId":"<67d07b2fd7f3a_12dbcc37711@workato-jobdispatcher-hpa-shard-0-78458bbc64-5jfhp.mail>","Received":"/Date(1741716275868)/","SenderAddress":"mailer@eu.workato.com","RecipientAddress":"e5_user@hunterslab.onmicrosoft.com","Subject":"asfdas","Status":"Delivered","ToIP":null,"FromIP":"156.70.17.101","Size":29947,"MessageTraceId":"712783cc-6fd8-4fd6-83d8-08dd60c72eef","StartDate":"/Date(1741392000000)/","EndDate":"/Date(1741824000000)/","Index":0}
{"Organization":"hunterslab.onmicrosoft.com","MessageId":"<20250310180119.9649cb9799c62114@azns.microsoft.com>","Received":"/Date(1741629690893)/","SenderAddress":"azure-noreply@microsoft.com","RecipientAddress":"e5_user@hunterslab.onmicrosoft.com","Subject":"Retirement notice: Transition to DCR-based custom log ingestion by 13 September 2026","Status":"Delivered","ToIP":null,"FromIP":"52.101.62.142","Size":136485,"MessageTraceId":"ef87dc54-46ac-4b28-d587-08dd5ffd9644","StartDate":"/Date(1741392000000)/","EndDate":"/Date(1741824000000)/","Index":1}
{"Organization":"hunterslab.onmicrosoft.com","MessageId":"<20250310160712.8efab5155789ce83@azns.microsoft.com>","Received":"/Date(1741622914550)/","SenderAddress":"azure-noreply@microsoft.com","RecipientAddress":"e5_user@hunterslab.onmicrosoft.com","Subject":"Default outbound access for VMs in Azure will be retired—transition existing VMs to a new method of internet access","Status":"Delivered","ToIP":null,"FromIP":"52.101.46.124","Size":132405,"MessageTraceId":"55020069-4352-4221-eb65-08dd5fedcf40","StartDate":"/Date(1741392000000)/","EndDate":"/Date(1741824000000)/","Index":2}
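
The Atom XML and JSON samples above encode the same record differently: typed `Edm.DateTime` values and `m:null` attributes in XML, `/Date(ms)/` strings and `null` in JSON. The added example below (not Hunters' or Microsoft's code) normalizes both into one record shape so detections and deduplication treat them alike. The function names are hypothetical, the sample strings are constructed by trimming the page's first record, and `Edm.DateTime` values are assumed to be UTC.

```python
import json
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

D = "http://schemas.microsoft.com/ado/2007/08/dataservices"
M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def edm_datetime(text):
    # Edm.DateTime has up to 7 fractional digits and an optional "Z"; assumed to be UTC.
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z?", text)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=int((m.group(2) or "")[:6].ljust(6, "0")))

def json_date(text):
    # "/Date(1741716275868)/" is milliseconds since the Unix epoch.
    return EPOCH + timedelta(milliseconds=int(re.fullmatch(r"/Date\((-?\d+)\)/", text).group(1)))

CONVERT = {"Edm.DateTime": edm_datetime, "Edm.Int32": int}
def parse_atom(xml_text):
    # Feed from the reporting service; parse XML from untrusted sources with a hardened parser.
    records = []
    for props in ET.fromstring(xml_text).iter("{%s}properties" % M):
        rec = {}
        for el in props:
            null = el.get("{%s}null" % M) == "true"
            convert = CONVERT.get(el.get("{%s}type" % M), str)
            rec[el.tag.split("}", 1)[1]] = None if null else convert(el.text or "")
        records.append(rec)
    return records

def parse_json_line(line):
    return {k: json_date(v) if isinstance(v, str) and v.startswith("/Date(") else v
            for k, v in json.loads(line).items()}

def dedup_key(rec):
    # XML keeps sub-millisecond digits, JSON keeps milliseconds: compare at millisecond precision.
    r = rec["Received"]
    return (rec["MessageTraceId"], rec["RecipientAddress"],
            r.replace(microsecond=r.microsecond // 1000 * 1000))

# Constructed sample: the page's first record, trimmed to a few fields, in both formats.
SAMPLE_XML = f"""<feed xmlns="http://www.w3.org/2005/Atom" xmlns:d="{D}" xmlns:m="{M}"><entry><content><m:properties>
<d:Received m:type="Edm.DateTime">2025-03-11T18:04:35.8685656</d:Received>
<d:RecipientAddress>e5_user@hunterslab.onmicrosoft.com</d:RecipientAddress>
<d:ToIP m:null="true" /><d:Size m:type="Edm.Int32">29947</d:Size>
<d:MessageTraceId m:type="Edm.Guid">712783cc-6fd8-4fd6-83d8-08dd60c72eef</d:MessageTraceId></m:properties></content></entry></feed>"""
SAMPLE_JSON = ('{"Received":"/Date(1741716275868)/","RecipientAddress":"e5_user@hunterslab.onmicrosoft.com",'
               '"ToIP":null,"Size":29947,"MessageTraceId":"712783cc-6fd8-4fd6-83d8-08dd60c72eef"}')
```

The `StartDate` and `EndDate` fields describe the query window rather than the message, so they are left out of the deduplication key.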