
STEP 1: Register application (microsoft-message-trace-report)


In this step you will register a new application on Azure with appropriate permissions, create client secrets and gather information in your notepad for the next steps.

1. Create the application

  1. In the Azure portal home screen, open the side menu and click Microsoft Entra ID.

  2. Now, from the side menu click Manage > App registration.
    The App registration menu opens.

  3. From the upper menu, click New registration.
    The Register an application window opens.

  4. Under the Name field, enter a descriptive name.

  5. Click Register.

2. Provide API permissions

  1. From the side menu, click API permissions > + Add a permission.
    The Request API permissions panel opens.

  2. Scroll down to locate the Microsoft Graph tile and click on it.
    Select the Delegated permissions type, then search for ExchangeMessageTrace and select ExchangeMessageTrace.Read.All.

  3. In Microsoft Graph again, select the Application permissions type, then search for ExchangeMessageTrace and select ExchangeMessageTrace.Read.All.

  4. Click Add permissions to close the panel and return to the application window.

  5. Click Grant admin consent for directory to grant admin permissions.

Provision the service principal (required)

The Message Trace API requires a service principal for the Microsoft Transport Data Platform app in your tenant.
Without it, the API returns 401 and ingestion will not work.

  1. Install the [Microsoft Graph PowerShell SDK](https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation) and run:
    ```powershell
    Connect-MgGraph -Scopes "Application.ReadWrite.All"
    ```

  2. Create the service principal:
    ```powershell
    New-MgServicePrincipal -AppId 8bd644d1-64a1-4d4b-ae52-2e0cbf64e373
    ```

  3. Disconnect when done: `Disconnect-MgGraph`.


Provisioning can take some time to take effect (up to a few hours in large tenants).
If you get 401 after completing the rest of the setup, wait and retry, or confirm the service principal exists in Microsoft Entra ID > Enterprise applications (search for the app ID 8bd644d1-64a1-4d4b-ae52-2e0cbf64e373).
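
One way to run the provisioning above so that it is safe to repeat, and to confirm that the admin consent from section 2 produced the application permission, as an added example (not part of the original guide or Hunters' own tooling). `$ClientId` is a placeholder for your Application (client) ID, and `00000003-0000-0000-c000-000000000000` is Microsoft Graph's well-known app ID; the cmdlets come from the Microsoft Graph PowerShell SDK.

```powershell
# Added example: check-then-create for the service principal, plus a consent check.
$TransportAppId = '8bd644d1-64a1-4d4b-ae52-2e0cbf64e373'  # app ID given on this page
$ClientId       = '<YOUR-APPLICATION-CLIENT-ID>'           # placeholder: app registered in step 1
$RequiredRole   = 'ExchangeMessageTrace.Read.All'
$GraphAppId     = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph (well-known)

Connect-MgGraph -Scopes 'Application.ReadWrite.All'
try {
    # 1. Create the service principal only if it is missing, so reruns do not error.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$TransportAppId'"
    if (-not $sp) {
        $sp = New-MgServicePrincipal -AppId $TransportAppId
        Write-Host "Created service principal $($sp.Id). Allow time for it to take effect."
    }
    else {
        Write-Host "Service principal already present: $($sp.DisplayName) ($($sp.Id))"
    }

    # 2. Look up the Graph app role that corresponds to the application permission.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    $role    = $graphSp.AppRoles | Where-Object { $_.Value -eq $RequiredRole }
    if (-not $role) { throw "App role $RequiredRole not found on Microsoft Graph." }

    # 3. Admin consent shows up as an app role assignment on the registered app's
    #    own service principal. No assignment means consent was not granted.
    $appSp = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
    if (-not $appSp) { throw "No service principal found for client ID $ClientId." }

    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }

    if ($granted) {
        Write-Host "$RequiredRole (Application) is granted to $($appSp.DisplayName)."
    }
    else {
        Write-Warning "$RequiredRole is not granted. Repeat 'Grant admin consent' in section 2."
    }
}
finally {
    # Always drop the session: the Application.ReadWrite.All scope is broad.
    Disconnect-MgGraph | Out-Null
}
```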

3. Create client secret

  1. From the side menu, click Certificates & secrets.

  2. Click New client secret to open the client secret panel.

  3. In the Description field, enter a descriptive title.

  4. From the Expires dropdown list, select 24 months.

  5. Click Add to add the secret.
    The secret now appears under the Client secrets list.

  6. Copy the client secret Value and Secret ID to a notepad for later use.

❗️IMPORTANT

After a while, the client secret value will be hidden from view and you will not be able to retrieve it again.

4. Retrieve Tenant ID and Application ID

  1. From the side menu, click Overview.

  2. Locate the Application (client) ID and Directory (tenant) ID.

  3. Copy and paste these values into a notepad for later use.

Finally, to provide Hunters with the required keys, follow this guide. Make sure to provide the following details:

  • Client ID

  • Client Secret

  • Tenant ID