| title | Message trace in the Microsoft Defender portal | |||
|---|---|---|---|---|
| f1.keywords |
|
|||
| author | chrisda | |||
| ms.author | chrisda | |||
| manager | bagol | |||
| audience | ITPro | |||
| ms.topic | how-to | |||
| ms.collection |
|
|||
| ms.localizationpriority | medium | |||
| ms.assetid | 3e64f99d-ac33-4aba-91c5-9cb4ca476803 | |||
| ms.custom |
|
|||
| description | Admins can use the Message trace link in the Microsoft Defender portal to find out what happened to messages. | |||
| ms.service | defender-office-365 | |||
| search.appverid | met150 | |||
| ms.date | 10/9/2023 | |||
| appliesto |
|
[!INCLUDE MDO Trial banner]
In all organizations with cloud mailboxes, message trace follows email messages as they travel through your Microsoft 365 organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.
The Summary report in the message trace contains the information that helps you answer user questions and troubleshoot mail flow issues. This Summary report enables you to view the report in a file that can be opened in Windows Explorer (also known as File Explorer).
You can use the View in Explorer option in the Message trace search results page in Exchange admin center. However, to use this option, you must fulfill the following prerequisite:
- You must procure the E5/A5 license to access a feature within the Office 365 Threat Intelligence licensing. This feature only enables you to use the View in Explorer option.
Tip
The Message trace page in the Microsoft Defender portal is a really pass through to Message trace page in the new Exchange admin center (EAC) at https://admin.exchange.microsoft.com/#/messagetrace.
-
The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the Choose report type section for details). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell returns all messages in the results.
-
You need to be assigned permissions before you can do the procedures in this article. You have the following options:
-
Exchange Online permissions: Membership in the Organization Management, Compliance Management or Help Desk role groups.
-
Microsoft Entra permissions: Membership in the Global Administrator* or Compliance Administrator roles gives users the required permissions and permissions for other features in Microsoft 365.
[!IMPORTANT] * Microsoft strongly advocates for the principle of least privilege. Assigning accounts only the minimum permissions necessary to perform their tasks helps reduce security risks and strengthens your organization's overall protection. Global Administrator is a highly privileged role that you should limit to emergency scenarios or when you can't use a different role.
-
In the Microsoft Defender portal at https://security.microsoft.com, go to Email & collaboration > Exchange message trace.
At this point, the Message trace page in the new EAC opens. To go directly to this page, use https://admin.exchange.microsoft.com/#/messagetrace. For more information, see Message trace in the new Exchange admin center.