Message trace in the Microsoft 365 Defender portal

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to

Message trace in the Microsoft 365 Defender portal follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.

Note

Message trace in the Microsoft 365 Defender portal is just a pass through to Message trace in the Exchange admin center. For more information, see Message trace in the modern Exchange admin center.

What do you need to know before you begin?

  • You need to be a member of the Organization Management, Compliance Management or Help Desk role groups in Exchange Online to use message trace. For more information, see Permissions in Exchange Online.

    Notes: Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions and permissions for other features in Microsoft 365. For more information, see About admin roles.

  • The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the Choose report type section for details). The Get-HistoricalSearch cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.

Open message trace

In the Microsoft 365 Defender portal, go to Email & collaboration > Exchange message trace. Or, to go directly to the message trace page, use https://admin.exchange.microsoft.com/#/messagetrace.

At this point, message trace in the EAC opens. For more information, see Message trace in the modern Exchange admin center.