Reporting and message trace in EOP


Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP offers many different reports that can help you determine the overall status and health of your organization. There are also tools to help you troubleshoot specific events (such as a message not arriving to its intended recipients), and auditing reports to aid with compliance requirements.

Usage reports

Security reports in the Microsoft 365 defender portal

These enhanced reports provide an interactive reporting experience for EOP admins, which includes summary information, and the ability to drill down for more details.

Mail flow insights in the Security & Compliance Center

For more information, see Mail flow insights in the Security & Compliance Center.

Custom reports using Microsoft Graph

Programmatically create reports that are available in the admin center by using Microsoft Graph. For more information, see Overview of Microsoft Graph and Working with Office 365 usage reports in Microsoft Graph.

Message trace

Follows email messages as they travel through EOP. You can determine if an email message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.

You can use this information to efficiently answer your user's questions, troubleshoot mail flow issues, validate policy changes, and alleviates the need to contact technical support for assistance.

See Message trace in the Microsoft 365 Defender portal.

Audit logging

Tracks specific changes made by admins to your organization. These reports can help you troubleshoot configuration issues or find the cause of security or compliance-related problems. See Auditing reports in Exchange Online.

Reporting and message trace data availability and latency

The following table describes when EOP reporting and message trace data is available and for how long.

Report type Data available for (look back period) Latency
Mail protection summary reports 90 days Message data aggregation is mostly complete within 24-48 hours. Some minor incremental aggregated changes may occur for up to 5 days.
Mail protection detail reports 90 days For detail data that's less than 7 days old, data should appear within 24 hours but may not be complete until 48 hours. Some minor incremental changes may occur for up to 5 days.

To view detail reports for messages that are greater than 7 days old, results may take up to a few hours.

Message trace data 90 days When you run a message trace for messages that are less than 7 days old, the messages should appear within 5-30 minutes.

When you run a message trace for messages that are greater than 7 days old, results may take up to a few hours.


Data availability and latency is the same whether requested via the admin center or remote PowerShell.