Message tracking in Microsoft 365 (Exchange Online)

Message tracing in Office 365

Message tracking, or message tracing, as it is called in Microsoft 365, is one of the most basic tools used by administrators to monitor the email flow. As emails travel through Microsoft 365 (Exchange Online, to be exact), some information about them gets stored in logs and is available for administrative purposes. No matter if users delete or purge messages, the administrator is able to view basic information about sent and received emails.

Message tracing does not allow you to peek into a message’s contents. Still, it can provide quite a lot of important data about emails:

  • Sender and recipient
  • Sent and received dates
  • Subject
  • Size
  • Delivery status and details of events
  • IP address used to send the message
  • Message ID and MessageTrace ID

I’ll go into these in more detail a bit later.

There are a few significant differences between message tracking logs in the on-prem Exchange and message tracking in Microsoft 365. The most important one is that message tracking logs are simple text files you can access directly and copy for backup purposes, but also – delete manually.

Differences between message tracking logs and Microsoft 365 message tracing

Message tracking logs (on-prem Exchange)Message tracing (Exchange Online)
AccessPowerShell, alternatively – a text editor.PowerShell, EAC.
Size limitsConfigurable, by default 1000 MB for all message tracking log files in the set directory.In PowerShell, it depends on the cmdlet you use:
Get-MessageTraceV2 – up to 5,000 results,
Start-HistoricalSearch – up to 100,000 results (in a CSV file).
In the EAC, it depends on the type of message trace report:
• Summary report (instant online access) – up to 10,000 results,
• Enhanced summary report – up to 100,000 results (in a CSV file),
• Extended report – up to 1,000 results (in a CSV file).
The size limit for downloadable CSV files in the EAC is 800 MB. If a report exceeds this limit, you won’t be able to open it in Excel or Notepad.
Age limitsBy default, 30 days before the oldest files are overwritten. Can be increased (or decreased.)• 90 days with a maximum selection limit of 10 days of data for the Get-MessageTraceV2 cmdlet or a summary report query in the EAC,
• 90 days with no selection limit for the Start-HistoricalSearch cmdlet or enhanced summary report and extended report queries in the EAC.
AvailabilityAll data about messages is available as soon as they are sent or received.When you use the Get-MessageTraceV2 cmdlet or run the summary report query, all data is available with no significant delay. The Start-HistoricalSearch cmdlet may not display messages that are less than 4 hours old. In the enhanced summary report and extended report, the last 24 hours of archived data tend not to be available.
DelayAll searches start immediately.Searching for emails older than ten days might take up to a few hours. It takes some time before search request even starts to be processed.

Practical application of message tracking

Message tracing makes it possible to learn what happened to certain messages, even if they haven’t been delivered or have been deleted. There are quite a few different uses for this kind of information:

  • Find and fix mail-delivery issues – the most basic and “traditional“ purpose for message tracing. Whenever a user or a client reports that some message seems to be missing, administrators can get to the bottom of the problem. Of course, finding the right message quickly depends on how much info the user provides. Finding a message that “someone was supposed to send me last week” might take a while, especially in larger organizations
  • Monitor mail flow – as message tracing collects data about all messages processed within the organization, the results can be used to gather statistic data.
  • Check if your mail flow rules work the way they should – it is not hard to make a mistake while configuring mail flow rules, especially in a large organization and when there are possible conflicts between different rules. As message tracing details provide granular information about failures, you will be able to pinpoint which mail flow rule is at fault.
  • Message forensics – although message tracking logs and results of message tracing do not let the Administrator into the contents of an email, other information such as the sender, recipients, date, time, and size of the message can prove very valuable, for example, in case of litigation. If an important email is purged before a litigation hold, or a retention policy is activated, logs can act as key evidence.

Permissions required to trace messages

Like any action in Microsoft 365, message trace search requires certain permissions or roles:

  • Security Admin
  • Security Reader
  • View-Only Recipients
  • Compliance Admin
  • Data Loss Prevention

By default, the Organization Management role group has all of the required permissions.

Now, before going through how to run a message trace, it might be useful to learn a bit of theory. Namely, the possible values of the delivery status. Or, to put it more bluntly – what can happen to an email.

Possible delivery statuses

There is a total of 7 values of the delivery status for a message:

  • Delivered – the message reached the recipient. If a user cannot find a message with this status, it might have been deleted or moved by an Outlook rule.
  • Expanded – the email was sent to a distribution group. Then, Exchange Server created separate copies to send them to each distribution group member.
  • Failed – delivery failed. Message trace for such a message should include reasons for delivery failure.
  • Pending – Exchange Online attempts to send the email.
  • Quarantined – the email never reached the mailbox, as it is held in quarantine.
  • Filtered as spam – the server filtered the message, which means it went to the Junk Email folder.
  • Getting status – the delivery status is not known at the moment. It’s best to retry the message trace in a few minutes.

There are two ways to track messages in Microsoft 365 – using PowerShell and the EAC. Let’s have a look at them.

Microsoft 365 message tracing using PowerShell

You can use PowerShell to search through message tracking logs on on-premises servers as well as to trace messages in Exchange Online. And although the experience is somehow similar, there are some differences worth mentioning.

On-prem Exchange has only one cmdlet used solely for the purpose of getting to the required data: Get-MessageTrackingLog. In Microsoft 365, the corresponding cmdlet is Get-MessageTraceV2. Both cmdlets are executed immediately, but while Get-MessageTrackingLog searches through all existing logs, its Exchange Online counterpart can go back for only 90 days and returns only 10 days’ worth of data per query.

There is also the Start-HistoricalSearch cmdlet available in Microsoft 365. It starts a historical search of up to 90 days as well (with no selection limit, though) and reports data in a CSV file. I’ll get back to this cmdlet later in the article.

Get-MessageTraceV2

Note: The Get-MessageTraceV2 cmdlet is a new version of the legacy Get-MessageTrace cmdlet that was deprecated on September 1, 2025.

Get-MessageTraceV2 does not require any additional parameters; however, if you do not add any, it will return information about all messages processed by your tenant in the last 48 hours. Normally, that would provide you with too much data for diagnostic purposes. To find out what happened to a specific email, you will need to narrow your query down. For example:

Get-MessageTraceV2 -RecipientAddress <user’s address> -StartDate "06/13/2025 7:00 AM" -EndDate "06/14/2025 7:00 AM"

This cmdlet shows all mail flow directed to the user between the defined dates. If it does not give all the required details, change the format of the results and specify the parameters you need, like FromIP or Subject.

Get-MessageTraceV2 -RecipientAddress <user’s address> -StartDate "06/13/2025 7:00 AM" -EndDate "06/14/2025 7:00 AM" | Format-list -Property Received,SenderAddress,Status,MessageTraceId

The list provides you with just enough information to find the right message.

Get-MessageTraceDetailV2

To check what happened to the message (e.g., why the delivery failed), you will need to use the Get-MessageTraceDetailV2 cmdlet. Instead of finding and copying the MessageTraceId from the results of the previous cmdlet, let’s just use it in a pipeline:

Get-MessageTraceV2 -RecipientAddress <user’s address> -StartDate 09/11/2025 -EndDate 09/12/2025 -Status Failed | Get-MessageTraceDetailV2

As you can easily see, the delivery failed because of a mail flow rule. This is one of the reasons you should always take a second to name mail flow rules properly. A name like “Rule 1” probably will not tell you much, even if you were the one to set up the rule in the past.

Start-HistoricalSearch

Running a historical search allows you to generate a CSV report for messages that are up to 90 days old, with no selection limit. To begin such a search, run Start-HistoricalSearch. The required parameters are: StartDateEndDateReportTitle and ReportType (MessageTrace or 
MessageTraceDetail). Make sure you have also specified the 
-NotifyAddress parameter to receive the report as soon as it is ready. If the -NotifyAddress parameter is not specified, the only way to access the report is via the EAC. Also, it is important to narrow down the search to include only the data you need, as a historical search might take up to a few hours.

Start-HistoricalSearch -ReportTitle "Trace1" -ReportType MessageTrace -SenderAddress [email protected] -StartDate 09/09/2025 -EndDate 09/10/2025 -NotifyAddress [email protected]

To check the status of any search started in the last ten days, use Get-HistoricalSearch.

Message tracking in Microsoft 365 using the EAC

Here’s a short video that shows exactly how to run an extended message trace in Exchange Online:

On-prem Exchange did not allow message tracking via the Exchange admin center. In Microsoft 365, the EAC enables message tracing and offers quite a comfortable experience. Although usually I prefer administrating Exchange Online with PowerShell, I must say that in this case, the EAC seems to do its job very efficiently.

To access the Message trace feature, you can either use this link, or go to Exchange admin center > Mail flow > Message trace:

Now, you can either click Start a trace to specify your search criteria from scratch or use one of the templates available below. Templates open the same New message trace window, but they have some fields predefined.

This window lets you define the criteria for the reports you want to generate. You can define the following criteria:

  • Senders – defines senders the tool will incorporate in the reports. The field accepts wildcards, which allows you to easily limit results for a certain domain.
  • Recipients – similar to the Senders fields, it accepts wildcards.
  • Time range – can be configured by using a slider or entering a custom time range.

Additionally, you can click Detailed search options to make your query even more granular:

  • Subject – lets you find messages whose subject matches or contains a specific phrase.
  • Delivery status – lets you search only for the emails which were, for example, successfully delivered or quarantined. For a list of all available statuses and what they mean, see this section of the article.
  • Message ID – lets you find a specific message. Message ID can be found in the email’s headers.
  • MessageTrace ID – lets you search for an instance of a message, e.g., when multiple copies of the same message have been created because of bifurcation (message splitting). The MessageTrace ID is required when you’re searching for data of messages sent to more than 1,000 recipients.
  • Direction – lets you choose from InboundOutbound and All.
  • Original client IP address.

Generating the reports might take up to a few hours. If the time range of your traced messages is no more than ten days, clicking Search will open a window with the results:

If you want to see details for a chosen email, click it, and a pane will open:

On this pane, you can check what happened to the message. In the example above, you can see that the delivery failed because of a transport rule. You can easily check which transport rule caused the problem and fix the issue.

Back in the main Message trace window, you can go to Downloadable reports tab to see a list of the historical searches and extended reports you have requested. If you have started a historical search using PowerShell and failed to specify the –NotifyAddress parameter, this is the only place to learn if the message trace is finished and to download the CSV file with your report.

In the CSV file, each row displays information about a single email. To make your report more readable, you can open it in Excel or another spreadsheet editor.

Further reading

Tools for Microsoft 365

Recommended articles

How to connect and remotely manage Microsoft 365 with PowerShell

How to connect and remotely manage Microsoft 365 with PowerShell

Microsoft 365 web interface was designed to make it easier to manage your tenant right down to its administrative bowels. On the one hand it really is quick and simple to navigate, on the other it definitely lacks some advanced configuration options so loved by sysadmins. Luckily there is the mighty PowerShell coming to the rescue! You should already know its potential, which can also be utilized in Microsoft 365. Find out how.
New-ComplianceSearch: how to use the newer version of Search-Mailbox

New-ComplianceSearch: how to use the newer version of Search-Mailbox

Microsoft retired the Search-Mailbox cmdlet – now what? Discover how to use New-ComplianceSearch, its key advantages and how to make the switch seamlessly.
How to start remote PowerShell session to Exchange or Microsoft 365

How to start remote PowerShell session to Exchange or Microsoft 365

One of many features of the PowerShell command line tool is its ability to connect with and manage the Exchange Server remotely. The procedure described below applies to the classic on-prem Exchange server and to the Microsoft 365/Exchange Online version.

Comments

    • avatar
      Adam the 32-bit Aardvark says:

      As mentioned in this article, the maximum size of the trace file in case of Exchange Online is not known. According to this Microsoft article, the maximum size for a downloadable report is 500MB. However, Microsoft also states that if the downloadable report exceeds 500 MB, it can’t be opened in Excel or Notepad.

    • avatar
      Adam the 32-bit Aardvark says:

      When you generate an enhanced summary report, the connector_id points to the right connector.

    • avatar
      Adam the 32-bit Aardvark says:

      I’m afraid there is no way to do this. The best you can do to help is export a list of failed items to let the senders know which items to resend.

    • avatar
      Adam the 32-bit Aardvark says:

      Yes, you can use PowerShell. But it still requires having the right permissions.

    • avatar
      Adam the 32-bit Aardvark says:

      Hi Michael,
      You can export the contents of message tracking logs to csv, which is widely supported. Whether you can import them or not, depends on the solution you use.

  1. Nice article, is there any way to clear ‘View pending and completed’ traces? Because it will difficult to search desire trace report if we have very big list of message trace report under ‘View pending and completed trace’ section.

    • avatar
      Adam the 32-bit Aardvark says:

      Unfortunately, there is no option to manualy clear the list. That is why it is so important to always give descriptive report titles.

    • avatar
      Adam the 32-bit Aardvark says:

      Hi Jonatan,
      As far as I know, there is no separate API for the message trace in Office 365. There is a feature request for this functionality at UserVoice, but it is not the most upvoted one, to say the least: https://office365.uservoice.com/forums/264636-general/suggestions/18835285-message-tracing-api

  2. I am getting more than 3lakh entries in historical search for past one month. But portal has limitations to download only 2000 entries. Any way to pull all the entries?

    • avatar
      Adam the 32-bit Aardvark says:

      Hi Alex,
      The quickest workaround would be to split your query into two separate 15-day date ranges.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

CodeTwo sp. z o.o. sp. k. is a controller of your personal data.
See our Privacy Policy to learn more.