Message tracking in Office 365 (Exchange Online)

Message tracking, or message tracing, as it is called in Office 365, is one of the most basic tools administrators use to monitor mail flow. As emails travel through Office 365, some information about them is stored in logs and is available for administrative purposes. Even if users delete or purge messages, the administrator can still view basic information about sent and received emails.

Message tracing in Office 365

Message tracing does not allow you to peek into a message’s contents. Still, it can provide quite a lot of important data about emails:

  • Sender and Recipient
  • Send and receive dates
  • Subject and size
  • Status and details of events. There are seven possible values in the delivery status field: delivered, failed, pending, expanded, quarantined, filtered as spam and unknown.
  • IP address used to send the message
  • Message ID – a unique number identifying a message. If a message is sent to more than one recipient, it will appear once for every recipient in the message trace results, but all those entries will have the same Message ID and a different Message Trace ID.

There are a few significant differences between message tracking logs in on-prem Exchange and message tracing in Office 365. The most important one is that on-prem message tracking logs are simple text files you can access directly and copy for backup purposes, but also delete manually.

Differences between message tracking logs and Office 365 Message tracing

Access
  • Message tracking logs (on-prem Exchange): PowerShell, alternatively a text editor.
  • Message tracing (Exchange Online): PowerShell, EAC.

Size limits
  • Message tracking logs (on-prem Exchange): Configurable, by default 1000 MB for all message tracking log files in the set directory.
  • Message tracing (Exchange Online): No known size limits.

Age limits
  • Message tracking logs (on-prem Exchange): By default, 30 days before the oldest files are overwritten. Can be increased (or decreased).
  • Message tracing (Exchange Online): 7 days for the easily accessible message trace, 90 days for “Historical Search”, where results can only be viewed in a downloadable CSV file.

Availability
  • Message tracking logs (on-prem Exchange): All data about messages is available as soon as they are sent or received.
  • Message tracing (Exchange Online): Messages less than 4 hours old might not be available.

Delay
  • Message tracking logs (on-prem Exchange): All searches start immediately.
  • Message tracing (Exchange Online): Searching for emails older than seven days might take up to a few hours. It takes some time before the search request even starts to be processed.

Practical application of message tracking

Message tracing makes it possible to learn what happened to certain messages, even if they are not delivered, or get deleted. There are quite a few different uses for this kind of information:

  • Find and fix mail-delivery issues – the most basic and ‘traditional’ purpose of message tracing. Whenever a user or a client reports that some message seems to be missing, administrators can get to the bottom of the problem. Of course, how quickly the right message is found depends on how much information the user provides. Finding a message that “someone was supposed to send me last week” might take a while, especially in larger organizations.
  • Monitor mail flow – as message tracing collects data about all messages processed within the organization, the results can be used to gather statistical data.
  • Check if your mail flow rules work the way they should – it is not hard to make a mistake while configuring mail flow rules, especially in a large organization and when there are possible conflicts between different rules. As message trace details provide detailed information about failures, you will be able to pinpoint which mail flow rule is at fault.
  • Message forensics – although message tracking logs and message trace results do not give the administrator access to the contents of an email, information about the sender, recipients, date, time, and size of the message can prove very valuable, for example in case of litigation. If an important email is purged before a litigation hold or a retention policy is activated, logs can act as key evidence.

Permissions required to trace messages

Like any action in Office 365, a message trace search requires one of the following permissions or roles:

  • Security Admin
  • Security Reader
  • View-Only Recipients
  • Compliance Admin
  • Data Loss Prevention

By default, the Organization Management role group has all of the required permissions.

There are two ways to track messages in Office 365 – PowerShell and EAC. Let’s have a look at them.

Office 365 message tracing using PowerShell

You can use PowerShell to search through message tracking logs on on-premises servers as well as to trace messages in Exchange Online. And although the experience is somewhat similar, there are some differences worth mentioning.

On-prem Exchange has only one cmdlet for getting to the data of interest: Get-MessageTrackingLog. In Office 365, the corresponding cmdlet is Get-MessageTrace. Both cmdlets execute immediately, but while Get-MessageTrackingLog searches through all existing logs, its Exchange Online counterpart can only go back seven days. For older messages, there is another cmdlet which starts a “historical search” (more about that cmdlet later in the article).

Get-MessageTrace does not require any additional parameters; however, if you do not add any, it will return information about all messages processed by your tenant in the last 48 hours. Normally, that would provide you with too much data for diagnostic purposes. To find out what happened to a specific email, you will need to narrow your query down. For example:

Get-MessageTrace -RecipientAddress <user’s address> -StartDate 11/07/2017 -EndDate 11/14/2017

[Screenshot: Message tracking in Office 365 PowerShell]

This cmdlet shows all mail flow directed to the user between the defined dates. If it does not give all the required details, change the format of the results and specify the properties you need, like FromIP or Size:

Get-MessageTrace -RecipientAddress <user’s address> -StartDate 11/07/2017 -EndDate 11/14/2017 | Format-List -Property Received,SenderAddress,Status,MessageTraceId

[Screenshot: Message tracking in Office 365 PowerShell]

The list provides you with just enough information to find the right message. To check what happened to it, for example why the delivery failed, you will need the Get-MessageTraceDetail cmdlet. Instead of finding and copying the Message Trace ID from the results of the previous cmdlet, let’s just use it in a pipeline:

Get-MessageTrace -RecipientAddress <user’s address> -StartDate 11/07/2017 -EndDate 11/14/2017 -Status Failed | Get-MessageTraceDetail

[Screenshot: Message tracking in Office 365 PowerShell]

As you can easily see, the delivery failed because of a mail flow rule. This is one of the reasons you should always take a second to name mail flow rules properly. A name like “Rule 1” probably will not tell you much, even if you were the one who set up the rule in the past.
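The pipeline above, extended into a reusable function: it pages through a recipient's failed messages for the last seven days and pulls the delivery events for each one, so the responsible mail flow rule shows up in the Detail column. This is an added example, not code from the original article; it assumes an open Exchange Online PowerShell session, and the address in the usage line is a placeholder.

```powershell
# Added example (not from the original article). Assumes an open Exchange Online
# PowerShell session; the recipient address used at the bottom is a placeholder.
function Get-FailedDeliveryEvents {
    param(
        [Parameter(Mandatory)] [string] $RecipientAddress,
        [datetime] $StartDate = (Get-Date).AddDays(-7),   # Get-MessageTrace window
        [datetime] $EndDate   = (Get-Date)
    )

    # Get-MessageTrace returns at most one page (1000 rows by default) per call.
    # Walk the pages explicitly so busy mailboxes are not silently truncated.
    $page   = 1
    $failed = @()
    do {
        $batch = Get-MessageTrace -RecipientAddress $RecipientAddress `
                     -StartDate $StartDate -EndDate $EndDate `
                     -Status Failed -PageSize 5000 -Page $page
        $failed += $batch
        $page++
    } while ($batch.Count -eq 5000)

    foreach ($msg in $failed) {
        # The detail lookup needs both the trace id and the recipient address;
        # the Event/Detail columns name the transport rule that rejected the mail.
        Get-MessageTraceDetail -MessageTraceId $msg.MessageTraceId `
                               -RecipientAddress $msg.RecipientAddress |
            Sort-Object Date |
            Select-Object @{n = 'Subject'; e = { $msg.Subject }},
                          @{n = 'Sender';  e = { $msg.SenderAddress }},
                          Date, Event, Action, Detail
    }
}

# Usage (placeholder address):
Get-FailedDeliveryEvents -RecipientAddress 'user@contoso.example' |
    Format-Table -AutoSize -Wrap
```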

Running a message trace for emails older than a week is not possible directly; it requires running a Historical Search. To begin the search, run Start-HistoricalSearch. The required parameters are: StartDate, EndDate, ReportTitle and ReportType (MessageTrace or MessageTraceDetail). Make sure you have also specified the -NotifyAddress parameter, to receive the report as soon as it is ready. If the -NotifyAddress parameter is not specified, the only way to access the report is via EAC. Also, it is important to narrow down the search to include only the data you need, as a historical search might take up to a few hours.

Start-HistoricalSearch -ReportTitle "Trace1" -ReportType MessageTrace -SenderAddress j.stone@mod099.onmicrosoft.com -StartDate 11/01/2017 -EndDate 11/07/2017 -NotifyAddress j.stone@mod099.onmicrosoft.com

To check the status of any search started in the last ten days, use Get-HistoricalSearch.
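The two cmdlets from this section combined into one function that starts a historical search and then polls Get-HistoricalSearch by JobId until the job finishes. This is an added example, not code from the original article; it assumes an open Exchange Online PowerShell session, placeholder addresses, and that the job's Status property reports 'Done', 'Failed' or 'Cancelled' as terminal values.

```powershell
# Added example (not from the original article). Assumes an open Exchange Online
# PowerShell session; addresses are placeholders and the terminal Status strings
# ('Done', 'Failed', 'Cancelled') are an assumption about the job object.
function Start-HistoricalTraceAndWait {
    param(
        [Parameter(Mandatory)] [string]   $SenderAddress,
        [Parameter(Mandatory)] [string]   $NotifyAddress,   # without it, CSV is EAC-only
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [int] $PollSeconds = 300                             # searches take hours, poll slowly
    )

    # A narrow window (sender + dates) keeps queue time and report size down.
    $title = 'Trace_{0:yyyyMMdd}_{1:yyyyMMdd}' -f $StartDate, $EndDate
    $job = Start-HistoricalSearch -ReportTitle $title -ReportType MessageTrace `
               -SenderAddress $SenderAddress -StartDate $StartDate -EndDate $EndDate `
               -NotifyAddress $NotifyAddress

    # Get-HistoricalSearch lists jobs from the last ten days; select ours by JobId.
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = (Get-HistoricalSearch -JobId $job.JobId).Status
        Write-Verbose ('{0}: {1}' -f $title, $status)
    } while ($status -notin 'Done', 'Failed', 'Cancelled')

    if ($status -ne 'Done') {
        throw "Historical search '$title' ended with status $status"
    }
    # Keep the job object: its JobId identifies the report under
    # 'view pending or completed traces' in EAC if the e-mail never arrives.
    return $job
}

# Usage (placeholder addresses): trace mail from one sender, 30 to 8 days back.
Start-HistoricalTraceAndWait -SenderAddress 'j.stone@contoso.example' `
    -NotifyAddress 'admin@contoso.example' `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date).AddDays(-8) -Verbose
```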

Message tracking in Office 365 using EAC

On-prem Exchange did not allow message tracking via Exchange Admin Center. In Office 365, EAC enables message tracing and offers quite a comfortable experience. Although usually I prefer administrating Exchange Online with PowerShell, I must say that in this case, EAC seems to do its job very efficiently.

To access Message trace, enter the Exchange Admin Center:

[Screenshot: Accessing the Exchange admin center from the Office 365 admin center]

In EAC, go to Mail flow > Message trace.

[Screenshot: Office 365 EAC message trace start]

In this window, you can input your criteria for the reports you want to generate. To search for information on emails sent or received more than seven days ago, you need to choose Custom in the Date range field. Then, enter the start and end date and time accordingly. Remember, tracing older messages is treated as a Historical Search, regardless of whether you use EAC or PowerShell. This means you will have to wait for your reports either way; generating them might take up to a few hours. If you trace messages from the past seven days, clicking search will open a window with the results:

[Screenshot: Message tracing reports list]

If you want to see details for a chosen email, double-click it, and a new window will open:

[Screenshot: Message trace result details]

In this window, you can check what happened to the message. In the example above, you can see that the delivery failed because of a transport rule. You can easily check which transport rule caused the problem and fix the issue.

Back in the main message trace window, clicking view pending or completed traces will show a list of the historical searches you have performed. If you have started a Historical Search using PowerShell and failed to specify the -NotifyAddress parameter, this is the only way to download the CSV file with your report.

[Screenshot: EAC message trace Download Reports]

The downloaded report is in CSV format. Each row displays information about a single email. To make the report more readable, you can open it in Excel or another spreadsheet application.

Further reading

How to prevent internal email spoofing in an Exchange organization

Back up Office 365/Exchange emails before it is too late!
