How to Check and Analyze Message Traces in Microsoft 365 Exchange Online

Why Message Tracing Matters for Microsoft 365 Administrators

Tracing messages is a crucial task for Microsoft 365 administrators to diagnose mail delivery issues, audit activity, and maintain compliance. This guide covers three up-to-date methods to perform message traces using Exchange Online and CoreView.

Tracing messages is a crucial task for Microsoft 365 administrators to diagnose mail delivery issues, audit activity, and maintain compliance. This guide covers three up-to-date methods to perform message traces using Exchange Online and CoreView.

How to Run a Message Trace Using the Exchange Admin Center

To run a message trace, you need to be a member of one of the following role groups:

• Global Administrator
• ‍Exchange Administrator

For more information, see the following Microsoft guides:

• Manage role groups in Exchange Online ‍
• Permissions in Exchange Online ‍
• Feature permissions in Exchange Online.

Step-by-Step Guide to Message Tracing in Exchange Admin Center [H3]

• Navigate to the Exchange Admin Center.
• In the left pane, expand “Mail flow”, and then select “Message trace”.
• Click “Start a trace”.

• Specify your desired search criteria (sender, recipient, and date range).
• Click “Search”.

• Review results, view details, and download reports as needed.

For more detailed information on Message Trace using Exchange Admin Center, please refer to the Message trace in the modern Exchange admin center in Exchange Online article.

How to Perform Message Traces with PowerShell

Leverage PowerShell for automated or advanced message tracing using the Exchange Online PowerShell V2 Module (EXO V2).

Setting Up PowerShell for Exchange Online Tracing

Open PowerShell and connect to Exchange Online:

Connect-ExchangeOnline 

Basic message trace:

Get-MessageTrace 

This returns messages from the last 48 hours if no parameters are specified.

Example:

# Trace messages sent by john@contoso.com within a specific date range
Get-MessageTrace -SenderAddress john@contoso.com -StartDate 12/20/2022 -EndDate 12/30/2022 

Notes:

• Get-MessageTrace retrieves data from the past 10 days only. Searching further back will produce an error.
• To search for data older than 10 days, use the following:

Start-HistoricalSearch
Get-HistoricalSearch 

• By default, up to 1,000 results are returned.
• For large searches, consider dividing the query by using smaller -StartDate and -EndDate intervals.
• All output is in UTC, which may differ from the time format used for the -StartDate and -EndDate parameters.
• Ensure your account has appropriate Exchange Online roles.

For more, see Get-MessageTrace on Microsoft Learn.

How to Use CoreView for Message Trace

• Go to the CoreView portal.
• Go to Reports > Exchange > Message Trace. Or use the search bar at the top—type “Trace” to find the report.

Specify your criteria:

• Sender or Recipient (type email addresses to select)
• Date range (typically limited to 10 days; your tenant may require date selection before searching to improve performance).
• Use Advanced Filters for further refinement (e.g., subject, status).

• Once completed, click on the “Search” option to run the query.

• Click on the “MessageTraceID” arrow to view message details.

Understanding Key Terms and Message Status Definitions

Key terms

• Senders: Enter or select one or multiple senders from your organization. ‍
• Recipients: Enter or select one or multiple recipients.

Message statuses

• Delivered: the message was successfully sent to the recipient. ‍
• Expanded: a distribution group was expanded before delivery to members. ‍
• Failed: the message wasn't delivered. ‍
• Pending: delivery of the message is being attempted or reattempted. ‍
• Quarantined: the message was quarantined (as spam, bulk mail, or phishing). For more information, please refer to Quarantined email messages in EOP. ‍
• Filtered as spam: The message was identified as spam, and was rejected or blocked (not quarantined).

Operators will only be able to view and manage mailboxes that are part of their defined V-Tenant scope.

‍