Email Message Tracking in Microsoft 365 (Exchange Online)

Like on-prem Exchange, the cloud Exchange Online has powerful built-in features to track email messages sent or received by users. Message tracking allows you to get full details on any email in your Exchange organization. Using a trace, you can tell whether your company received a specific email, if it was delivered to a user’s mailbox or a remote mail system, or it was filtered by antispam filters/transport rules. In this article, we’ll cover the basic ways to track (trace) sent or received emails in Exchange Online (Microsoft 365) using the Exchange Admin Center (EAC) and PowerShell.

How to Trace a Message in the Exchange Admin Center?

You can trace messages through the Exchange Admin Center web interface. Sign-in to the modern EAC portal (https://admin.exchange.microsoft.com) and go to Mail Flow -> Message Trace.

In the next window, some predefined message tracing options are available. To do a new search, click Start a trace.

Fill in the request fields. You can specify:

• A sender and/or a recipient. In this case, I want to get information about all email messages sent to my company from the external domain gmail.com (*@gmail.com);
• A search period. A report for the last 10 days will be generated interactively. If you want to search logs older than 10 days, will be sent to the specified email address;
• In the Detailed Search Options, you can specify extra search criteria (Message ID, IP address, Delivery Status).

Click the Search button to start searching.

You will see the information about all email messages meeting your criteria.

You can click any email and view detailed information. In this example, the email has been successfully delivered to the recipient’s mailbox (Status: The message was delivered to the recipient’s Inbox folder).

The last 10 trace queries are automatically saved in the EAC console. You can save tracking queries you use often.

Search Message Tracking Logs in Exchange Online (Microsoft 365) with PowerShell

Get-MessageTrackingLog cmdlet used in the on-premises Exchange Server to search sent/received email messages in the MessageTracking transport logs. In Exchange Online, the Get-MessageTrace and Get-MessageTraceDetail cmdlets are used to track messages.

Connect to your Microsoft 365 tenant using the Exchange Online PowerShell module:

Connect-ExchangeOnline -UserPrincipalName maxbak@woshub.onmicrosoft.com -ShowProgress $true

If you run the Get-MessageTrace cmdlet without parameters, it returns information about all emails in your Microsoft 365 tenant for the last 48 hours. You can specify the date range for your search using -StartDate and -EndDate options. Let’s display the information about all messages sent to a user (RecipientAddress) for the last 5 days:

Get-MessageTrace -RecipientAddress maxmak@woshub.onmicrosoft.com -StartDate 12/17/21 -EndDate 12/21/21| select Received,SenderAddress,RecipientAddress, Subject,Size,Status|ft

You can search both RecipientAddress and SenderAddress fields in a single trace query.

Use the -Status option to search by the message delivery status (Failed, Pending, Delivered, Expanded, Quarantined, FilteredAsSpam).

To display detailed information on the found events, use a pipe with Get-MessageTraceDetail cmdlet:

Get-MessageTrace -SenderAddress maxbak@woshub.onmicrosoft.com -StartDate 12/19/21 -EndDate 12/21/21|Get-MessageTraceDetail|fl

The following commands show information about the delivery status of the email message sent to multiple recipients.

Get the MessageID first for any of the recipients:

Get-MessageTrace -RecipientAddress maxbak@woshub.onmicrosoft.com|fl

Then copy the message ID and use it as an argument of the MessageID option:

Get-MessageTrace -MessageID '<PR3PR03MB666621C6A63FC01EBCE8C730F46F9@PR3PR03MB6666.eurprd03.prod.outlook.com>' | select Received, RecipientAddress, Subject, Status

As you can see, a summary message delivery status report appeared.

You can export MessageTrace output to a CSV file for further analysis in Excel:

Get-MessageTrace -SenderAddress maxbak@woshub.onmicrosoft.com|Export-Csv c:\ps\reports\m365_tracking_log.csv

Unlike the on-prem Get-MessageTrackingLog cmdlet that searches all available logs, Get-MessageTrace allows to search messages for the last 10 days only. If you want to get information about emails sent/delivered over 10 days ago, run historical queries using the Start-HistoricalSearch cmdlet.

When using Start-HistoricalSearch, specify the email address to send a report to in the NotifyAddress option:

Start-HistoricalSearch -ReportTitle "Trace2021-20-12" -ReportType MessageTrace -SenderAddress maxbak@woshub.onmicrosoft.com -StartDate 12/01/2021 -EndDate 07/18/2021 -NotifyAddress adele@woshub.onmicrosoft.com

You can get the message status for the historical trace requests using this command:

Get-HistoricalSearch

Invalid StartDate value. The StartDate can't be greater than 90 days from today.