The lack of Message Tracking Logs in Exchange Online has been a concern for some organizations in their adoption of Office 365. Although Message Trace provided a good source of data for investigations, it was limited to the last 7 days of e-mail traffic, meaning administrators would have to frequently extract this data so it could be used later if needed.

Not anymore!

Exchange Online Protection (EOP) and Exchange Online administrators can now check message trace information for the last 90 days.

To access this feature, in the Exchange admin center, click Mail flow and then click on Message trace. When we search for a message sent in the past seven days, we can view the results immediately. However, when searching for older messages, we have to submit a request for an extended message trace. To do this, simply choose the custom date range option and specify any date range in the past 90 days.

When we create a new extended trace request, we can opt to receive an e-mail notification when the trace has been completed by entering an e-mail address in the Notification email address field.

We can also choose to receive a summary list report or a detailed message trace report:
- Summary list report displays basic information about the messages traced, such as time, whether it was delivered, its subject, number of bytes, and so on;
- Detailed message trace report provides more details about messages than the summary list. To get a detailed report, when creating a new trace request, select the Include message events and routing details with report check box. In a detailed trace, all key events with all details that are available in the message tracking logs are exposed, providing an excellent data source for detailed investigations.

Typically, trace requests are processed within hours. The list of submitted requests and their status is displayed on the pending or completed traces page in the Exchange admin center (by clicking on View pending or completed traces under message trace), making it easy to check if a request has been completed.

Once a message trace request has completed processing, you can click Download this report on the right-hand side to view the results in a downloadable CSV file.
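
The same extended trace request can be submitted from Exchange Online PowerShell with the Start-HistoricalSearch and Get-HistoricalSearch cmdlets. The following is an added example, not part of the original post: it assumes an existing Connect-ExchangeOnline session, `Submit-ExtendedTrace` is a hypothetical helper name, and the addresses are placeholders.

```powershell
# Added example. Assumes a session opened with Connect-ExchangeOnline.
# Submit-ExtendedTrace is a hypothetical helper; addresses below are placeholders.
function Submit-ExtendedTrace {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,
        [Parameter(Mandatory)] [datetime] $EndDate,
        [Parameter(Mandatory)] [string]   $SenderAddress,
        [Parameter(Mandatory)] [string]   $NotifyAddress,
        [switch] $Detailed   # equivalent of "Include message events and routing details with report"
    )

    # Reject ranges the service cannot satisfy before submitting a request.
    $now = Get-Date
    if ($StartDate -ge $EndDate)          { throw 'StartDate must be earlier than EndDate.' }
    if ($EndDate -gt $now)                { throw 'EndDate cannot be in the future.' }
    if ($StartDate -lt $now.AddDays(-90)) { throw 'Extended traces only cover the past 90 days.' }

    # Summary list report vs. detailed message trace report.
    $reportType = if ($Detailed) { 'MessageTraceDetail' } else { 'MessageTrace' }

    # A unique title makes the request easy to find in the pending/completed list.
    $title = 'Trace {0} {1:yyyyMMdd}-{2:yyyyMMdd}' -f $SenderAddress, $StartDate, $EndDate

    Start-HistoricalSearch -ReportTitle $title `
        -StartDate $StartDate -EndDate $EndDate `
        -ReportType $reportType `
        -SenderAddress $SenderAddress `
        -NotifyAddress $NotifyAddress | Out-Null

    return $title
}

# Request a detailed trace for a 30-day window ending 20 days ago.
$title = Submit-ExtendedTrace -StartDate (Get-Date).AddDays(-50) `
    -EndDate (Get-Date).AddDays(-20) `
    -SenderAddress 'sender@example.com' `
    -NotifyAddress 'admin@example.com' `
    -Detailed

# Equivalent of "View pending or completed traces": check the request status.
Get-HistoricalSearch |
    Where-Object { $_.ReportTitle -eq $title } |
    Select-Object JobId, ReportTitle, Status
```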