Microsoft has been working on improving the message tracking experience in Office 365. In this blog post we’ll look at the new message tracking features that are available in Office 365, and compare how the new interface is different from the old message tracing feature.
Message tracking within your messaging environment is the easy part. Office 365 keeps track of messages as they move around your tenant, and it gives you access to that data. So message tracking is very useful for finding out what happened to messages that were sent to your tenant, or that were sent within your tenant.
The problem with message tracking is it can’t see what happens to messages before they arrive in your tenant, or after they leave your tenant. This means that you won’t be able to tell a user that their outbound email was delivered to a recipient outside your organization. But you can show them that it was delivered to the destination organization.
Classic Message Tracing in the Exchange Admin Center
Let’s take a quick look at the classic message tracking features in the Exchange Admin Center for Office 365. The interface for message trace in EAC is not complicated. Select a date range, and some information about the message you are looking for, and click on Search. Below I searched for all the messages from Paul for the last seven days.
Paul sent me a few messages about writing this article. You can see the messages listed below.
Selecting one of those messages will show you more detailed information about that message.
In the screenshot above we can see this message sent by Paul was delivered to my mailbox, into the Inbox folder. That is possible to know because this message was delivered to me, and my mailbox is in the Office 365 tenant that I am searching on. When I do the opposite search for messages I sent to Paul it doesn’t give me that same level of surety that the message was delivered to the recipients Inbox. I can only see that Office 365 successfully sent the email to the destination organization.
Again, it’s important to understand what message tracking can and cannot do. You can get lots of information about the message within your organization. The information you can get about messages for someone else’s environment is limited.
Message Tracking in the Security and Compliance Center
Microsoft has done some work to improve this message trace experience. They’ve released a new message tracking interface is in the Security and Compliance Center. You can find it under the Mail Flow section. There are two new areas: Dashboard and Message trace.
The dashboard is a quick view of some important information that can be useful for diagnosing problems, such as:
- How many messages are sent and received in my tenant
- How many connections were made with TLS security applied
- How many messages were queued for more than an hour
None of these reports tell you much by themselves. Together with other information you can gain a picture of the health of your environment.
Moving on to what we’re here for, let’s go to the Message Trace tab. The interface for this new message trace is built to be more intuitive for administrators who may not be specialized in email tracking. The first thing you’ll see in the Message trace section is five default queries that Microsoft has provided for you.
These default queries will cover a lot of the information that many administrators will be looking for here. That’s fine and all but let’s look at what you can do yourself.
The first situation I thought to test was the help desk call from a user who did not receive a specific message they were expecting. When I get this question, my first step is always to look for messages being filtered as spam. I did a search on my mailbox for all messages filtered as spam over the last day. Here are the results.
I blacked out the send addresses because some of them weren’t spam. This report is a quick way to verify if a specific message was moved to spam and missed. You can also search for messages to and from specific accounts. That may be more appropriate in the situation where an end-user is looking for a specific message.
At the top of the screenshot above you can also see the Filter results button. This is a handy tool when your original search turns up too many messages for you to scan.
Another great feature of this new interface is the saved queries. The last 10 queries I have run are saved for me in the “autosaved queries” section. Selecting one of those queries gives you the option to save that query with the Save button at the bottom.
There are three report types to choose from:
- Summary report, which provides instant access to view the results in your web browser
- Enhanced summary report
- Extended report
Both Enhanced summary and Extended reports are completed using archived message trace data. This means that they can take several hours to generate results, but also that they provide more detailed information.
Summary reports are limited to data for the last 10 days, while the other two report types can pull from data for the last 90 days. Any query can be run for any report type. Saved queries do not have to be run against one report type or the other.
All the reports run in the Security and Compliance center and the Exchange Admin Center run against the same data and return the same results if run with the same options and selection. The difference between the two portals is the look and feel of the interface, and the format of the results.
What About PowerShell?
Wouldn’t it be great if all this new message trace also worked in PowerShell? I thought so too. Unfortunately, it does not. I connected to my Security and Compliance Center PowerShell session, but I do not have any cmdlets that include “*MessageTrace*” as I do in my regular Exchange Online PowerShell session. Hopefully Microsoft will add these cmdlets soon.
The new message trace in the Office 365 Security and Compliance center is a nifty new interface for tracking messages in your Office 365 tenant. It’s not revolutionary. It’s not going to change your life. It is a nice new interface that is easy to use. If this new interface saves you a few minutes a week, then it’s doing its job.