Blog Post

Exchange Team Blog
6 MIN READ

Announcing Public Preview of the New Message Trace in Exchange Online

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Dec 16, 2024

Update 5/6/2025: We added information about new cmdlet throttling limit.

Today, we are excited to announce that the Public Preview of the new Message Trace in the Exchange admin center (EAC) in Exchange Online will begin rolling out mid-December and is expected to be completed by the end of December 2024. Admins will soon be able to access the new Message Trace and its capabilities by default when navigating to the Exchange admin center > Mail flow > Message Trace.

As illustrated in the image below, the new Message Trace will be toggled “on” by default once the change has been deployed to your tenant. If you wish to disable the preview, you can do so by toggling this setting to “off.”  

Key UI functionality changes

  • Extended Query Range: You can now query up to 90 days of historical data for near real-time queries. However, please note that you can only query 10 days’ worth of data at a time. Please note that you will initially only have 30 days of historical data for near real-time query, and this will build over time to 90 days of historical data.  
  • Subject Filter: The subject filter for Message Trace queries is now available, supporting "starts with""ends with", and "contains" functions. This filter also supports special characters.
  • Delivery Status Filter: The delivery status filter will now support searches for "Quarantined", "Filtered as spam", and "Getting status" statuses.

Additional UI updates based on feedback

  • Customizable Columns: For your search results, we’ve introduced customizable columns and added additional column options that you can select from. Please refer to the image below for the new columns that have been added.
  • Persistent Column Widths: You will be able to customize your column-widths, and these changes will be sticky per logged-on admin account, so they will not have to be reset every time you run a new message trace query. This change is currently in progress and will be made available in early February.
  • Wider Flyout Option: An option for a wider flyout for the Message Trace detail is now available.
  • Time Zone Consistency: Message Trace will now default to the time zone set in the Exchange account settings of the logged-on admin.

Key cmdlet changes from Get-MessageTrace

To utilize the new Message Trace functionality via the new PowerShell cmdlet Get-MessageTraceV2 please ensure you are using version 3.7.0 or later of the Exchange Online PowerShell V3 module.

  • Extended Query Range: Ability to query up to 90 days of historical data. However, please note that you will only be able to query 10 days’ worth of data per query. Please note that you will initially only have 30 days of historical data for near real-time query, and this will build over time to 90 days of historical data.

  • Subject Parameter: The addition of a subject parameter allowing for more specific Message Trace queries.

  • No Page number or Page size parameter:  There will not be pagination support in the new Message Trace cmdlet.

  • Result size parameter: The new Message Trace will support a default value of 1000 results and a maximum of 5000 results (set via the -ResultSize parameter). This change is to ensure fair use of our resources, as pagination can create performance issues for our system.
  • StartingRecipientAddress parameter: This parameter’s main use is to assist in pulling subsequent data while minimizing duplication.

Since pagination will no longer be supported, you can utilize the EndTime parameter with the "Received" time of the last record of the query results and fill in the StartingRecipientAddresss parameter with RecipientAddress of the last record of the previous result. See the example below for more details.

Example of differences between V1 and V2:

For the sample data above, you can pull the first 10 records by either query:

Old Message Trace

Get-MessageTrace -StartDate '2024-11-01T00:00:00Z' -EndDate '2024-11-01T00:10:00Z' -Page 1 -PageSize 10

New Message Trace

Get-MessageTraceV2 -StartDate '2024-11-01T00:00:00Z' -EndDate '2024-11-01T00:10:00Z' -ResultSize 10

To pull the next subsequent records, you could use either of the following queries.  In the V2 example below, we are using the StartingRecipientAddress of last recipient (r_1_010@contoso) from the previous results.

Old Message Trace

Get-MessageTrace -StartDate '2024-11-01T00:00:00Z' -EndDate '2024-11-01T00:10:00Z' -Page 2 -PageSize 10

New Message Trace

Get-MessageTraceV2 -StartDate '2024-11-01T00:00:00Z' -EndDate '2024-11-01T00:10:00Z' -ResultSize 10 -StartingRecipientAddress r_1_010@contoso.com
  • Throttling Limits: To reduce the risk of misuse and abuse of Exchange Online resources, ensure services availability for all users, and provide a predictable experience for our customers, we will implement a rate-based throttling limit based on the number of requests in a time period. For a tenant, a maximum of 100 query requests will be accepted within a 5-minute running window. Throttling is automatically not applied if the request rate is lower than 100 requests in the past 5 minutes. If your tenant has automation set up to query more frequently than the throttling threshold, please update your automation to fit below the throttling limit.

Cmdlet

Tenant level limit

Get-MesesageTraceV2  

100 requests per 5 min  

Get-MessageTraceDetailV2  

100 requests per 5 min  

Best practices

To improve query performance, specify as many and as precise filters as possible.
We highly recommend that admins narrow the gap between StartDate and EndDate whenever possible. It is also advisable to set additional parameters, such as SenderAddress, when the sender is known.

Use MessageTraceId when applicable for PowerShell queries. Note that this is required when querying data for messages sent to over 1,000 recipients. This is also supported in EAC now.
 
Set the MessageTraceId (also known as NetworkMsgId in the message tracking log) when investigating a specific message or when a message is sent to many recipients (e.g., over 1,000). This is required to obtain complete results. When used together with StartingRecipientAddress, you can retrieve the full dataset in multiple rounds. See the FAQ section for more details on StartingRecipientAddress.

Frequently asked questions

How can we tell if partial results are displayed?

For Exchange Admin Center (EAC) users, scroll down to get more results until the data is complete. Users don't have to take any additional action, and V2 will load it automatically as user scrolls down to get additional results. For Exchange Online PowerShell cmdlet users, we are working on providing a hint in the output for the next query if the data is partial (expected within next few weeks). For now, users can utilize the sample script below to gather results continuously.

Sample script:

$mt = Get-MessageTraceV2 -<filters>
$nextRound = Get-MessageTraceV2 -<filters> -EndDate $mt[-1].Received.ToString(“O”)

How could pagination from V1 be achieved in V2?

Pagination is deprecated in V2 to ensure fair use of resources and query performance for all users. Instead, you can get results round by round. The results are ordered by Received in descending order first, then RecipientAddress in ascending order (case-insensitive). To get the next round of results, update the EndDate parameter to the Received value of the last data from the current round. Refer to the sample scripts in the previous section.

When and how could we use the parameter: StartingRecipientAddress?

The StartingRecipientAddress parameter is used to get the next round of data. StartingRecipientAddress,together with Received, can get the results round by round to get the complete results. In the next round, data that shares the same Received as the last result in the current round but has RecipientAddress that is alphabetically larger than the StartingRecipientAddress(case-insensitive), or older than the last result in the current round, will be output.

Sample script:

$mt = Get-MessageTraceV2 -<filters>
$nextRound = Get-MessageTraceV2 -<filters> -EndDate $mt[-1].Received.ToString(“O”) -StartingRecipientAddress $mt[-1].RecipientAddress

Known differences

  • Message trace V1 normalizes all recipients to lowercase, while V2 keeps them the same as in Message Tracking Logs.
  • When displaying the results, V2 will order by Received in descending order first, then RecipientAddress in ascending order(case-insensitive).
  • V2 retrieves the most up-to-date email size from the email system, providing a more accurate reflection of the current status, whereas V1 returns the earliest recorded size.
  • For messages with over 1000 recipients, admins must include the MessageTraceId in both the EAC and PowerShell cmdlet queries to avoid partial results.
  • For quarantine scenarios, V2 will display the latest status while V1 displayed the original status. So if the email is quarantined initially and then released by the administrator later, Message Trace v2 will show the latest status which is delivered to Mailbox.

We plan to eventually deprecate the old message trace UI and PowerShell command; we will share more details when the feature reaches General Availability.

Microsoft 365 Messaging Team

Updated Aug 27, 2025
Version 13.0
announcements
exchange online
tools
transport

43 Comments

Show More
  • Michael_Chalmers's avatar
    Michael_Chalmers
    Copper Contributor
    Jan 13, 2025

    Update - Found the issue - Clicking "Search" returns the results - please ignore and apologies for misunderstanding! Hi, we appear to have lost the ability to carry out a "summary report - instant online access" via EAC.  The "next" button is greyed out unless selecting enhanced report or extended report option. "Try New Message Trace" is toggled on but same problem if we revert to original. Wondering if this is related to recent changes? Thanks, Michael

  • Dzmitry82's avatar
    Dzmitry82
    Copper Contributor
    Jan 10, 2025

    ok, we have 2 mln emails during a day how to export all tracking logs in this case?

    • Qingjun_Chen's avatar
      Qingjun_Chen
      Icon for Microsoft rankMicrosoft
      Jan 13, 2025

      The new Message Trace feature focuses on message trace and message trace details. If you need to obtain the status of the 2 million emails sent in a day, you can divide the day into smaller intervals, such as 5 minutes, and run Get-MessageTraceV2 to get the traces for each interval, which would be approximately 7,000 emails per interval. We are developing a feature to display the next query command if there are more results. Please refer to the "Frequently Asked Questions" section for further details.

      Additionally, could you please share the purpose of exporting all the traces or logs? How do you currently achieve this?

      Thanks,

      Qingjun

      M365 Messaging Team

      • Dzmitry82's avatar
        Dzmitry82
        Copper Contributor
        Jan 24, 2025

        Ok.. the real task we have daily routine 2 min email and additional 2 or 3 notifications to global DLs which include more than 100 000 users.. 

        how can I export all message traces in this case? 

  • woods_sj's avatar
    woods_sj
    Copper Contributor
    Jan 07, 2025

    I'm not seeing the toggle button at all.  There is no mention of New Message Trace anywhere on the page.

    • ericacho's avatar
      ericacho
      Icon for Microsoft rankMicrosoft
      Jan 08, 2025

      Hi woods_sj , this issue should be resolved now. Please let us know if you are still facing the same issue. 

       

      Thanks, 

      Erica 

      M365 Messaging Team

      • woods_sj's avatar
        woods_sj
        Copper Contributor
        Jan 08, 2025

        Erica, Thank you.  I can see the toggle now and the options to search by subject.  

  • SkySwim's avatar
    SkySwim
    Copper Contributor
    Jan 06, 2025

    I saw the new message trace toggle button for about 1 day and now its gone...

    Any one else has this issue?

    • ericacho's avatar
      ericacho
      Icon for Microsoft rankMicrosoft
      Jan 08, 2025

      Hi SkySwim , this should be resolved now. Please let us know if you are still having this issue. 

       

      Thanks, 

      Erica 

      M365 Messaging Team

  • JeremyTBradshaw's avatar
    JeremyTBradshaw
    Iron Contributor
    Dec 27, 2024

    I'm finding even while "New Message Trace" is showing in the initial flyout after clicking "Start a trace", it's still limited to 10 days back in time, rather than just 10 days' worth in total.  I've gone back less than 20 days and 4 days' worth starting from the 20 days ago mark, still must queue up an enhanced summary, no instant results.

    Would be nice if somehow there was just another table like EmailEvents that was just MessageTrackingLogs.  And then we could use KQL in either some new interface, or the Defender portal > Hunting.

    • Qingjun_Chen's avatar
      Qingjun_Chen
      Icon for Microsoft rankMicrosoft
      Jan 13, 2025

      Thanks JeremyTBradshaw for the comments.

      Are you still experiencing this issue on EAC? 

      Could you please specify the events and properties you need in MessageTrackingLogs?

      Thanks,

      Qingjun

      M365 Messaging Team

      • JeremyTBradshaw's avatar
        JeremyTBradshaw
        Iron Contributor
        Jan 17, 2025

        Hi Qingjun_Chen,

        No, thanks, I am no longer having that issue, the New Message Trace has been fixed and seems to behave as advertised now.  In hindsight, when I posted that comment, the only new thing about it was the title at the top that stated "New Message Trace", everything else was still "old" message trace.  Now both the title and the rest are the "new" variation.  It's pretty good.  Nonetheless, the KQL stuff would be nice still and from having looked around message tracking logs just now, these are the fields I feel would be required or essential/nice to have:

        Timestamp
        SourceContext
        ConnectorId (assuming we'd see our Inbound/Outbound connectors there, when applicable)
        Source
        EventId
        MessageId
        NetworkMessageId
        Recipients
        RecipientStatus
        TotalBytes
        RecipientCount
        MessageSubject
        Sender
        ReturnPath
        Directionality
        OriginalClientIp
        MessageInfo

        Will be great if this actually comes along.  Thanks!

  • Satyajit321's avatar
    Satyajit321
    Iron Contributor
    Dec 20, 2024

    Glad to see improvements coming to this area, can't recall when it was last time!

    90 days and subject filtering is something which will surely add value from OnPrem times.

    We do understand sometimes MS might run into performance issues due to pagination, however the solution needs to be simple and workable. Instead of making it more difficult to get the dump.

    The current options like commented by alexandruliviunita are confusing and doesn't appear to be able to provide the same results.

    • StartingRecipientAddress - Unclear how it continues without causing duplications
    • "For messages with over 1000 recipients, admins must include the MessageTraceId in both the EAC and PowerShell cmdlet queries to avoid partial results." - While running a bulk query, how a admin is suppose to keep track or be aware, if there are 1000+ recipients or not. Is EXO going to warn that the data is partial before of xzy reason. Pagination never had such issues, just give the sender and it kept going on.
    • We could even jump and get total counts without having to traverse one by one. How do we get this done using the new PS. I can count upto a 5M emails in few seconds for a query.
    Get-MessageTrace -SenderAddress <emailaddress> -PageSize 5000 -Page 1000 | measure

     

    • "Enhanced summary report: Available only as a downloadable CSV file. The report returns up to 100,000 results." - What's with Historical data exports where we can download bulk results, any changes to them or they just stay the same, supports more filters as above.
    • "Result size parameter: The new Message Trace will support a default value of 1000 results and a maximum of 5000 results (set via the -ResultSize parameter), which is a significant increase." - What's the significant increase here, appears to be just same as what PageSize supported.

    "The PageSize parameter specifies the maximum number of entries per page. Valid input for this parameter is an integer between 1 and 5000. The default value is 1000."

     

    • Qingjun_Chen's avatar
      Qingjun_Chen
      Icon for Microsoft rankMicrosoft
      Dec 24, 2024

      Thank you, Satyajit321for your thoughtful comments and feedback. This is Qingjun from Microsoft 365 Messaging Team. We're pleased to hear that you're glad about the improvements coming to the Message Trace feature. We'd like to address each of your points to provide clarity:

       

      • StartingRecipientAddress - Unclear how it continues without causing duplications

       

      We will update the blog post to provide a more detailed explanation of how this parameter works and how it helps in retrieving subsequent records while minimizing duplication.

       

      • "For messages with over 1000 recipients, admins must include the MessageTraceId in both the EAC and PowerShell cmdlet queries to avoid partial results." - While running a bulk query, how a admin is suppose to keep track or be aware, if there are 1000+ recipients or not. Is EXO going to warn that the data is partial before of xzy reason. Pagination never had such issues, just give the sender and it kept going on.

       

      You raised a valid concern about how admins can be aware of messages with over 1000 recipients to avoid partial results. We plan to implement a warning notification in such cases. This warning will inform admins when a message has more than 1000 recipients, so they can query that specific message using the MessageTraceId to retrieve all recipient data.

       

      • We could even jump and get total counts without having to traverse one by one. How do we get this done using the new PS. I can count upto a 5M emails in few seconds for a query.

       

      We appreciate your feedback on this matter. Could you please clarify why it is necessary to count up to 5M directly without knowing the results of previous pages? In the new message trace, we recommend narrowing down the query duration and specifying filters to achieve the expected results more efficiently. For data dumping, narrowing down the query duration will also enhance query performance. We will update the blog with more details.

       

      • "Enhanced summary report: Available only as a downloadable CSV file. The report returns up to 100,000 results." - What's with Historical data exports where we can download bulk results, any changes to them or they just stay the same, supports more filters as above.

       

      No plan for enhanced summary report.

       

      • "Result size parameter: The new Message Trace will support a default value of 1000 results and a maximum of 5000 results (set via the -ResultSize parameter), which is a significant increase." - What's the significant increase here, appears to be just same as what PageSize supported.

       

      Thanks for pointing it out. We initially planned to support a larger result size but encountered issues that prevented this. We will update the blog post to accurately reflect this information and avoid any confusion.

      We truly appreciate your feedback, as it helps us improve both our communication and the features we offer. Your input is valuable in ensuring that the new Message Trace meets the needs of admins. Please feel free to share any additional thoughts or questions you might have.

      • Satyajit321's avatar
        Satyajit321
        Iron Contributor
        Dec 27, 2024

        Qingjun_Chenthank you for your detailed response and planned actions. Please find the addtional information as requested and few more questions.

        • "Could you please clarify why it is necessary to count up to 5M directly without knowing the results of previous pages?" - We currently use it to quickly determine impact for a specific troubleshooting case, where a sender or application has triggered lots of emails, * in order for us to determine the impact in volumes, * or sometimes to push back on the application of being non-compliant of the M365 service limits, * this figure allows a us a strong evidence to keep our ground.  * Also helps determine what's the overall output, so that we can determine if we want to loop to extract the data/report or not.
        • "No plan for enhanced summary report." - Just to be clear, you mean no changes to existing ones either. They remain intact, as we use it for several other reporting including spam reporting etc.
  • alexandruliviunita's avatar
    alexandruliviunita
    Brass Contributor
    Dec 18, 2024

    These updates sound good, especially having 90 days eventually available, but some questions naturally appear around loss of pagination.


    I'm a bit confused about StartingRecipientAddress replacing pagination.
    We will not have unique recipients for the results of the first query, how will using this recipient as an anchor help in ensuring we get a true continuation of Message Trace logs with no entries skipped and minimum duplication?
    I'm sure there is a good reason behind this, but I cant find an explanation why the choice for this continuation anchor was not NetworkMessageID of last entry of an incomplete query output.

    Does the service somehow cache my last query output and knows where to pickup on next query as long as it has a StartingRecipientAddress that matches the last returned entry?

    • scaph01's avatar
      scaph01
      Copper Contributor
      Dec 18, 2024

      yeah I agree here.  We have use cases where we collect the message trace for the journal service.  All emails are send to the same recipient (journal address).  I am thinking that we will have to make a request for a time window and for the next "page" is to move the start time parameter up to the last timestamp on the previous response.  

      • Qingjun_Chen's avatar
        Qingjun_Chen
        Icon for Microsoft rankMicrosoft
        Dec 24, 2024

        Thanks alexandruliviunita and scaph01 for the feedbacks. Regarding StartingRecipientAddress, we will update the blog post to provide a more detailed explanation of how this parameter works and how it helps in retrieving subsequent records while minimizing duplication.

         scaph01, In the new message trace, we recommend narrowing down the query duration and specifying filters to achieve the expected results more efficiently, which aligns with your thoughts.

  • PS_Exchange_Adm's avatar
    PS_Exchange_Adm
    Copper Contributor
    Dec 16, 2024

    I appreciate the level of work put into updating the message trace UI and capabilities, but it still feels very basic in terms of the data returned.  Can a future update add valuable information such as the connector used to receive the message, the TLS version used in the SMTP conversation, and whether or not the message contained an attachment?  It would be very helpful also to add a condition to the search query as to whether or not the message had an attachment.

    • MiguelG1470's avatar
      MiguelG1470
      Copper Contributor
      Dec 18, 2024

      Some of them, if not all, can be found on Explorer within Microsoft Defender.

      • PS_Exchange_Adm's avatar
        PS_Exchange_Adm
        Copper Contributor
        Dec 20, 2024

        MiguelG1470Agreed, but having to jump over to a second tool and conduct a second search to obtain this information is cumbersome.  Additionally, Defender only shows 30 days of data, and not everyone that has the permission to execute message traces in Exchange Online have permission is Defender to search messages in mailboxes.

  • GerodSerafin's avatar
    GerodSerafin
    Brass Contributor
    Dec 16, 2024

    Nice work! As someone who has used another product with excellent message tracking for a while, I’m really glad to see this improvement in Exchange Online's tracking. I’m hopeful that this update will make it much quicker and easier to get message tracking details. Thanks for working on this!