Mali_Stane
Copper Contributor
Aug 21, 2025

RBAC role to allow you to see in Exchange admin portal messagetrace

I’m trying to build a management role that will allow an admin to access and run messagetrace

https://admin.exchange.microsoft.com/#/messagetrace

I already added the Message Tracking role assignment, but messagetrace is not available in the GUI.

I saw a recommendation for View-Only Recipients, which has Default recipient scope None and Default configuration None. I believe the role is not the correct one.

4 Replies

  • Message Tracking has nothing to do with Message trace actually, won't help you here. To find out which roles you can use for any specific cmdlet, use this:

    Get-ManagementRole -Cmdlet Get-MessageTrace

    In this case, View-Only Recipients is indeed a match, so it should do. 

     

    • Mali_Stane
      Copper Contributor

      I have fixed the issue; now I can run the extended report in the GUI and see the download.

      Now when I click on download report, I get a popup to select an account. Then I can see it working, and nothing happens for 2 hours. So what is now the correct role to successfully download the report? Does a list exist, a real list, with features?

      It takes several hours before modifications are active, and I really don’t want to do trial and error for the next few months to go through combinations…

      The reason I ask is that the specific role should not have any global view of the infrastructure: I removed commands like… Get-MigrationEndpoint, Get-PhishSimOverridePolicy, Get-ProtectionAlert, Get-ScopeEntities, New-IntraOrganizationConnector, etc…

      The role that I created has the following modified groups:

      Transport Rules- Copy
      Public Folders- Copy
      Mail Enabled Public Folders- Copy
      Message Tracking- Copy
      Audit Logs- Copy
      PlacesBuildingManagement- Copy
      PlacesDeskManagement- Copy
      View-Only Recipients- Copy

      • Mali_Stane
        Copper Contributor

        Today I get

        Today I did another test.

        When I click on Download the report.

        I have to authenticate.

        Then I receive an error (circa 30 sec): Sorry! Access denied. You don't have permission to open this page. If you're a new user or were recently assigned credentials, please wait 15 minutes and try again.

         

        You need to know that I removed some cmdlets from the copy roles above.

        For example, from MessageTracking I removed:

        Add-AvailabilityAddressSpace
        Get-AvailabilityAddressSpace
        Get-ScopeAdmins
        Get-ScopeEntities
        New-IntraOrganizationConnector
        New-OrganizationRelationship
        Remove-AvailabilityAddressSpace
        Set-AvailabilityConfig
        Set-IntraOrganizationConnector
        Set-OrganizationRelationship
        Set-UnifiedAuditSetting
        Start-AuditAssistant
        Test-DatabaseEvent
  • In Exchange Online, access to the Message Trace in the EAC is not controlled only by the Message Tracking role. That role gives PowerShell access, but the GUI in the Exchange admin portal is tied to broader built-in roles.

    To see Message Trace in the portal, the account needs to be in a role group that includes both Message Tracking and View-Only Recipients (for directory lookup). The easiest way is to add the user to the Compliance Management or View-Only Organization Management role groups, which surface the GUI option. If you want a custom RBAC role, you must include Message Tracking, View-Only Recipients, and View-Only Configuration to replicate the necessary access.
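
The following is an added example, not code posted by anyone in this thread. It builds on the `Get-ManagementRole -Cmdlet` tip above to audit a trimmed custom role group: it reports which assigned roles still carry each required cmdlet, and which cmdlets were removed from each copied role compared with its parent. The role group name is a hypothetical placeholder, and the script assumes an already connected Exchange Online PowerShell session.

```powershell
# Added example, not from the thread. Assumes a connected Exchange Online
# PowerShell session (Connect-ExchangeOnline) with rights to read RBAC objects.
param(
    [string]   $RoleGroup     = 'MessageTrace-Operators',  # hypothetical role group name
    [string[]] $NeededCmdlets = @('Get-MessageTrace')      # cmdlet named in the thread
)

# Roles assigned to the role group, and the cmdlets each one still carries.
$roles = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroup |
           Select-Object -ExpandProperty Role -Unique |
           ForEach-Object { "$_" })
$entries = @{}
foreach ($r in $roles) {
    $entries[$r] = @(Get-ManagementRoleEntry "$r\*" |
                     Select-Object -ExpandProperty Name)
}

# 1. Coverage: which assigned roles grant each cmdlet the admin needs?
foreach ($cmdlet in $NeededCmdlets) {
    $grantedBy = @($roles | Where-Object { $entries[$_] -contains $cmdlet })
    [pscustomobject]@{
        Check   = 'Coverage'
        Subject = $cmdlet
        Detail  = if ($grantedBy) { $grantedBy -join '; ' } else { 'NOT GRANTED' }
    }
}

# 2. Trim report: cmdlets present in the parent role but removed from the copy.
foreach ($r in $roles) {
    $parent = (Get-ManagementRole -Identity $r).Parent
    if (-not $parent) { continue }   # built-in role, nothing was trimmed
    # Assumption: Parent may come back with a tenant prefix; keep the last segment.
    $parentName = ("$parent" -split '\\')[-1]
    $removed = @(Get-ManagementRoleEntry "$parentName\*" |
                 Select-Object -ExpandProperty Name |
                 Where-Object { $entries[$r] -notcontains $_ } |
                 Sort-Object -Unique)
    [pscustomobject]@{
        Check   = 'RemovedFromParent'
        Subject = $r
        Detail  = $removed -join ', '
    }
}
```

The output only reflects the RBAC objects as currently stored; the thread notes that changes can take hours to become active in the portal.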
