This procedure creates the items Expel needs to make requests to the O365 Message Trace API on your behalf. Onboarding your O365 Message Trace helps Expel investigate your phishing submissions.
Step 1: Create an API user for O365 Message Trace access
- Log in to the Microsoft 365 admin center (https://admin.microsoft.com), navigate to the Active users list view, and click Add a user.
- Fill in the required fields. Note the username and password for use in a later step. Click Next.
- Select Create a user without product license and then click Next.
- Click Next again to skip Optional settings.
- On the Review and finish screen, click Finish adding.
- Log in to the Exchange admin center (https://admin.exchange.microsoft.com), navigate to Roles > Admin roles, scroll to the bottom of the page, and select View-Only - Audit Logs.
- With View-Only - Audit Logs highlighted, click Copy role group.
- Name the role and provide a description, then click Next.
- In the Permissions form, scroll all the way to the bottom and select View-Only Recipients.
- Make sure only the View-Only Recipients permission is selected, and then click Next.
- Search for the user created at the beginning of this guide. Select the user and click Next.
- Verify the information on screen, edit as necessary, and then click Add role group.
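An added check for the end of Step 1 (not part of Expel's or Microsoft's documentation): this PowerShell script uses the ExchangeOnlineManagement module to confirm that the new role group carries only View-Only Recipients and has only the API user as a member. The role group name, API user UPN, and admin UPN are placeholders to replace with your own values.

```powershell
# Added example, not Expel's or Microsoft's code. Requires the
# ExchangeOnlineManagement module. Angle-bracket values are placeholders.
param(
    [string]$RoleGroupName = '<ROLE-GROUP-NAME>',   # name given when copying the role group
    [string]$ApiUserUpn    = '<API-USER-UPN>',      # user created at the start of Step 1
    [string]$AdminUpn      = '<ADMIN-UPN>'          # account allowed to read role groups
)
$ExpectedRole = 'View-Only Recipients'              # the only permission Step 1 selects

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
try {
    $findings = @()

    # Every management role assigned to the role group. The group was copied
    # from View-Only - Audit Logs, so confirm nothing else stayed selected.
    $roles = @(Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
        ForEach-Object { "$($_.Role)" } | Sort-Object -Unique)
    if ($roles -notcontains $ExpectedRole) {
        $findings += "Missing role: $ExpectedRole"
    }
    foreach ($extra in ($roles | Where-Object { $_ -ne $ExpectedRole })) {
        $findings += "Unexpected role: $extra"
    }

    # The API user should be the only member. Matching on Name is an
    # assumption about the properties both cmdlets return.
    $apiUser = Get-User -Identity $ApiUserUpn
    $members = @(Get-RoleGroupMember -Identity $RoleGroupName)
    if ($members.Name -notcontains $apiUser.Name) {
        $findings += "API user is not a member: $ApiUserUpn"
    }
    foreach ($m in ($members | Where-Object { $_.Name -ne $apiUser.Name })) {
        $findings += "Unexpected member: $($m.Name)"
    }

    if ($findings.Count -eq 0) {
        Write-Output "OK: '$RoleGroupName' holds only $ExpectedRole and only the API user."
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Any warning means the role group grants more than the procedure intends, or to more accounts, and should be corrected in the Exchange admin center before the credentials are entered in Workbench.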
Step 2: Configure your technology in Workbench
Now that the correct access is configured and the credentials are noted, we can integrate O365 Message Trace with Expel Workbench.
Register device in Expel Workbench
- In a new browser tab, log into https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, select Add Security Device.
- Search for and select your technology, Message Trace.
- Fill in the fields as follows:
- Click Save.
To confirm this device is functioning, report or send a test email to Expel and ask the SOC to promote it to an investigation. The automatic workflow will run against your new device to confirm it's working. Afterward, the reported test email can be closed.