Skip to main content

Office 365 Message Trace getting started guide

Scott Dewbre
  • Updated

This procedure creates the items Expel needs to make requests to the O365 Message Trace API on your behalf. Onboarding your O365 Message Trace helps Expel investigate your phishing submissions.

Step 1: Create an API user for O365 Message Trace access

  1. Login to the Microsoft 365 admin center (https://admin.microsoft.com), navigate to the Active users list view, and click Add a user.
    mceclip0.png
  2. Fill in the required fields. Note the username and password for use in a later step. Click Next.
    mceclip0.png
  3. Select Create a user without product license and then click Next.
    mceclip2.png
  4. Click Next again to skip Optional settings.
  5. On the Review and finish screen, click Finish adding.
    mceclip1.png
  6. Login to the Exchange admin center (https://admin.exchange.microsoft.com), navigate to Roles > Admin roles, scroll to the bottom of the page, and select View-Only - Audit Logs.
    mceclip5.png
  7. With View Only - Audit Logs highlighted, click Copy role group.
    mceclip6.png
  8. Name the role and provide a description, then click Next.
    mceclip7.png
  9. In the Permissions form, scroll all the way to the bottom and select View-Only Recipients.
    mceclip8.png
  10. Make sure only View-Only Recipients permission is selected and click Next.
    mceclip9.png
  11. Search for the user created at the beginning of this guide. Select the user and click Next.
    mceclip10.png
  12. Verify the information on screen, edit as necessary, and then click Add role group.
    mceclip11.png

Step 2: Configure your technology in Workbench

Now that we have all the correct access configured and noted the credentials, we can integrate O365 Message Trace with Expel Workbench.

Register device in Expel Workbench

    1. In a new browser tab, log into https://workbench.expel.io.
    2. On the console page, navigate to Settings and click Security Devices.
    3. At the top right of the page, select Add Security Device.
      image-1
    4. Search for and select your technology Message Trace.
      mceclip2.png
    5. Fill in the fields as follows:
        • Name: the name of the plugin, for example: "Phishing O365 Message Trace."
        • Location: the location of the device within your organization, for example: "Cloud."
        • O365 account username: the username created in Step 1.
        • O365 account password: the password created in Step 1.
          mceclip1.png
    6. Click Save.

To confirm this device is functioning, report/send a test email to Expel and ask the SOC to promote to investigation. The automatic workflow will run against your new device to confirm it's working. Afterward, the report/test email can be closed.

Related terms

Office365, O365, messagetrace, MessageTrace

Related articles

Comments

0 comments

Please sign in to leave a comment.