Update Message Trace inputs for the Splunk Add-on for Microsoft Office 365

Use this guide to update your Message Trace inputs in the Splunk Add-on for Microsoft Office 365. To use the current Message Trace implementation, upgrade the add-on to version 6.0.0 and update your Microsoft Entra ID application configuration.

Before you begin

Before updating your Message Trace inputs, complete the following tasks.

Update Microsoft Entra ID permissions

Add the following Microsoft Graph application permission:

  • ExchangeMessageTrace.Read.All (required)

You can also add the following permission if you want the add-on to provision the required Microsoft service principal automatically during the first Message Trace run:

  • Application.ReadWrite.All (optional)

If you do not grant Application.ReadWrite.All, you must complete the Microsoft Graph Message Trace prerequisites manually, as described in Microsoft’s exchangeMessageTrace prerequisites.

After updating the permissions, grant admin consent for the application.

Update tenant settings

Make sure the tenant used by the Splunk Add-on for Microsoft Office 365 is configured with the Worldwide endpoint. Graph Message Trace is supported only in the Global cloud for this add-on.

Update your workflows

Update your searches, dashboards, and downstream workflows to use sourcetype o365:graph:messagetrace.

Treat sourcetype o365:reporting:messagetrace as legacy or historical data only.

Important considerations

Propagation delay

After provisioning or changing permissions, Microsoft tenant-side propagation can take several hours. If Message Trace does not work immediately after the change, wait and try again.

Troubleshooting

If Message Trace returns 401 errors after the update:

  • Verify that ExchangeMessageTrace.Read.All is assigned.
  • Confirm that all Message Trace prerequisites are complete.
  • Check that the tenant endpoint is set to Worldwide.
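
The permission and endpoint checks above can be read directly from an access token issued to the application, because Microsoft Entra ID lists granted application permissions in the token's roles claim. The following Python sketch is an added example, not code from the add-on or from this documentation; the function names, the accepted audience values, and the sample token are assumptions constructed for illustration.

```python
import base64
import json

REQUIRED = "ExchangeMessageTrace.Read.All"  # required permission named on this page
OPTIONAL = "Application.ReadWrite.All"      # optional auto-provisioning permission
# Assumption: audience values that identify the Worldwide (Global) Microsoft Graph service.
WORLDWIDE_AUDIENCES = {
    "https://graph.microsoft.com",
    "00000003-0000-0000-c000-000000000000",
}


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_message_trace_token(token):
    """Map the 401 checklist onto the claims of an app-only Graph access token."""
    claims = decode_claims(token)
    roles = set(claims.get("roles", []))
    aud = str(claims.get("aud", "")).rstrip("/")
    findings = []
    if REQUIRED not in roles:
        findings.append(f"missing {REQUIRED}: assign it and grant admin consent")
    if aud not in WORLDWIDE_AUDIENCES:
        findings.append(f"audience {aud!r} is not Worldwide Graph: check the tenant endpoint")
    if OPTIONAL not in roles:
        findings.append(f"{OPTIONAL} absent: Message Trace prerequisites must be completed manually")
    return findings


def make_sample_token(roles, aud):
    """Build an unsigned, constructed token for the demo (not a real Entra ID token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"aud": aud, "roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed sample: wrong cloud audience and no Message Trace permission.
    sample = make_sample_token(["AuditLog.Read.All"], "https://graph.microsoft.us")
    for line in check_message_trace_token(sample):
        print("-", line)
```

An empty result means the token carries both permissions and a Worldwide Graph audience; a 401 in that state points to the remaining checklist item or to the propagation delay described above.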

For additional troubleshooting guidance, see Troubleshoot the Splunk Add-on for Microsoft Office 365.

For configuration details and input parameters, see Configure Message Trace inputs for the Splunk Add-on for Microsoft Office 365.