
Update Message Trace inputs for the Splunk Add-on for Microsoft Office 365

Use this guide to update your Message Trace inputs in the Splunk Add-on for Microsoft Office 365. To use the current Message Trace implementation, upgrade the add-on to version 6.0.0 and update your Microsoft Entra ID application configuration.

Government cloud tenants (USGovGCC, USGovGCCHigh)

This guide describes the migration for Worldwide tenants to the Microsoft Graph Message Trace API. If your tenant uses the USGovGCC or USGovGCCHigh endpoint, the add-on continues to use the Exchange Online Reporting Web Service (RWS) API with sourcetype o365:reporting:messagetrace. No migration steps are required for government cloud tenants — RWS collection is active and unchanged.

Before you begin

Before updating your Message Trace inputs, make sure that you complete the following steps:

Update Microsoft Entra ID permissions

Add the following Microsoft Graph application permission:

  • ExchangeMessageTrace.Read.All (required)

You can also add the following permission if you want the add-on to provision the required Microsoft service principal automatically during the first Message Trace run:

  • Application.ReadWrite.All (optional)

If you do not grant Application.ReadWrite.All, you must complete the Microsoft Graph Message Trace prerequisites manually, as described in Microsoft’s exchangeMessageTrace prerequisites.

After updating the permissions, grant admin consent for the application.

Update tenant settings

Make sure the tenant used by the Splunk Add-on for Microsoft Office 365 is configured with the Worldwide endpoint. Graph Message Trace is supported only in the Global cloud for this add-on.

Update your workflows

Update your searches, dashboards, and downstream workflows to use sourcetype o365:graph:messagetrace for Worldwide tenants.

Do not treat sourcetype o365:reporting:messagetrace as legacy-only. It is the active sourcetype for USGovGCC and USGovGCCHigh tenants.

Important considerations

Propagation delay

After provisioning or changing permissions, Microsoft tenant-side propagation can take several hours. If Message Trace does not work immediately after the change, wait and try again.

Troubleshooting

If Message Trace returns 401 errors after the update (Worldwide tenants):

  • Verify that ExchangeMessageTrace.Read.All is assigned.
  • Confirm that all Message Trace prerequisites are complete.
  • Check that the tenant endpoint is set to Worldwide.
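A pre-flight check for the permission step above and for the first item of this troubleshooting list, as an added example that is not Splunk's or Microsoft's code: it evaluates the add-on's app registration and its service principal's appRoleAssignments as returned by Microsoft Graph and reports whether ExchangeMessageTrace.Read.All is requested as an application permission and admin-consented. The Graph request paths and the Microsoft Graph resource appId 00000003-0000-0000-c000-000000000000 are real; the sample responses and permission GUIDs are constructed, and the functions can be fed the live responses instead.

```python
"""Pre-flight check for the Graph Message Trace migration (added example, not Splunk's or
Microsoft's code). It evaluates three Microsoft Graph responses, fetched with an admin
token in practice; constructed samples are used below so the check runs offline:
  graph_sp - GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
  app      - GET /applications/{object-id} of the add-on's app registration
  assigned - GET /servicePrincipals/{add-on sp object-id}/appRoleAssignments
"""
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId
REQUIRED = {"ExchangeMessageTrace.Read.All"}
OPTIONAL = {"Application.ReadWrite.All"}  # only needed for automatic provisioning

def role_ids_by_value(graph_sp: dict) -> dict:
    """Map application-permission names to GUIDs; ids differ per cloud, names do not."""
    return {r["value"]: r["id"] for r in graph_sp["appRoles"]
            if "Application" in r.get("allowedMemberTypes", [])}

def check_message_trace_permissions(graph_sp: dict, app: dict, assigned: list) -> dict:
    ids = role_ids_by_value(graph_sp)
    # Application permissions (type "Role") the registration requests from Microsoft Graph.
    # A delegated "Scope" entry with the same name would not satisfy the add-on.
    requested = {acc["id"] for res in app.get("requiredResourceAccess", [])
                 if res["resourceAppId"] == GRAPH_APP_ID
                 for acc in res["resourceAccess"] if acc["type"] == "Role"}
    # Admin consent materialises as appRoleAssignments on the add-on's service principal.
    consented = {a["appRoleId"] for a in assigned}
    def status(name):
        rid = ids.get(name)
        if rid is None or rid not in requested:
            return "missing"
        return "granted" if rid in consented else "needs admin consent"
    return {name: status(name) for name in REQUIRED | OPTIONAL}

def ready_for_graph_message_trace(report: dict) -> bool:
    """True only when every required permission is both requested and consented."""
    return all(report[n] == "granted" for n in REQUIRED)

# Constructed sample responses; the GUIDs are placeholders, not real Microsoft role ids.
TRACE_ID, APPRW_ID = "11111111-aaaa-4aaa-aaaa-111111111111", "22222222-bbbb-4bbb-bbbb-222222222222"
SAMPLE_GRAPH_SP = {"appRoles": [
    {"id": TRACE_ID, "value": "ExchangeMessageTrace.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": APPRW_ID, "value": "Application.ReadWrite.All", "allowedMemberTypes": ["Application"]}]}
SAMPLE_APP = {"requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID,
              "resourceAccess": [{"id": TRACE_ID, "type": "Role"}]}]}
SAMPLE_ASSIGNED = []  # permission requested, but admin consent not yet granted

if __name__ == "__main__":
    report = check_message_trace_permissions(SAMPLE_GRAPH_SP, SAMPLE_APP, SAMPLE_ASSIGNED)
    for name, state in sorted(report.items()):
        print(f"{name}: {state}")
    print("ready for o365:graph:messagetrace:", ready_for_graph_message_trace(report))
```

A result of "needs admin consent" on the required permission is the state that produces 401 errors after the add-on upgrade even though the permission appears on the registration; remember that tenant-side propagation can still take several hours after consent is granted.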

For USGovGCC or USGovGCCHigh tenants, verify that ReportingWebService.Read.All is granted in Exchange Online.

For additional troubleshooting guidance, see Troubleshoot the Splunk Add-on for Microsoft Office 365.

For configuration details and input parameters, see Configure Message Trace inputs for the Splunk Add-on for Microsoft Office 365.