- Microsoft 365 mail flow reports in the Exchange Admin Center - Tue, Jul 20 2021
- Locating the Mailflow report in the Exchange Admin Center
- Inbound and Outbound messages report
- Top domain mailflow status report
- Auto forwarded messages report
- Non-accepted domain report
- Non-delivery report
- Mailboxes exceeding receiving limits report
- Queued messages report
- SMTP AUTH clients
Access to a Microsoft 365 tenant. If you don't have one, you can always sign up for a trial version.
The following roles are required to view the reports in the Exchange Admin Center (EAC):
- Organization Management
- Security Administrator (assigned from the Azure portal)
- Security Reader
- View-Only Organization Management
- View-Only Recipients
Locating the Mailflow report in the Exchange Admin Center
Mail flow reports are available in multiple locations. Let's explore the ones available in the Exchange Admin Center. These reports can be found at this path: Exchange Admin Center > Reports > Mail Flow. Note that this is applicable to the new Microsoft 365 Admin portal only.
Inbound and Outbound messages report
The Inbound messages report displays the number of emails received by your tenant. It divides the emails according to how they were received: from the internet or from your on-premises servers (in hybrid Exchange); they are further categorized according to the TLS version used. This makes the report a good first step for identifying how much of your traffic still uses TLS 1.0 or 1.1, which will be deprecated.
You can also export the report to an Excel file. The maximum duration of this report is 90 days. It provides more information than the GUI, as it shows the connector name and type, as well as the percentage of emails using TLS 1.0, 1.1, or 1.2.
The Outbound messages report is the opposite of what we just discussed. It shows the details of the emails that were sent from your tenant, including the volume of outbound emails and the breakdown of the TLS versions used. Again, you can export this report to an Excel file.
If you have any connectors configured to send emails to your partners and also to your on-premises servers, they would be displayed here.
Top domain mailflow status report
This report shows the status of your domains in Microsoft 365. It's particularly helpful to detect any misconfigurations in MX records for your domains. The information displayed here includes the domain name, its status, previous and current MX records, and whether the domain has received emails in the last six hours.
Domains marked as "erroneous" will also display recommended checks and steps when clicked.
Faulty domains must be checked for MX record issues. This will help you avoid major mailflow issues.
Auto forwarded messages report
Auto-forwarding of emails from your tenant to external domains can be a security threat. If you have this enabled in your tenant, you must analyze this report regularly.
You can export the report to Excel. It displays the first forward date, number of forwards, forwarding type, recipient domain and name, and the sender address.
Forwarding can also be set up via mailbox rules. The report will display which method was used. This report can help you determine which users are forwarding the most emails from your tenant. You can then verify whether the emails are valid or whether you need to block the user as potentially compromised.
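One way to triage the exported report offline, as an added example that is not part of the original article: it totals forwards per sender to destinations outside an approved list and highlights external domains that several mailboxes forward to. The column names, forwarding-type labels, addresses, `APPROVED_DOMAINS` and the `min_count` threshold are constructed assumptions, so match them to your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names and type labels are assumptions.
SAMPLE_EXPORT = """\
First forward date,Forward count,Forwarding type,Recipient domain,Recipient name,Sender address
2021-07-01,412,Inbox rule,example-mail.test,drop,alice@contoso.example
2021-07-02,3,Mailbox forwarding,partner.example,bob.ext,bob@contoso.example
2021-07-03,57,Inbox rule,example-mail.test,drop,carol@contoso.example
2021-07-05,20,Mailbox forwarding,example-mail.test,archive,alice@contoso.example
"""

# Hypothetical allowlist of external domains that forwarding is approved for.
APPROVED_DOMAINS = {"partner.example"}


def unapproved_rows(export_text, approved):
    """Yield (sender, domain, type, count) for forwards to unapproved domains."""
    for row in csv.DictReader(io.StringIO(export_text)):
        domain = row["Recipient domain"].strip().lower()
        if domain not in approved:
            yield (row["Sender address"].strip().lower(), domain,
                   row["Forwarding type"].strip(), int(row["Forward count"]))


def triage_forwarding(export_text, approved=APPROVED_DOMAINS, min_count=50):
    """Senders to review, highest unapproved forward volume first."""
    agg = defaultdict(lambda: {"count": 0, "domains": set(), "types": set()})
    for sender, domain, ftype, count in unapproved_rows(export_text, approved):
        agg[sender]["count"] += count
        agg[sender]["domains"].add(domain)
        agg[sender]["types"].add(ftype)
    findings = [(s, a["count"], sorted(a["domains"]), sorted(a["types"]))
                for s, a in agg.items() if a["count"] >= min_count]
    return sorted(findings, key=lambda f: f[1], reverse=True)


def shared_destinations(export_text, approved=APPROVED_DOMAINS):
    """Unapproved domains receiving forwards from more than one sender."""
    senders = defaultdict(set)
    for sender, domain, _, _ in unapproved_rows(export_text, approved):
        senders[domain].add(sender)
    return {d: sorted(s) for d, s in senders.items() if len(s) > 1}


if __name__ == "__main__":
    print(triage_forwarding(SAMPLE_EXPORT))
    print(shared_destinations(SAMPLE_EXPORT))
```

A sender that appears with more than one forwarding type, or an unapproved domain shared by several senders, is a reasonable place to start the review.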
Non-accepted domain report
This report is applicable to Exchange hybrid setups. The report captures emails that originate from your on-premises Exchange Servers and are sent to your Microsoft 365 tenant using connectors where the sender domain is not an accepted domain. If your Exchange Servers are being used to send emails using non-accepted domains, then it is possible some of them are being sent from compromised accounts. Such emails may even be blocked or marked as junk if EOP suspects anything.
You can export the report. It will show you the connector name, date the emails were sent, sender domain, a few sample message IDs, and the message count.
This report could serve as the first step in regulating email traffic from your on-premises servers. There may not be any reason for anyone to send emails using non-accepted domains from your on-premises servers; hence, this could be suspicious activity, and you must investigate it to determine whether it's a legitimate case or not.
Non-delivery report
Non-delivery reports (NDRs) are common occurrences in Exchange. Microsoft 365 provides you with this NDR report so that you can track these failures. In the NDR report panel, you will see a graph with the DSN codes. These are the NDRs that senders receive when they try to email your tenant's users. There could be several reasons for this failure.
You can download the report and analyze it in Excel.
Mailboxes exceeding receiving limits report
This is an interesting report that shows you the mailboxes that have hit the limit for the maximum number of emails that can be received in a specified amount of time. As per Exchange Online limits, a mailbox can receive 3600 messages/hour.
"Exceeded" status in the report means that the mailbox has hit the maximum receiving limit. "At risk" implies that the mailbox has received huge volumes of emails and is about to hit the throttling limit. The consequence of crossing the threshold is that the mailbox won't be able to receive emails for at least an hour.
The report is also available in tabular format, displaying the hours a mailbox exceeded the limits or was at risk, top email sender, proportion of spam emails, and emails received per hour.
In most cases, there won't be any data in this report, as there may be no mailbox near the email receiving limit.
Queued messages report
In a hybrid Exchange environment, emails from your Microsoft 365 tenant to your Exchange on-premises servers are sent using connectors. These emails might get queued up in Microsoft 365 if, say, your on-premises servers are unreachable due to some network issues or the connectors are misconfigured. Such emails will be retried for 24 hours, after which the senders will start receiving NDRs.
As Exchange admins, you will want to be notified immediately once emails start getting queued up. You can set this in the Alert Policies tab in the Mail flow section in EAC. The alert policy "Messages have been delayed" is the one that triggers the mail queue alerts. It's created by default.
You must decide on the recipients for this alert. The number of queued emails after which this alert would be triggered is also set here.
SMTP AUTH clients
SMTP AUTH is a legacy protocol that uses basic authentication; hence, it is vulnerable to compromise. As a result, it's important to know which mailboxes send emails using this protocol. This report helps you do exactly that. You can view the information classified by sender, domain, and TLS protocol.
The report can be exported to Excel.
Using this report, you can investigate the reason why these mailboxes still use the SMTP AUTH protocol.
Now that you have in-depth knowledge of all the mail flow reports in EAC, you are better equipped to handle the vagaries of Exchange Online. In the next post, we will explore the mail flow reports available in the security center in Microsoft 365.