This guide walks you through creating the configuration needed to access Exchange Online [message traces](https://learn.microsoft.com/en-us/graph/api/resources/exchangemessagetrace?view=graph-rest-1.0) using the Exchange Online Email Security integration.

## 1. Create an application

1. In the [Azure portal](https://portal.azure.com), navigate to **App registrations**.
2. Select **+ New registration**.
3. Configure a name for the registration, for example "Exchange Online Integration".
4. Configure **Supported account types** as needed for your tenant.
5. Select **Register**.
6. On the **Overview** page for your new app registration, note down the **Application (client) ID** and the **Directory (tenant) ID**. You will need these values later.


## 2. Configure permissions for the application

1. Within the app registration you created in the previous step, navigate to **Manage → API permissions**.
2. Select **+ Add a permission**.
3. In the **Request API permissions** dialog, select **Microsoft Graph → Application permissions**. Locate the **ExchangeMessageTrace.Read.All** permission, check the box next to it, then select **Add permissions**.
4. Select **Grant admin consent for {your tenant name}**. Follow the dialog that appears to finish granting admin consent.
5. In the **Configured permissions** table, find **Microsoft Graph → ExchangeMessageTrace.Read**. Verify that the **Type** column reads **Application**, and that the **Status** column reads **✅ Granted for {your tenant name}**.


## 3. Create an application client secret

1. Within the app registration you created in the previous step, navigate to **Manage → Certificates & secrets**.
2. Navigate to the **Client secrets** tab.
3. Select **+ New client secret**.
4. In the **Add a client secret** dialog that appears, enter a description and expiration appropriate for your tenant, then select **Add**.
5. Find your new secret in the **Client secrets** table. Note down the secret value from the **Value** column. Store this in a safe place.


The secret value will not be shown again after you leave this page. Make sure you record it in a secure location.

## 4. Configure the integration

Create your integration by supplying the following configuration values:

**Client ID**: use the **Application (client) ID** gathered in step 1.

**Tenant ID**: use the **Directory (tenant) ID** gathered in step 1.

**Client Secret**: use the **Client secrets → Value** gathered in step 3.