
Provision the Required Service Principal for Microsoft Graph Message Trace in Microsoft 365

  • June 23, 2026

Jessica Bracken

Objective

Provision the required Microsoft-managed service principal (enterprise application) in a tenant so the Microsoft Graph Message Trace API can authorize requests successfully during integration setup.

Environment

  • Microsoft 365 / Exchange Online with Graph-based Message Trace API enabled
  • Microsoft Entra ID app registration and service principal used for Message Trace API authentication
  • Microsoft Graph Explorer or another Microsoft Graph client
  • Cribl Microsoft Graph Message Trace source configuration

Procedure

  1. Open Microsoft Graph Explorer and sign in with a tenant administrator account that can create enterprise applications/service principals. Creating a service principal through Microsoft Graph requires the Application.ReadWrite.All (or Directory.ReadWrite.All) permission; consent to it in Graph Explorer's Modify permissions tab if prompted.
  2. Run the following request to create the tenant-local service principal (enterprise application) for Microsoft's Graph Message Trace application:
    POST https://graph.microsoft.com/v1.0/servicePrincipals
    Content-Type: application/json

    {
      "appId": "8bd644d1-64a1-4d4b-ae52-2e0cbf64e373"
    }
  3. Submit the request.
  4. If the request succeeds, Microsoft Graph creates a service principal in that tenant for the Microsoft-managed multi-tenant Message Trace application. This does not create a new user-owned app registration.
  5. Allow time for provisioning and directory replication to complete. Microsoft notes that a newly created enterprise application can take time to propagate across Microsoft services. Until propagation finishes, requests to the Graph-based Message Trace API may still fail with authorization-related errors such as 401 Unauthorized or 403 Forbidden.
  6. Verify that the service principal now exists in the tenant by querying for the same application ID:
    GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '8bd644d1-64a1-4d4b-ae52-2e0cbf64e373'
    The value array in the response contains the enterprise application/service principal object. An empty value array means the object either does not exist yet or has not replicated to the directory endpoint you are querying.
  7. Once the service principal is present and propagation has completed, retry the Microsoft Graph Message Trace integration.
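The procedure above can be scripted so it is idempotent and tolerant of replication lag: look the service principal up first, create it only if absent, and then poll until the lookup returns it. The following Python is an added example and not code from the original article or from Cribl. It assumes a bearer token with Application.ReadWrite.All has already been obtained elsewhere (for example via MSAL) and passed to graph_http; the FakeTenant class is a constructed in-memory stand-in for the two Graph endpoints so the logic can be exercised offline, and its behaviour of rejecting a second POST for the same appId with HTTP 400 is an assumption about Graph, not something the article states.

```python
"""
Idempotent provisioning of the Microsoft-managed Message Trace service
principal (added example, not from the original article).

The transport is a plain callable (method, path, body) -> (status, json),
so the same logic runs against a real tenant via graph_http(token) or
against the constructed FakeTenant below for an offline dry run.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Microsoft-managed multi-tenant application ID quoted in the article.
MESSAGE_TRACE_APP_ID = "8bd644d1-64a1-4d4b-ae52-2e0cbf64e373"


def graph_http(token):
    """Build a transport that calls Microsoft Graph with an existing bearer
    token (token acquisition is assumed to happen elsewhere, e.g. MSAL)."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(GRAPH + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:  # Graph returns JSON on errors
            raw = err.read()
            return err.code, (json.loads(raw) if raw else {})
    return call


def find_service_principal(graph, app_id):
    """GET servicePrincipals filtered by appId; None if not visible yet."""
    # Spaces must be percent-encoded; the OData quotes can stay literal.
    query = urllib.parse.quote(f"appId eq '{app_id}'", safe="'")
    status, body = graph("GET", f"/servicePrincipals?$filter={query}")
    if status != 200:
        raise RuntimeError(f"lookup failed: HTTP {status} {body}")
    hits = body.get("value", [])
    return hits[0] if hits else None


def provision_service_principal(graph, app_id, attempts=10, delay=5.0):
    """Create the tenant-local service principal only if it is absent, then
    poll until the directory query returns it (replication lags the POST).
    Returns (service_principal, "created" | "already-present")."""
    existing = find_service_principal(graph, app_id)
    if existing is not None:
        return existing, "already-present"
    status, body = graph("POST", "/servicePrincipals", {"appId": app_id})
    if status not in (200, 201):
        raise RuntimeError(f"create failed: HTTP {status} {body}")
    for _ in range(attempts):
        sp = find_service_principal(graph, app_id)
        if sp is not None:
            return sp, "created"
        time.sleep(delay)
    raise TimeoutError("service principal not visible after creation")


class FakeTenant:
    """Constructed stand-in for the two Graph endpoints used above. It models
    replication lag: after a POST the object stays invisible to GET for
    `lag` queries, and a repeated POST for the same appId is rejected
    (assumed 400, as a real directory would refuse a duplicate)."""
    def __init__(self, lag=2):
        self.sps = {}       # appId -> service principal object
        self.pending = {}   # appId -> GETs remaining before it is visible
        self.lag = lag
        self.calls = []     # (method, path) log, useful for assertions

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "POST" and path == "/servicePrincipals":
            app_id = body["appId"]
            if app_id in self.sps:
                return 400, {"error": {"message": "already exists"}}
            self.sps[app_id] = {"id": "sp-" + app_id[:8], "appId": app_id}
            self.pending[app_id] = self.lag
            return 201, self.sps[app_id]
        if method == "GET" and path.startswith("/servicePrincipals?"):
            app_id = path.split("'")[1]   # appId sits between the quotes
            if self.pending.get(app_id, 0) > 0:
                self.pending[app_id] -= 1
                return 200, {"value": []}
            sp = self.sps.get(app_id)
            return 200, {"value": [sp] if sp else []}
        return 404, {"error": {"message": "unsupported in fake"}}


if __name__ == "__main__":
    tenant = FakeTenant(lag=2)
    sp, how = provision_service_principal(tenant, MESSAGE_TRACE_APP_ID, delay=0)
    print(how, sp["id"])            # created sp-8bd644d1
    sp, how = provision_service_principal(tenant, MESSAGE_TRACE_APP_ID, delay=0)
    print(how, sp["id"])            # already-present sp-8bd644d1
```

Against a real tenant, replace FakeTenant with graph_http(token); the delay default of five seconds between lookups is a guess at a sensible polling interval, and the Message Trace integration itself should only be retried once provision_service_principal has returned.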

Additional Information

The application ID 8bd644d1-64a1-4d4b-ae52-2e0cbf64e373 belongs to a Microsoft-managed multi-tenant application used by the Graph-based Message Trace service. Because Microsoft owns this application centrally, the same application ID is used across all Microsoft Entra ID tenants.

The provisioning step does not create a new user-owned app registration. It creates the tenant-local service principal (enterprise application) for that existing Microsoft-managed application inside the customer's tenant.

This Microsoft-managed service principal is separate from the customer's own app registration and service principal, which remain the calling identity used to authenticate to Microsoft Graph. The provisioning step only adds the Microsoft enterprise application that the backend Message Trace service needs to find in the tenant.

A useful way to think about this is:

  • The application object (app registration) lives in Microsoft's own tenant and is the global definition of the application.
  • The service principal (enterprise application) is the local instance of that application within a specific customer tenant.

The Graph-based Message Trace service expects this tenant-local enterprise application object to exist before requests can be properly authorized. This provisioning step establishes the local representation of Microsoft’s multi-tenant Message Trace application within the tenant.

Users sometimes confuse this object with their own application registration or service principal. Their own app/service principal is still the calling identity that authenticates to Microsoft Graph; the Microsoft-managed Message Trace enterprise application must additionally exist in the tenant so that Microsoft can authorize access to the backend Message Trace service.

Until the enterprise application has been provisioned and has replicated, requests fail with authorization-related errors such as 401 Unauthorized or 403 Forbidden, depending on the exact authentication and consent state of the tenant.