Review user-reported emails

Arctic Wolf Managed Security Awareness® (MA) Portal administrators can review emails that were reported using the Report Email button.

These actions are required:

  • Obtain these Microsoft Entra ID credentials used when you configured the Report Email button:
    Tip:

    For more information about the Report Email button for Outlook, see Configure the Report Email button for Microsoft 365.

    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret value
      Note:

      This is the Client Secret value that you created when configuring the Report Email button, not the secret ID found in Microsoft Entra ID settings.

  • Obtain these details from the email you want to review:
    • The email address that reported the email.
    • The Graph Message ID for the message.

      For more information about copying a Graph Message ID, see Track a suspicious email using a Graph Message ID.

      Note:

      If the email is moved to another folder, the Graph Message ID changes and the ID from the Reported Emails tab is no longer valid.

Download the file

  1. Navigate to the Microsoft Graph CLI download page.
  2. For the latest release of Microsoft Graph CLI, click Assets.
  3. Download the file specific to the OS that Microsoft Graph CLI will run on.
  4. Extract the files.

    A file with the filename mgc is included in the extracted content.

Retrieve the message

Based on your environment, retrieve the message using one of these CLI options:

Retrieve the message using PowerShell

  1. Open PowerShell.
  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:
    POWERSHELL
    $Env:AZURE_CLIENT_SECRET = "<secret_id>"

    Where:

    • secret_id is your Client Secret value.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:
    POWERSHELL
    ./mgc login --tenant-id <tenant_id> `
        --client-id <client_id> `
        --strategy Environment `
        --scopes .default

    Where:

    • tenant_id is the Directory (tenant) ID value.
    • client_id is the Application (client) ID value.
  4. Run one of these commands to retrieve the message, specifying the email address and Graph Message ID:
    • If you want the output to include headers, body, and attachments, run this command:
      POWERSHELL
      ./mgc users messages get `
         --user-id <user_email> `
         --message-id '<message_id>/$value'

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals (=) character at the end. Surround 'message_id/$value' with single quotes. For example, 'abcd1234=/$value'.
    • If you do not want the output to include headers, body, and attachments, run this command:
      POWERSHELL
      ./mgc users messages get `
         --user-id <user_email> `
         --message-id <message_id>

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals (=) character at the end.

Retrieve the message using Windows Command Prompt

  1. Open Windows Command Prompt.
  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:
    BASH
    set AZURE_CLIENT_SECRET=<secret_id>

    Where:

    • secret_id is your Client Secret value.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:
    BASH
    mgc.exe login --tenant-id <tenant_id> --client-id <client_id> --strategy Environment --scopes .default

    Where:

    • tenant_id is the Directory (tenant) ID value.
    • client_id is the Application (client) ID value.
  4. Run one of these commands to retrieve the message, specifying the email address and Graph Message ID:
    • If you want the output to include headers, body, and attachments, run this command:
      BASH
      mgc.exe users messages get --user-id <user_email> --message-id <message_id>/$value

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals (=) character at the end.
    • If you do not want the output to include headers, body, and attachments, run this command:
      BASH
      mgc.exe users messages get --user-id <user_email> --message-id <message_id>

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals (=) character at the end.

Retrieve the message using the macOS or Linux CLI

  1. Open the macOS or Linux CLI.
  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:
    BASH
    export AZURE_CLIENT_SECRET='<secret_id>'

    Where:

    • secret_id is your Client Secret value. Surround 'secret_id' with single quotes.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:
    BASH
    ./mgc login \
     --tenant-id <tenant_id> \
     --client-id <client_id> \
     --strategy Environment \
     --scopes .default

    Where:

    • tenant_id is the Directory (tenant) ID value.
    • client_id is the Application (client) ID value.
  4. Run one of these commands to retrieve the message, specifying the email address and Graph Message ID:
    • If you want the output to include headers, body, and attachments, run this command:
      BASH
      ./mgc users messages get \
       --user-id '<user_email>' \
       --message-id '<message_id>/$value'

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals (=) character at the end. Surround 'message_id/$value' with single quotes. For example, 'abcd1234=/$value'.
    • If you do not want the output to include headers, body, and attachments, run this command:
      BASH
      ./mgc users messages get \
       --user-id '<user_email>' \
       --message-id '<message_id>'

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals (=) character at the end.
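
Added example (not part of the Arctic Wolf documentation): a reviewer can triage the full message returned by the '/$value' command, which Microsoft Graph delivers in MIME format, without opening it in a mail client. This Python sketch assumes the command output was saved to a file and read as bytes; the names triage and SAMPLE_EML are illustrative, and the sample message is constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample standing in for saved '/$value' output (not a real message).
SAMPLE_EML = b"\r\n".join([
    b"Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=example.org",
    b'From: "IT Support" <helpdesk@example.org>',
    b"Reply-To: helpdesk@example.net",
    b"Subject: Password expiry notice",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"",
    b"See the attached form.",
    b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="form.html"',
    b"Content-Transfer-Encoding: base64",
    b"",
    b"PGh0bWw+PC9odG1sPg==",
    b"--b1--",
])

def _domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To style header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    """Summarise a reported message without rendering or executing any part of it."""
    msg = message_from_bytes(raw, policy=policy.default)
    auth = {}  # verdicts stamped by the receiving server, e.g. {"spf": "fail"}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if method.lower() in ("spf", "dkim", "dmarc") and rest.split():
                auth.setdefault(method.lower(), rest.split()[0].lower())
    attachments = []
    for part in msg.walk():
        if not part.is_multipart() and (part.is_attachment() or part.get_filename()):
            data = part.get_payload(decode=True) or b""  # decoded bytes, never written to disk
            attachments.append({"filename": part.get_filename() or "(unnamed)",
                                "sha256": hashlib.sha256(data).hexdigest()})
    reply_to = _domain(msg.get("Reply-To"))
    return {"subject": str(msg.get("Subject", "")),
            "from_domain": _domain(msg.get("From")),
            "reply_to_mismatch": bool(reply_to) and reply_to != _domain(msg.get("From")),
            "auth": auth, "attachments": attachments}
```

The attachment hashes can be checked against threat-intelligence sources so that the files themselves never need to be opened.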