Review user-reported emails

Arctic Wolf Managed Security Awareness® (MA) Portal administrators can review emails that were reported using the Report Email button.

These actions are required:

  • Obtain these Microsoft Entra ID credentials used when you configured the Report Email button:
    Tip:

    For more information about the Report Email button for Outlook, see Configure the Report Email button for Microsoft 365.

    • Application (client) ID
    • Directory (tenant) ID
    • Client Secret value
      Note:

      This is the Client Secret value that you created when configuring the Report Email button, not the secret ID found in Microsoft Entra ID settings.

  • Obtain these details from the email you want to review:
    • The email address that reported the email.
    • The Graph Message ID for the message.

      For more information about copying a Graph Message ID, see Track a suspicious email using a Graph Message ID.

      Note:

      If the email is moved to another folder, the Graph Message ID changes and the ID from the Reported Emails tab is no longer valid.

Download the file

  1. Navigate to the Microsoft Graph CLI download page.
  2. For the latest release of Microsoft Graph CLI, click Assets.
  3. Download the file specific to the OS that Microsoft Graph CLI will run on.
  4. Extract the files.

    A file with the filename mgc is included in the extracted content.

Retrieve the message

Based on your environment, retrieve the message using one of these CLI options:

Retrieve the message using PowerShell

  1. Open Powershell.
  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:
    POWERSHELL 
    $Env:AZURE_CLIENT_SECRET = "<secret_id>"

    Where:

    • secret_id is your Client Secret value.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:
    POWERSHELL 
    ./mgc login --tenant-id <tenant_id> `
    --client-id <client_id> `
    --strategy Environment `
    --scopes .default

    Where:

    • tenant_id is the Directory (tenant) ID value.
    • client_id is the Application (client) ID value.
  4. Run one of these commands to set the email address and Graph Message ID:
    • If you want the output to include headers, body, and attachments, run this command:
      POWERSHELL 
      ./mgc users messages get `
   --user-id <user_email> `
   --message-id '<message_id>/$value'

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals ( =) character at the end. Surround 'message_id/$value' with single quotes. For example, 'abcd1234=/$value'.
    • If you do not want the output to include headers, body, and attachments, run this command:
      POWERSHELL 
      ./mgc users messages get `
   --user-id <user_email> `
   --message-id <message_id>

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals ( =) character at the end.

Retrieve the message using Windows Command Prompt

  1. Open Windows Command Prompt.
  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:
    BASH 
    set AZURE_CLIENT_SECRET=<secret_id>

    Where:

    • secret_id is your Client Secret value.
  3. Run this command to sign in to the Azure application and specify the directory (tenant) and application (client) IDs:
    BASH 
    mgc.exe login --tenant-id <tenant_id> --client-id <client_id> --strategy Environment --scopes .default

    Where:

    • tenant_id is the Directory (tenant) ID value.
    • client_id is the Application (client) ID value.
  4. Run one of these commands to set the email address and Graph Message ID.
    • If you want the output to include headers, body, and attachments, run this command:
      BASH 
      mgc.exe users messages get --user-id <user_email> --message-id <message_id>/$value

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals ( =) character at the end.
    • If you do not want the output to include headers, body, and attachments, run this command:
      BASH 
      mgc.exe users messages get --user-id <user_email> --message-id <message_id>

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals ( =) character at the end.

Retrieve the message using the macOS or Linux CLI

  1. Open the macOS or Linux CLI.
  2. Run this command to set the environment variable for AZURE_CLIENT_SECRET:
    BASH 
    export AZURE_CLIENT_SECRET='<secret_id>'

    Where:

    • secret_id is your Client Secret value. Surround 'secret_id' with single quotes.
  3. Run this command to sign in to the Azure app and specify the directory (tenant) and application (client) IDs:
    BASH 
    ./mgc login \
 --tenant-id <tenant_id> \
 --client-id <client_id> \
 --strategy Environment \
 --scopes .default

    Where:

    • tenant_id is the Directory (tenant) ID value.
    • client_id is the Application (client) ID value.
  4. Run one of these commands to set the email address and Graph Message ID.
    • If you want the output to include headers, body, and attachments, run this command:
      BASH 
      ./mgc users messages get \
 --user-id '<user_email>' \
 --message-id '<message_id>/$value'

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals ( =) character at the end. Surround 'message_id/$value' with single quotes. For example, 'abcd1234=/$value'.
    • If you do not want the output to include headers, body, and attachments, run this command:
      BASH 
      ./mgc users messages get \
 --user-id '<user_email>' \
 --message-id '<message_id>'

      Where:

      • user_email is the user email address.
      • message_id is the Graph Message ID. The Graph Message ID includes an equals ( =) character at the end.