Forum Discussion
erregei
Mar 07, 2023 Copper Contributor
ATP Legacy portal to Defender > missing events in timeline
Hello everyone, after the old ATP portal has been closed and redirected to the Defender portal, I can't find the changes that have been done on users or computers. For example: I was able to see, on an ...
- Mar 08, 2023 You can disable the redirection to the new portal 🙂 I guess this will be removed at some point.
In the Defender portal -> Settings -> Identities -> Portal redirection,
josequintino
Iron Contributor
Since the transition from the old ATP (Advanced Threat Protection) portal to the Microsoft Defender portal, some features may have been restructured or moved. To find information related to changes in user or computer objects, such as group membership changes and attribute modifications, you can check the Azure Active Directory (Azure AD) Audit logs.
Here's how to access the Azure AD Audit logs:
1- In the Azure portal, navigate to Azure Active Directory from the left-hand menu or search for it in the search bar.
2- In the Azure Active Directory pane, click on "Monitoring" in the left-hand menu.
3- Select Audit Logs from the list.
4- You can now view and filter the audit logs to find the changes you're looking for.
The Azure AD Audit logs contain various events related to changes in user and computer objects, such as group membership modifications and attribute changes. You can filter the logs by date, event category, or search for specific events to find the information you're interested in.
ph_ly
Apr 13, 2023 Steel Contributor
josequintino The Azure AD Audit Logs are a much poorer representation of what was in the Defender for Identity classic portal for a user timeline and omit many details, particularly related to on-premise modifications.
For example, in the case of an AD Connect hybrid environment the Azure AD audit log will only show that a sync happened from on-premise, but will not tell you the source account that made the modification. The Identity classic timeline will tell you exactly which on-premise account made the change.
In another case, we had a user whose account password had expired. Azure AD Audit log shows nothing. In Defender for Identity ATP classic portal, it lists the exact time the user's password expired. It is by far the best administrative timeline available overall.
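An added illustration of the audit-log limitation discussed above (not code from any poster or from Microsoft): it reads records in the shape of Microsoft Graph directoryAudit objects and lists who the log names as initiator of each change to one user. The sample records, the contoso.example names, and the Sync_ account-name prefix check are constructed assumptions.

```python
# Constructed records in the shape of Microsoft Graph directoryAudit objects;
# every name and value below is made up for illustration.
SAMPLE = [
    {"activityDateTime": "2023-04-12T08:00:41Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "Sync_DC01_1a2b3c@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example",
                          "modifiedProperties": [{"displayName": "Department"}]}]},
    {"activityDateTime": "2023-04-12T09:14:02Z", "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example",
                          "modifiedProperties": [{"displayName": "Group.DisplayName"}]}]},
    {"activityDateTime": "2023-04-12T09:30:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"app": {"displayName": "HR provisioning (hypothetical app)"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "JobTitle"}]}]},
]

SYNC_PREFIX = "sync_"  # assumption: directory sync accounts are named Sync_<server>_<id>

def initiator(event):
    """Return the user UPN or app name the audit record names as initiator."""
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def changes_for(events, target_upn):
    """Chronological changes to one user, flagging those attributed to sync."""
    rows = []
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        for res in ev.get("targetResources") or []:
            if (res.get("userPrincipalName") or "").lower() != target_upn.lower():
                continue
            who = initiator(ev)
            rows.append({
                "time": ev["activityDateTime"],
                "activity": ev["activityDisplayName"],
                "initiator": who,
                # True means the on-premises actor is not visible in this record.
                "via_sync": who.lower().startswith(SYNC_PREFIX),
                "properties": [p["displayName"] for p in res.get("modifiedProperties") or []],
            })
    return rows

if __name__ == "__main__":
    for row in changes_for(SAMPLE, "alice@contoso.example"):
        print(row)
```

Rows with `via_sync` set are the ones where the cloud audit record alone cannot say which on-premises account made the change.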
- josequintino Apr 13, 2023 Iron Contributor
ph_ly
I understand your concerns regarding the differences between the Azure AD Audit Logs and the Defender for Identity (previously known as Azure ATP) classic portal. It's true that there are certain limitations in the Azure AD Audit Logs, especially when it comes to hybrid environments with AD Connect or on-premises details.
Azure AD Audit Logs focus primarily on cloud-based activities and changes within Azure AD. While they do provide valuable information, they might not be as comprehensive when compared to the Defender for Identity portal, which is specifically designed to monitor and provide insights into both cloud-based and on-premises Active Directory activities.
The Defender for Identity portal offers a more detailed timeline of events and includes information about on-premises modifications, password expirations, and other activities. It uses a combination of data from Azure AD and on-premises AD to provide a unified and comprehensive view of user activities, which can be helpful for administrators in various scenarios.
If you find the Defender for Identity portal more useful for your specific use case, you might want to continue using it for your administrative activities. However, it's essential to note that Microsoft is continuously improving the Azure AD Audit Logs and other features, and new capabilities might be added in the future to address the limitations you mentioned.
In the meantime, you could consider using both the Azure AD Audit Logs and Defender for Identity portal in tandem to get a comprehensive view of user activities and modifications across both cloud-based and on-premises environments.