ATP Legacy portal to defeder > missing events in timeline

Copper Contributor

Hello everyone,

after the old ATP portal has has been closed and redirect to Defender portal I can't find the changes that has been done on user or computers.

For example: I was able to see, on an identity, who added that to a group, removed from a group and other changes to attributes, in the Azure timeline I see only activities related to security incident/alerts.

Where do I find those information now?



23 Replies
I still use the old ATP portal to see those changes - they are not available in the new timeline yet.
Interesting! how'd you manage to get there when it automatically redirects to the new portal?

best response confirmed by erregei (Copper Contributor)
You can disable the redirection to the new portal :) I guess this will be removed at some point.
In the Defender portal -> Settings -> Identities -> Portal redirection,
Thank you Kim, worked like a charm.
I guess it will be removed too, I just hope they have, at least, ported everything into defender before doing so.

@erregei In M365D portal, on the identity page you can find the timeline tab. It represents activities and alerts that the user was involved in. There's still work and improvements to the timeline such as extra filters, more details about each activity, export button and so on.

Regarding redirection to M365D portal, you are correct. You can still manually disable the automatic redirection, but from June 30, there will be a forced redirection. If you feel that there are important missing features, please let me know:

Hi Lior,
I believe that most of IT admins who uses ATP would like to keep the classical ATP portal. The defender view of ATP is really poor and has no intuitive UI for the admins to view and troubleshoot the events. I mostly read all comments that people are not happy about this change that will be forced in June 2023. ATP portal is also used by our Service Desk colleagues to troubleshoot the user and computer objects and it is really doing a good job as the interface simple and useful. The success of ATA and ATP is purely based on this interface which Microsoft acquired the product from the other company ( and decided to keep the interface. If we will be forced to use Defender view of ATP, then I have to decommission the product in our environment as we are purely using for the simplistic UI (We have other tools for the anomaly detection). I kindly ask the internal team to reconsider this decision as it is completely against the original ideas of using ATA-ATP. Thank you very much
Since the transition from the old ATP (Advanced Threat Protection) portal to the Microsoft Defender portal, some features may have been restructured or moved. To find information related to changes in user or computer objects, such as group membership changes and attribute modifications, you can check the Azure Active Directory (Azure AD) Audit logs.

Here's how to access the Azure AD Audit logs:
1- In azure portal, Navigate to Azure Active Directory from the left-hand menu or search for it in the search bar.
2- In the Azure Active Directory pane, click on "Monitoring" in the left-hand menu.
3- Select Audit Logs from the list.
4- You can now view and filter the audit logs to find the changes you're looking for.

The Azure AD Audit logs contain various events related to changes in user and computer objects, such as group membership modifications and attribute changes. You can filter the logs by date, event category, or search for specific events to find the information you're interested in.
@josequintino The Azure AD Audit Logs are a much poorer representation of what was in the Defender for Identity classic portal for a user timeline and omit many details, particularly related to on-premise modifications.

For example, in the case of a AD Connect hybrid environment the Azure AD audit log will only show that a sync happened from on-premise, but will not tell you the source account that made the modification. The Identity classic timeline will tell you exactly which on-premise account made the change.

In another case, we had a user who's account password had expired. Azure AD Audit log shows nothing. In Defender for Identity ATP classic portal, it lists the exact time the users' password expired. It is by far the best administrative timeline available overall.
I understand your concerns regarding the differences between the Azure AD Audit Logs and the Defender for Identity (previously known as Azure ATP) classic portal. It's true that there are certain limitations in the Azure AD Audit Logs, especially when it comes to hybrid environments with AD Connect or on-premises details.

Azure AD Audit Logs focus primarily on cloud-based activities and changes within Azure AD. While they do provide valuable information, they might not be as comprehensive when compared to the Defender for Identity portal, which is specifically designed to monitor and provide insights into both cloud-based and on-premises Active Directory activities.

The Defender for Identity portal offers a more detailed timeline of events and includes information about on-premises modifications, password expirations, and other activities. It uses a combination of data from Azure AD and on-premises AD to provide a unified and comprehensive view of user activities, which can be helpful for administrators in various scenarios.

If you find the Defender for Identity portal more useful for your specific use case, you might want to continue using it for your administrative activities. However, it's essential to note that Microsoft is continuously improving the Azure AD Audit Logs and other features, and new capabilities might be added in the future to address the limitations you mentioned.

In the meantime, you could consider using both the Azure AD Audit Logs and Defender for Identity portal in tandem to get a comprehensive view of user activities and modifications across both cloud-based and on-premises environments.
If something isn't working for you or if there's anything you're unable to complete through Microsoft 365 Defender, you can use old portal
To revert to the former Microsoft Defender for Identity portal:

Sign in to Microsoft 365 Defender as a global administrator or using and account with security administrator permissions in Azure Active directory.

Navigate to Settings > Identities > General > Portal redirection or open the page here.

Toggle the Automatic redirection setting to Off.

This setting can be enabled again at any time.

Once disabled, accounts will no longer be routed to
This thing resolved my problem
Yes this thing works . thank you
The portal redirection will be enforced as from today june 30th.
I've submitted countless requests (via the MS form) to not do this and even contact me to discuss. But I never heard back from Microsoft.
The old ATP portal is still major superior in terms of intuitive UI.
We heavily depend on this tool and our ServiceDesk uses this as well.

PLEASE do not enforce the redirection.
I think they are doing what they were always doing. Someone internally who is responsible for Defender have won the war against the team that was defending keeping ATP as it is. Microsoft defender is not covering anything that the current portal is providing. This decision is just non-sense and as always Microsoft do not listen their customers.

Hi @tony87,

I'm Lior from the product group. I've reviewed your survey responses and tried contacting you by mail on June 3rd without success. 
If you didn't receive my email, please send me a private message to so we can discuss your concerns regarding the redirection. 

@SerdarMe Sorry about your feelings about Microsoft in general and MDI in particular. To elaborate more on what you feel is missing in Microsoft 365 Defender, please reach out to me at

Hi, I've the same issue, now we cannot used anymore the old portal, and i'm sorry to said that the defender portal is not efficient for the Identity part as the Old one. It"s amazing you've dismissed a so efficient and easy portal and not permit to have business (security) continuuty for customers, specially with products under licence.
Please to give some details how to retrieive it.
The Defender for Identity portal offers a more detailed timeline of events and includes information about on-premises modifications, password expirations, and other activities. It uses a combination of data from Azure AD and on-premises AD to provide a unified and comprehensive view of user activities, which can be helpful for administrators in various scenarios.
We 've lost these benefits ....
Please to give some details how to retrieive it.

@Fabrice LAIR The user timeline in M365D portal contains the same activities as in the legacy portal. By filtering the Application, you can focus on activities from AD or AAD and we are currently working on improving entries information.
I will be happy to hear more regarding the timeline experience.