cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

ATP Legacy portal to defeder > missing events in timeline

erregei
Copper Contributor

‎Mar 07 2023 12:10 AM

‎Mar 07 2023 12:10 AM

ATP Legacy portal to defeder > missing events in timeline

Hello everyone,

after the old ATP portal has has been closed and redirect to Defender portal I can't find the changes that has been done on user or computers.

For example: I was able to see, on an identity, who added that to a group, removed from a group and other changes to attributes, in the Azure timeline I see only activities related to security incident/alerts.

Where do I find those information now?

 

Thanks
CC

3,321 Views
0 Likes
23 Replies
Reply
23 Replies
Kim Kristensen

‎Mar 07 2023 04:05 AM

‎Mar 07 2023 04:05 AM

Re: ATP Legacy portal to defeder > missing events in timeline

I still use the old ATP portal to see those changes - they are not available in the new timeline yet.
0 Likes
Reply
Manoj Karunarathne

‎Mar 07 2023 06:34 AM

‎Mar 07 2023 06:34 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Interesting! how'd you manage to get there when it automatically redirects to the new portal?

Cheers!
0 Likes
Reply
best response confirmed by erregei (Copper Contributor)
Kim Kristensen

‎Mar 07 2023 10:17 PM

‎Mar 07 2023 10:17 PM

Solution

Re: ATP Legacy portal to defeder > missing events in timeline

You can disable the redirection to the new portal :) I guess this will be removed at some point.
In the Defender portal -> Settings -> Identities -> Portal redirection,
3 Likes
Reply
erregei

‎Mar 07 2023 11:56 PM

‎Mar 07 2023 11:56 PM

Re: ATP Legacy portal to defeder > missing events in timeline

Thank you Kim, worked like a charm.
I guess it will be removed too, I just hope they have, at least, ported everything into defender before doing so.
1 Like
Reply
Manoj Karunarathne

‎Mar 08 2023 05:19 PM

‎Mar 08 2023 05:19 PM

Re: ATP Legacy portal to defeder > missing events in timeline

Thanks Kim !
0 Likes
Reply
LiorShapira

‎Mar 09 2023 01:10 PM

‎Mar 09 2023 01:10 PM

Re: ATP Legacy portal to defeder > missing events in timeline

@erregei In M365D portal, on the identity page you can find the timeline tab. It represents activities and alerts that the user was involved in. There's still work and improvements to the timeline such as extra filters, more details about each activity, export button and so on.

Regarding redirection to M365D portal, you are correct. You can still manually disable the automatic redirection, but from June 30, there will be a forced redirection. If you feel that there are important missing features, please let me know: t-lshapira@microsoft.com

0 Likes
Reply
SerdarMe

‎Mar 28 2023 01:48 AM

‎Mar 28 2023 01:48 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Hi Lior,
I believe that most of IT admins who uses ATP would like to keep the classical ATP portal. The defender view of ATP is really poor and has no intuitive UI for the admins to view and troubleshoot the events. I mostly read all comments that people are not happy about this change that will be forced in June 2023. ATP portal is also used by our Service Desk colleagues to troubleshoot the user and computer objects and it is really doing a good job as the interface simple and useful. The success of ATA and ATP is purely based on this interface which Microsoft acquired the product from the other company (https://blogs.microsoft.com/blog/2014/11/13/microsoft-acquires-aorato-give-enterprise-customers-bett...) and decided to keep the interface. If we will be forced to use Defender view of ATP, then I have to decommission the product in our environment as we are purely using for the simplistic UI (We have other tools for the anomaly detection). I kindly ask the internal team to reconsider this decision as it is completely against the original ideas of using ATA-ATP. Thank you very much
1 Like
Reply
josequintino

‎Mar 29 2023 06:47 AM

‎Mar 29 2023 06:47 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Since the transition from the old ATP (Advanced Threat Protection) portal to the Microsoft Defender portal, some features may have been restructured or moved. To find information related to changes in user or computer objects, such as group membership changes and attribute modifications, you can check the Azure Active Directory (Azure AD) Audit logs.

Here's how to access the Azure AD Audit logs:
1- In azure portal, Navigate to Azure Active Directory from the left-hand menu or search for it in the search bar.
2- In the Azure Active Directory pane, click on "Monitoring" in the left-hand menu.
3- Select Audit Logs from the list.
4- You can now view and filter the audit logs to find the changes you're looking for.

The Azure AD Audit logs contain various events related to changes in user and computer objects, such as group membership modifications and attribute changes. You can filter the logs by date, event category, or search for specific events to find the information you're interested in.
0 Likes
Reply
ph_ly

‎Apr 12 2023 09:51 PM

‎Apr 12 2023 09:51 PM

Re: ATP Legacy portal to defeder > missing events in timeline

@josequintino The Azure AD Audit Logs are a much poorer representation of what was in the Defender for Identity classic portal for a user timeline and omit many details, particularly related to on-premise modifications.

For example, in the case of a AD Connect hybrid environment the Azure AD audit log will only show that a sync happened from on-premise, but will not tell you the source account that made the modification. The Identity classic timeline will tell you exactly which on-premise account made the change.

In another case, we had a user who's account password had expired. Azure AD Audit log shows nothing. In Defender for Identity ATP classic portal, it lists the exact time the users' password expired. It is by far the best administrative timeline available overall.
0 Likes
Reply
josequintino

‎Apr 13 2023 01:54 AM

‎Apr 13 2023 01:54 AM

Re: ATP Legacy portal to defeder > missing events in timeline

@ph_ly
I understand your concerns regarding the differences between the Azure AD Audit Logs and the Defender for Identity (previously known as Azure ATP) classic portal. It's true that there are certain limitations in the Azure AD Audit Logs, especially when it comes to hybrid environments with AD Connect or on-premises details.

Azure AD Audit Logs focus primarily on cloud-based activities and changes within Azure AD. While they do provide valuable information, they might not be as comprehensive when compared to the Defender for Identity portal, which is specifically designed to monitor and provide insights into both cloud-based and on-premises Active Directory activities.

The Defender for Identity portal offers a more detailed timeline of events and includes information about on-premises modifications, password expirations, and other activities. It uses a combination of data from Azure AD and on-premises AD to provide a unified and comprehensive view of user activities, which can be helpful for administrators in various scenarios.

If you find the Defender for Identity portal more useful for your specific use case, you might want to continue using it for your administrative activities. However, it's essential to note that Microsoft is continuously improving the Azure AD Audit Logs and other features, and new capabilities might be added in the future to address the limitations you mentioned.

In the meantime, you could consider using both the Azure AD Audit Logs and Defender for Identity portal in tandem to get a comprehensive view of user activities and modifications across both cloud-based and on-premises environments.
0 Likes
Reply
SABBIR_RUBAYAT

‎Apr 13 2023 03:11 AM

‎Apr 13 2023 03:11 AM

Re: ATP Legacy portal to defeder > missing events in timeline

If something isn't working for you or if there's anything you're unable to complete through Microsoft 365 Defender, you can use old portal
To revert to the former Microsoft Defender for Identity portal:

Sign in to Microsoft 365 Defender as a global administrator or using and account with security administrator permissions in Azure Active directory.

Navigate to Settings > Identities > General > Portal redirection or open the page here.

Toggle the Automatic redirection setting to Off.

This setting can be enabled again at any time.

Once disabled, accounts will no longer be routed to security.microsoft.com.
3 Likes
Reply
shafiul155

‎Apr 16 2023 04:18 AM

‎Apr 16 2023 04:18 AM

Re: ATP Legacy portal to defeder > missing events in timeline

This thing resolved my problem
0 Likes
Reply
Ayajul_Islam1998

‎Apr 17 2023 02:47 AM

‎Apr 17 2023 02:47 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Yes this thing works . thank you
0 Likes
Reply
tony87

‎Jun 30 2023 01:32 AM

‎Jun 30 2023 01:32 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Hi,
The portal redirection will be enforced as from today june 30th.
I've submitted countless requests (via the MS form) to not do this and even contact me to discuss. But I never heard back from Microsoft.
The old ATP portal is still major superior in terms of intuitive UI.
We heavily depend on this tool and our ServiceDesk uses this as well.

PLEASE do not enforce the redirection.
0 Likes
Reply
SerdarMe

‎Jun 30 2023 01:52 AM

‎Jun 30 2023 01:52 AM

Re: ATP Legacy portal to defeder > missing events in timeline

I think they are doing what they were always doing. Someone internally who is responsible for Defender have won the war against the team that was defending keeping ATP as it is. Microsoft defender is not covering anything that the current portal is providing. This decision is just non-sense and as always Microsoft do not listen their customers.
0 Likes
Reply
LiorShapira

‎Jul 02 2023 06:14 AM

‎Jul 02 2023 06:14 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Hi @tony87,

I'm Lior from the product group. I've reviewed your survey responses and tried contacting you by mail on June 3rd without success. 
If you didn't receive my email, please send me a private message to t-lshapira@microsoft.com so we can discuss your concerns regarding the redirection. 

0 Likes
Reply
LiorShapira

‎Jul 02 2023 06:21 AM

‎Jul 02 2023 06:21 AM

Re: ATP Legacy portal to defeder > missing events in timeline

@SerdarMe Sorry about your feelings about Microsoft in general and MDI in particular. To elaborate more on what you feel is missing in Microsoft 365 Defender, please reach out to me at t-lshapira@microsoft.com.

0 Likes
Reply
Fabrice LAIR

‎Jul 11 2023 08:16 AM

‎Jul 11 2023 08:16 AM

Re: ATP Legacy portal to defeder > missing events in timeline

Hi, I've the same issue, now we cannot used anymore the old portal, and i'm sorry to said that the defender portal is not efficient for the Identity part as the Old one. It"s amazing you've dismissed a so efficient and easy portal and not permit to have business (security) continuuty for customers, specially with products under licence.
Please to give some details how to retrieive it.
The Defender for Identity portal offers a more detailed timeline of events and includes information about on-premises modifications, password expirations, and other activities. It uses a combination of data from Azure AD and on-premises AD to provide a unified and comprehensive view of user activities, which can be helpful for administrators in various scenarios.
We 've lost these benefits ....
Please to give some details how to retrieive it.
0 Likes
Reply
LiorShapira

‎Jul 14 2023 03:14 AM

‎Jul 14 2023 03:14 AM

Re: ATP Legacy portal to defeder > missing events in timeline

@Fabrice LAIR The user timeline in M365D portal contains the same activities as in the legacy portal. By filtering the Application, you can focus on activities from AD or AAD and we are currently working on improving entries information.
I will be happy to hear more regarding the timeline experience. 

0 Likes
Reply