Microsoft Defender Portals and Where to Access Log Data
Andrew Posted on 7:00 am

Where to find Incident Investigation Artifacts in M365 – Part 2 – The Portals

A common challenge that security teams face is simply not knowing where all the artifacts can be found during an investigation. Microsoft Defender tools are capable of collecting a lot of data, which raises two questions during an investigation: where is all this data, and how do I find it quickly? Join me for Part 2 of our tour of where to find this great Defender log data.

In the last article (here), we looked at data types, retention, some high-level license differences, and what types of information are in the different logs. Refresh your memory if you like; there was a lot to take in.

Today, let’s take a quick look at the different portals that we will use to perform our investigations.

The Portals

The three portals most commonly used to review and investigate incidents are:

Azure AD Portal

Located at and contains sign-ins, risk events and Azure AD admin activity. Data is displayed in a custom interface and can be filtered and exported as needed.

Microsoft 365 Defender Portal

Located at, this portal gives us two primary interfaces for viewing log data: Advanced Hunting, and access to the Unified Audit Log (UAL) via the Audit Search. This is important! Take a look at the previous article if you are unsure which data flows into the UAL.

Defender for Cloud Apps 

Located at, this portal does not include any Office 365 data unless explicitly configured. When configured, data is stored in the Activity log and multiple alert templates are available to help detect and respond to security events in your tenant.

Bonus Comprehensive Portal List

Curious where to quickly find the portals that you may not use every day? Check out this awesome list of Microsoft Admin Portals:

My most used:

Exchange Admin Center (EAC) New
Exchange Admin Center (EAC) Old
Microsoft Purview compliance portal
Microsoft 365 network connectivity test
Microsoft 365 Network Insights Preview
Microsoft Call Quality Dashboard (Teams)
Microsoft Endpoint Manager Admin Console Intune