AD0.5 The Admin Centers That Matter
Figure AD0.5 — The five admin portals for security work and the weekly monitoring cadence. Entra ID handles identity, the Defender portal handles threats and email, Intune handles devices, Purview handles data, and the M365 Admin Center provides user and license context. Your weekly security workflow touches the Defender portal and Entra ID. Monthly reviews add Intune and Secure Score.
The portal you’ll use most: Entra admin center
The Entra admin center at entra.microsoft.com is where you’ll spend the most time on security work. This is where you configure the identity controls that stop 80% of attacks: MFA methods, conditional access policies, self-service password reset, and user risk policies.
The two pages you’ll visit most are Protection → Conditional Access (where your CA policies live) and Monitoring → Sign-in logs (where you investigate authentication activity). The sign-in log is your primary investigation tool for any identity-related incident. When someone reports a phishing email and you need to check whether the user’s credentials were compromised, you check the sign-in log. When you see an alert for impossible travel, you check the sign-in log. When a user says “I didn’t do that,” you check the sign-in log.
The sign-in log shows every authentication attempt — successful and failed — with the user, IP address, location, device, client application, conditional access policy evaluation, and risk level. Learning to read this log efficiently is one of the most valuable skills you’ll build in this course. Module AD1.8 covers sign-in log investigation in detail.
The portal for threats: Microsoft Defender
The Defender portal at security.microsoft.com is the unified security dashboard. It aggregates alerts from every Defender product — Defender for Office 365 (email), Defender for Endpoint (devices), Defender for Identity (Active Directory), and Defender for Cloud Apps (SaaS). For an IT administrator, the two sections that matter are the incident queue (where you see correlated security alerts) and email & collaboration policies (where you configure Safe Links, Safe Attachments, and anti-phishing).
The incident queue is where you’ll go when you hear “we think something happened.” Incidents group related alerts together — so a phishing email that led to a credential compromise that led to inbox rule creation appears as one incident with three related alerts, not three separate alerts you have to mentally connect. You’ll learn to navigate this in Module AD0.6.
Secure Score also lives in the Defender portal. This is Microsoft’s assessment of your tenant’s security posture, scored against a list of recommended configurations. Module AD0.7 covers how to read it productively without getting overwhelmed by the 200+ recommendations it surfaces.
The portal for devices: Intune
The Intune admin center at intune.microsoft.com is where you manage device compliance and configuration. From a security perspective, the critical section is Devices → Compliance policies — rules that define what makes a device “compliant” (encrypted, up to date, antivirus running, firewall enabled). Compliance status feeds into conditional access: a conditional access policy can require a compliant device, which means only devices meeting your compliance standards can access corporate data.
If you’re already managing devices through Intune for application deployment and configuration, adding compliance policies is a natural extension. If you’re not using Intune at all, Module AD4 (Securing Devices and Endpoints) covers the basics of getting started. For now, know that Intune is the device piece of the security puzzle and that its value for security comes primarily through the compliance + conditional access integration.
The portal for data: Purview
The Purview portal at purview.microsoft.com handles data classification and protection. Sensitivity labels, data loss prevention policies, and the unified audit log live here. For an IT administrator starting security work, Purview is the lowest priority of the five portals — identity and email protection come first.
That said, one feature in Purview is immediately useful: the unified audit log. This is the searchable record of every significant action in your M365 environment — mailbox access, file sharing, admin actions, permission changes. When you need to answer “who did what, and when,” the unified audit log is where you look. You don’t need to configure anything to use it — audit logging is enabled by default for all M365 tenants. You just need to know it exists and how to search it.
The portal you already know: M365 Admin Center
The M365 Admin Center at admin.microsoft.com is where you manage users, groups, and licenses. From a security perspective, it’s context — you go here to check a user’s license tier (to know which security features are available), to verify group membership (to understand which policies apply), and to check service health (to differentiate between “the sign-in failed because of a security policy” and “the sign-in failed because Microsoft is having an outage”).
You won’t configure security controls in the M365 Admin Center. The security settings that exist there (like the legacy per-user MFA page) are being deprecated in favour of the Entra admin center. If someone tells you to go to admin.microsoft.com → Users → Active users → Multi-factor authentication, that’s the old method. Conditional access in the Entra admin center is the current method.
The 5-minute security check you should do every Monday
Here’s the practical workflow that turns portal knowledge into operational habit. Every Monday morning, before you start on helpdesk tickets, run this 5-minute check across two portals.
First, open security.microsoft.com. Click “Incidents & alerts” in the left navigation. Filter by severity: High and Critical. Check if any new incidents appeared since your last check. If the queue shows zero high/critical incidents, you’re done with this portal — total time: 30 seconds. If there are incidents, read the summary tab of each and make the triage decision (act, investigate, or close).
Second, open entra.microsoft.com. Navigate to Monitoring → Sign-in logs. Set the time range to the last 7 days. Add a filter for “Status: Failure” and scan for patterns — are there clusters of failures against specific accounts? That could indicate a password spray. Now remove the failure filter and add a filter for “Location” — check if any sign-ins came from countries where your organisation doesn’t operate. Unexpected locations are the fastest indicator of compromised credentials.
One additional step that takes two minutes and pays off every time: configure email notifications for high-severity alerts. Navigate to security.microsoft.com → Settings → Email notifications → Incidents. Create a notification rule that sends email to your admin address for High and Critical severity incidents. This means you do not have to remember to check the portal — the portal tells you when something needs attention. Most IT administrators set this up and then check the portal only when a notification arrives or during their weekly Monday review.
A practical tip for the Entra sign-in log: the default view shows the last 24 hours. For your weekly Monday review, change the time range to “Last 7 days” so you catch anything that happened over the weekend. Add the columns “IP address,” “Location,” and “Conditional access” to the default view — these three columns tell you the most about each sign-in without clicking into individual entries. You can save this customised view so it loads automatically on your next visit.
That’s the entire weekly check: incident queue plus sign-in log scan. Five minutes. The goal is not to investigate every entry — it’s to catch the obvious indicators that something went wrong. As you build confidence with these portals, you’ll naturally start noticing patterns and anomalies that warrant deeper investigation. But the baseline habit is five minutes, every Monday, two portals.
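The sign-in log scan above can also be run over an export of the last 7 days. This is an added example, not part of the course material: it assumes records shaped like the Microsoft Graph signIn resource (a portal export may name fields differently), and the thresholds, expected-country list and sample records are constructed for illustration. It goes one step beyond the per-account check by also flagging a single IP failing against several accounts, which is the usual shape of a password spray.

```python
from collections import defaultdict

EXPECTED_COUNTRIES = {"GB"}  # assumption: countries where the organisation operates
FAILURE_THRESHOLD = 5        # assumption: failures on one account worth a closer look
SPRAY_ACCOUNTS = 3           # assumption: distinct accounts failing from a single IP

def review_signins(records):
    """Return (failure_clusters, spray_ips, unexpected_locations) for one week of sign-ins."""
    fails_by_user = defaultdict(int)
    users_by_ip = defaultdict(set)
    unexpected = []
    for r in records:
        user = r["userPrincipalName"].lower()
        failed = r["status"]["errorCode"] != 0  # errorCode 0 means the sign-in succeeded
        country = (r.get("location") or {}).get("countryOrRegion") or "unknown"
        if failed:
            fails_by_user[user] += 1
            users_by_ip[r["ipAddress"]].add(user)
        if country not in EXPECTED_COUNTRIES:
            outcome = "failure" if failed else "success"
            unexpected.append((r["createdDateTime"], user, r["ipAddress"], country, outcome))
    clusters = {u: n for u, n in fails_by_user.items() if n >= FAILURE_THRESHOLD}
    spray = {ip: sorted(us) for ip, us in users_by_ip.items() if len(us) >= SPRAY_ACCOUNTS}
    return clusters, spray, sorted(unexpected)

def _rec(ts, upn, ip, country, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

# Constructed sample week: example.com accounts, documentation IP ranges.
# 50126 is the Entra error code for an invalid username or password.
SAMPLE = (
    [_rec(f"2024-01-06T02:00:{i:02d}Z", "alice@example.com", "203.0.113.7", "GB", 50126)
     for i in range(6)]
    + [_rec("2024-01-06T03:10:00Z", f"{u}@example.com", "198.51.100.9", "GB", 50126)
       for u in ("bob", "carol", "dave")]
    + [_rec("2024-01-07T04:30:00Z", "bob@example.com", "192.0.2.44", "BR", 0),
       _rec("2024-01-08T09:00:00Z", "carol@example.com", "203.0.113.20", "GB", 0)]
)

if __name__ == "__main__":
    clusters, spray, unexpected = review_signins(SAMPLE)
    print("Failure clusters:", clusters)
    print("One IP, many accounts:", spray)
    print("Outside expected countries:", unexpected)
```

A successful sign-in in the third list is the entry to open first in the portal, since it means valid credentials were used from a country you do not operate in.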
A user reports that they received a phishing email and may have entered their credentials on the linked website. Where do you go first?
Option A: M365 Admin Center to reset the user’s password.
Option B: Entra admin center to check the sign-in log for the user’s recent authentication activity.
Option C: Defender portal to check the incident queue for related alerts.
Option D: Intune to check the user’s device compliance status.
Start with Option B. The sign-in log tells you whether the credentials were actually used by an attacker — look for sign-ins from unusual IPs, locations, or devices after the time the user reported clicking the link. If you see suspicious sign-ins, that confirms the compromise and you move to containment (password reset, session revocation). If you see no suspicious sign-ins, the credentials may not have been captured or haven’t been used yet — you still reset the password as a precaution but with lower urgency. Option A (resetting the password immediately) is a reasonable instinct but skips the assessment step that tells you whether the attacker already accessed the account. Option C is useful but secondary — the Defender portal may not have correlated alerts yet if the attack just happened.
Try it: Bookmark the five portals
Open each of these URLs, verify you can sign in with your admin account, and bookmark them in a “Security” folder:
- entra.microsoft.com — navigate to Protection → Conditional Access and Monitoring → Sign-in logs
- security.microsoft.com — navigate to Incidents & alerts and Secure Score
- intune.microsoft.com — navigate to Devices → Compliance policies
- purview.microsoft.com — navigate to Audit (under Solutions)
- admin.microsoft.com — navigate to Users → Active users
If any of these portals require additional permissions, note which ones. You may need the Security Administrator or Security Reader role for the Defender portal, and the Intune Administrator role for the Intune admin center. Module AD0.8 covers the role assignments needed for security work.