Enable Azure ATP


There are several prerequisites you need before proceeding:

  • This is an Azure service, so you need an Azure tenant with Azure AD configured.
    Microsoft M365 E5 (enterprise) or A5 (education) licensing, or M365 E3/A3 + EMS E5/A5 licensing.
  • On-prem AD user account with read access to all AD objects. This can be a regular user account – it does not have to have any elevated access, it just needs to be able to read all objects. Best practice is to use a service account created just for this purpose.
  • An account in Azure AD that is a global administrator. This account will be needed to enable the Azure ATP instance. This is only to create the instance; after the instance is created, access to Azure ATP can be delegated.
  • A domain admin account. This account will be needed to install the Azure ATP sensor on your domain controllers. The sensor will need to be installed on all domain controllers. After the sensors are installed, domain admin access is no longer needed.
  • Your domain controllers will need access to *.atp.azure.com. This traffic can be routed through a proxy server: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy.

Create the Instance

Creating the Azure ATP instance is fairly straightforward. This process will need to be completed by an Azure AD global administrator.

  1. Create your on-prem AD service account mentioned in bullet point 3 of Prerequisites. For this guide, it is named svc_azureatp.
  2. Go to https://portal.atp.azure.com/ and sign-in with the Azure AD global admin account.
  3. Click the “Create” button.
  1. Wait for the service to be created (it could take a minute or two).
  2. Click “Provide a username and password.”

Provide the username of your Azure ATP service account, it’s password, and the AD domain name.

  1. Click Save.

Install the Azure ATP Sensor

Now we need to install the sensor on the domain controllers.

  1. From the setup screen, click “Download Sensor Setup.”
  1. Click the blue Download button to download the sensor. Don’t close the webpage, as we’ll need to come back to get the Access key.
  2. Copy the ZIP file to your domain controller and unzip it.
  3. Run the “Azure ATP Sensor Setup” installer.
  4. Accept the defaults, and when prompted, provide the Access key from the Azure ATP portal.
  1. Click Install.

After installation is complete, you should see the domain controller in the Azure ATP portal.

Run through the same steps on the rest of your domain controllers.


Most of the triggers and alerts in Azure ATP take time to start showing up. This is because the service spends some time learning your environment. For a full list of default alerts and the learning period, see the Azure ATP Security Alerts guide: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external. Clicking the alert name will give you detailed information, including the learning period.

Testing Functionality

The quickest way to test functionality and communication is to create a group in AD, mark it as sensitive in Azure ATP, then change it’s membership. To do this, follow these steps:

  1. Create a test group in AD. For this guide, it is called atp_test.
  2. In the Azure ATP portal, go to Configuration > Entity Tags, and expand Sensitive.

Type the name of the test group in the “Sensitive groups” box and click the + sign.

  1. Click Save.
  2. Wait a minute or two, then go back to AD and add a user to the test group.
  3. After another minute or two, you should be able to look at reports and see that you now have a modification to sensitive groups report available.

That’s it. You now have a functional Azure ATP instance that will start learning your environment to help keep your accounts secure.

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.