Enable Azure ATP


There are several prerequisites you need before proceeding:

  • This is an Azure service, so you need an Azure tenant with Azure AD configured.
    Microsoft M365 E5 (enterprise) or A5 (education) licensing, or M365 E3/A3 + EMS E5/A5 licensing.
  • On-prem AD user account with read access to all AD objects. This can be a regular user account – it does not have to have any elevated access, it just needs to be able to read all objects. Best practice is to use a service account created just for this purpose.
  • An account in Azure AD that is a global administrator. This account will be needed to enable the Azure ATP instance. This is only to create the instance; after the instance is created, access to Azure ATP can be delegated.
  • A domain admin account. This account will be needed to install the Azure ATP sensor on your domain controllers. The sensor will need to be installed on all domain controllers. After the sensors are installed, domain admin access is no longer needed.
  • Your domain controllers will need access to *.atp.azure.com. This traffic can be routed through a proxy server: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy.

Create the Instance

Creating the Azure ATP instance is fairly straightforward. This process will need to be completed by an Azure AD global administrator.

  1. Create your on-prem AD service account mentioned in bullet point 3 of Prerequisites. For this guide, it is named svc_azureatp.
  2. Go to https://portal.atp.azure.com/ and sign-in with the Azure AD global admin account.
  3. Click the “Create” button.
  1. Wait for the service to be created (it could take a minute or two).
  2. Click “Provide a username and password.”

Provide the username of your Azure ATP service account, it’s password, and the AD domain name.

  1. Click Save.

Install the Azure ATP Sensor

Now we need to install the sensor on the domain controllers.

  1. From the setup screen, click “Download Sensor Setup.”
  1. Click the blue Download button to download the sensor. Don’t close the webpage, as we’ll need to come back to get the Access key.
  2. Copy the ZIP file to your domain controller and unzip it.
  3. Run the “Azure ATP Sensor Setup” installer.
  4. Accept the defaults, and when prompted, provide the Access key from the Azure ATP portal.
  1. Click Install.

After installation is complete, you should see the domain controller in the Azure ATP portal.

Run through the same steps on the rest of your domain controllers.


Most of the triggers and alerts in Azure ATP take time to start showing up. This is because the service spends some time learning your environment. For a full list of default alerts and the learning period, see the Azure ATP Security Alerts guide: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external. Clicking the alert name will give you detailed information, including the learning period.

Testing Functionality

The quickest way to test functionality and communication is to create a group in AD, mark it as sensitive in Azure ATP, then change it’s membership. To do this, follow these steps:

  1. Create a test group in AD. For this guide, it is called atp_test.
  2. In the Azure ATP portal, go to Configuration > Entity Tags, and expand Sensitive.

Type the name of the test group in the “Sensitive groups” box and click the + sign.

  1. Click Save.
  2. Wait a minute or two, then go back to AD and add a user to the test group.
  3. After another minute or two, you should be able to look at reports and see that you now have a modification to sensitive groups report available.

That’s it. You now have a functional Azure ATP instance that will start learning your environment to help keep your accounts secure.

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

WME Security Briefing 27 May 2024

Kinsing Hacker Group Exploits Docker Vulnerabilities Overview Recent investigations have shown that the hacker group Kinsing is actively exploiting Docker vulnerabilities to gain unauthorized access to systems. The modified hacker group targets misconfigured Docker API ports deployed with cryptocurrency mining malware.

Read More »
WME Cybersecurity Briefings No. 010
Cyber Security

WME Security Briefing 20 May 2024

Advanced Persistent Threats: North Korean Hackers Launch Golang Malware Overview A new malware strain, called Titan Stealer, is currently actively circulating in the threat landscape, targeting a variety of personal data and linked to North Korean state-sponsored cyber espionage

Read More »
WME Cybersecurity Briefings No. 009
Cyber Security

WME Security Briefing 08 May 2024

Exploitable vulnerability in Microsoft Internet Explorer, used to deploy VBA Malware Overview Cybersecurity researchers discovered a severe exploitation targeting a bug that had already been patched in the Microsoft Internet Explorer browser. Their report added that

Read More »
WME Cybersecurity Briefings No. 008
Cyber Security

WME Security Briefing 03 May 2024

Security Bulletin: MITRE Corporation Targeted by Nation-State Cyber Attack Overview The MITRE Corporation, a prominent security and cybersecurity researcher in the USA, has fallen prey to compromise in its environment because of a sophisticated cyberattack from

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.