Azure ATP is a cloud-based service that monitors your on-prem Active Directory domain controllers for signs of an intruder and of compromised accounts. It can alert on possible pass-the-hash style attacks and account compromises. It is a very easy service to set up, and one you should enable immediately if you haven’t already. It will only take you about 10 minutes to enable it, assuming you have everything you need.
Azure ATP works by placing a sensor in your on-prem environment that monitors your AD. This sensor can either be installed directly on all of your domain controllers, or installed on a standalone server. This guide is going to install the sensor directly on the domain controllers. If you need information on the standalone server option, you can start here: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-capacity-planning#choosing-the-right-sensor-type-for-your-deployment.
There are several prerequisites you need before proceeding:
- This is an Azure service, so you need an Azure tenant with Azure AD configured.
- Microsoft M365 E5 (enterprise) or A5 (education) licensing, or M365 E3/A3 + EMS E5/A5 licensing.
- On-prem AD user account with read access to all AD objects. This can be a regular user account – it does not have to have any elevated access, it just needs to be able to read all objects. Best practice is to use a service account created just for this purpose.
- An account in Azure AD that is a global administrator. This account will be needed to enable the Azure ATP instance. This is only to create the instance; after the instance is created, access to Azure ATP can be delegated.
- A domain admin account. This account will be needed to install the Azure ATP sensor on your domain controllers. The sensor will need to be installed on all domain controllers. After the sensors are installed, domain admin access is no longer needed.
- Your domain controllers will need access to *.atp.azure.com. This traffic can be routed through a proxy server: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-proxy.
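The prerequisites above can be checked (and the read-only service account created) from a domain-joined admin workstation before you touch the portal. The PowerShell below is an added example, not part of the original post or Microsoft's documentation; it assumes the RSAT ActiveDirectory module is installed, that the instance name and service account name are yours to set, and that the sensor endpoint follows the `<instance-name>sensorapi.atp.azure.com` pattern (confirm the exact hostname in your portal before relying on the connectivity check).

```powershell
# Added example (not from the original post): validate Azure ATP prerequisites and create
# the least-privilege service account the sensor will use to read the directory.
# Run as a domain admin from a domain-joined workstation with RSAT installed.
Import-Module ActiveDirectory

$ServiceAccount = 'svc_azureatp'   # name used in this guide
$InstanceName   = 'contoso'        # assumption: your Azure ATP instance name as shown in the portal
# Assumption: sensors talk to "<instance-name>sensorapi.atp.azure.com" (verify in the portal)
$SensorEndpoint = "${InstanceName}sensorapi.atp.azure.com"

# 1. Service account: a plain domain user with no group membership beyond Domain Users.
#    Default read access to all objects is all the sensor needs; never use a domain admin here.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$ServiceAccount'")) {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)   # 256-bit random password, shown once
    New-ADUser -Name $ServiceAccount -SamAccountName $ServiceAccount `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Azure ATP sensor read-only directory account'
    Write-Host "Created $ServiceAccount. Paste this password into the Azure ATP portal now: $password"
}

# Fail loudly if someone later adds the account to a privileged group.
$privileged = Get-ADPrincipalGroupMembership -Identity $ServiceAccount |
    Where-Object { $_.Name -match 'Admin|Operator' }
if ($privileged) {
    Write-Warning "$ServiceAccount is over-privileged: $($privileged.Name -join ', ')"
}

# 2. Every domain controller (the sensor goes on all of them) must reach *.atp.azure.com on TCP 443.
#    If you route through a proxy, run this check against the proxy host/port instead.
$dcs = Get-ADDomainController -Filter *
$results = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
    param($Endpoint)
    $t = Test-NetConnection -ComputerName $Endpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        Endpoint  = $Endpoint
        Reachable = $t.TcpTestSucceeded
    }
} -ArgumentList $SensorEndpoint

$results | Format-Table DC, Endpoint, Reachable -AutoSize
$unreachable = $results | Where-Object { -not $_.Reachable }
if ($unreachable) { Write-Warning "Fix outbound HTTPS on: $($unreachable.DC -join ', ')" }
```

Any DC that shows `Reachable = False` will install the sensor fine but never report in, so fix the firewall or proxy rule before you start the installs.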
Create the Instance
Creating the Azure ATP instance is fairly straightforward. This process will need to be completed by an Azure AD global administrator.
- Create the on-prem AD service account described in the Prerequisites (the read-only account the sensor will use). For this guide, it is named svc_azureatp.
- Go to https://portal.atp.azure.com/ and sign-in with the Azure AD global admin account.
- Click the “Create” button.
- Wait for the service to be created (it could take a minute or two).
- Click “Provide a username and password.”
- Provide the username of your Azure ATP service account, its password, and the AD domain name.
- Click Save.
Install the Azure ATP Sensor
Now we need to install the sensor on the domain controllers.
- From the setup screen, click “Download Sensor Setup.”
- Click the blue Download button to download the sensor. Don’t close the webpage, as we’ll need to come back to get the Access key.
- Copy the ZIP file to your domain controller and unzip it.
- Run the “Azure ATP Sensor Setup” installer.
- Accept the defaults, and when prompted, provide the Access key from the Azure ATP portal.
- Click Install.
After installation is complete, you should see the domain controller in the Azure ATP portal.
Run through the same steps on the rest of your domain controllers.
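Clicking through the installer on every DC does not scale past a handful of domain controllers. The script below is an added example, not from the original post or from Microsoft; it copies the downloaded ZIP to each DC over PowerShell remoting, runs the installer unattended, and reports the exit code and sensor service state. The local ZIP path, the installer file name inside the archive, and the service names `AATPSensor` / `AATPSensorUpdater` are assumptions to confirm against your download; the `/quiet`, `NetFrameworkCommandLineArguments` and `AccessKey` switches are the silent-install switches Microsoft documents for the sensor installer, so verify them against the current documentation before use.

```powershell
# Added example (not from the original post): silent sensor install on every domain controller.
# Run as a domain admin from a workstation that can open WinRM sessions to the DCs.
Import-Module ActiveDirectory

$ZipPath   = 'C:\Temp\Azure ATP Sensor Setup.zip'   # assumption: where you saved the portal download
$RemoteDir = 'C:\AzureATPSensor'                     # assumption: staging folder on each DC

# Prompt for the Access key so it never lands in shell history or a script file.
$AccessKey = Read-Host -Prompt 'Azure ATP Access key' -AsSecureString
$KeyPlain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AccessKey))

foreach ($dc in Get-ADDomainController -Filter *) {
    $session = New-PSSession -ComputerName $dc.HostName

    Invoke-Command -Session $session -ScriptBlock {
        New-Item -ItemType Directory -Force -Path $using:RemoteDir | Out-Null
    }
    Copy-Item -Path $ZipPath -Destination "$RemoteDir\sensor.zip" -ToSession $session

    $result = Invoke-Command -Session $session -ScriptBlock {
        param($Dir, $Key)
        Expand-Archive -Path "$Dir\sensor.zip" -DestinationPath $Dir -Force
        # Assumption: the installer inside the ZIP is named "Azure ATP sensor Setup.exe"
        $setup = Get-ChildItem -Path $Dir -Filter 'Azure ATP sensor Setup.exe' -Recurse |
                 Select-Object -First 1

        # /quiet = unattended; NetFrameworkCommandLineArguments="/q" = silent .NET prerequisite;
        # AccessKey = the key from the portal's sensor setup page.
        $p = Start-Process -FilePath $setup.FullName -Wait -PassThru -ArgumentList @(
            '/quiet',
            'NetFrameworkCommandLineArguments="/q"',
            "AccessKey=`"$Key`""
        )

        Start-Sleep -Seconds 30   # let the freshly registered services start
        # Assumption: service names as created by the sensor package
        $svc = Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' -ErrorAction SilentlyContinue

        Remove-Item -Path "$Dir\sensor.zip" -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC       = $env:COMPUTERNAME
            ExitCode = $p.ExitCode          # 0 = success; anything else, read %TEMP% installer logs on the DC
            Services = ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ' '
        }
    } -ArgumentList $RemoteDir, $KeyPlain

    Remove-PSSession $session
    $result
}
$KeyPlain = $null   # drop the plaintext key from the session when done
```

After the loop finishes, every DC should show `ExitCode = 0` and both services `Running`; cross-check the list against the sensors page in the Azure ATP portal, since a sensor that installed but cannot reach the cloud will show up locally yet stay missing from the portal.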
Most of the triggers and alerts in Azure ATP take time to start showing up. This is because the service spends some time learning your environment. For a full list of default alerts and the learning period, see the Azure ATP Security Alerts guide: https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide?tabs=external. Clicking the alert name will give you detailed information, including the learning period.
The quickest way to test functionality and communication is to create a group in AD, mark it as sensitive in Azure ATP, then change its membership. To do this, follow these steps:
- Create a test group in AD. For this guide, it is called atp_test.
- In the Azure ATP portal, go to Configuration > Entity Tags, and expand Sensitive.
- Type the name of the test group in the “Sensitive groups” box and click the + sign.
- Click Save.
- Wait a minute or two, then go back to AD and add a user to the test group.
- After another minute or two, you should be able to look at reports and see that a “Modifications to sensitive groups” report is now available, showing the membership change.
That’s it. You now have a functional Azure ATP instance that will start learning your environment to help keep your accounts secure.
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.