Deploy Azure ATP
To begin deploying Azure ATP you first need to create a workspace. Go to https://portal.atp.azure.com to access the Workspace Management Portal, where you can create or delete a workspace and configure integration with Windows Defender ATP. You can only have a single primary workspace, and a maximum of two active and three deleted workspaces.
By default, Global Administrators have access to Azure ATP. Three additional role groups are created per workspace for managing Azure ATP: Administrators have full access, Users can manage activities and alerts, and Viewers can only view the workspace portal.
Once you have created your workspace, you need to connect it to your on-premises Active Directory. This involves entering the credentials of a read-only AD account and installing the sensor on a domain controller (or on a dedicated server as a standalone sensor). Download the sensor package, save it locally on the server, and copy the Access key.
Azure ATP requires .NET Framework 4.7 to be installed on the server. If it is not installed, the Azure ATP sensor installer will install it, which requires a reboot. On a domain controller the sensor setup is a quick, three-page wizard: simply select your language, the deployment type (which is determined automatically), and the install path.
After the package is installed you should see the sensor in the Workspace portal. At this point you can select your domain controller and provide a description, select the NICs to capture (for a standalone sensor), and set the Domain synchronizer candidate option. This option determines which server is responsible for synchronization between Azure ATP and your on-premises domain; it should be the standalone sensor or, if none were deployed, your primary domain controller. Remote and read-only domain controllers should not have this option enabled.
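The sensor steps above (saving the package and Access key, checking the .NET Framework 4.7 prerequisite, and running setup) can be scripted for repeatable rollouts. The following PowerShell is an added example written for this post; it is not code from the original article or from Microsoft. It assumes the package downloaded from the Workspace portal has been extracted to the folder passed as -PackageDir, that -AccessKey holds the Access key copied from the portal, and that the installed sensor service is named AATPSensor. The post-install settings from the paragraph above (description, NICs, Domain synchronizer candidate) are still set in the portal.

```powershell
<#
Added example (not from the original post or from Microsoft): pre-flight checks and
an unattended install of the Azure ATP sensor on a domain controller.
Assumptions: the sensor package has been extracted to -PackageDir, -AccessKey holds
the Access key copied from the Workspace portal, and the sensor service is AATPSensor.
#>
param(
    [Parameter(Mandatory = $true)] [string] $PackageDir,
    [Parameter(Mandatory = $true)] [string] $AccessKey
)

# 1. .NET Framework 4.7 prerequisite. .NET 4.x records its version as the "Release"
#    DWORD under NDP\v4\Full; 460798 is the lowest Release value for 4.7.
$minRelease = 460798
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt $minRelease) {
    Write-Warning ".NET Framework 4.7 is missing (Release = $($ndp.Release)); setup will install it and a reboot will be needed."
}

# 2. Confirm the host is a domain controller. DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Write-Warning 'This host is not a domain controller; a standalone sensor also needs port mirroring configured.'
}

# 3. Locate the installer shipped in the portal package.
$setup = Join-Path -Path $PackageDir -ChildPath 'Azure ATP sensor Setup.exe'
if (-not (Test-Path -Path $setup)) {
    throw "Sensor installer not found at '$setup'."
}

# 4. Run the silent install. /quiet suppresses the wizard, the NetFrameworkCommandLineArguments
#    value makes the bundled .NET install silent too, and AccessKey registers the sensor with
#    the workspace. The key is passed only to the process and is never written to a log here.
$setupArgs = @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',
    "AccessKey=`"$AccessKey`""
)
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru -NoNewWindow

# 5. Interpret the result. 0 = success, 3010 = success but a reboot is required
#    (standard Windows Installer code, expected when .NET was just installed).
switch ($proc.ExitCode) {
    0       { Write-Host 'Sensor installed.' }
    3010    { Write-Warning 'Sensor installed; reboot required to finish.' }
    default { throw "Sensor setup failed with exit code $($proc.ExitCode)." }
}

# 6. Verify the sensor service exists and is running (assumption: service name AATPSensor).
$svc = Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    Write-Host 'AATPSensor service is running; finish sensor configuration in the Workspace portal.'
} else {
    Write-Warning 'AATPSensor service is not running; review the installer logs before configuring the sensor in the portal.'
}
```

Run it from an elevated PowerShell session on the domain controller, for example `.\Install-AtpSensor.ps1 -PackageDir 'C:\Temp\AzureATPSensor' -AccessKey '<key from portal>'`. Passing the Access key as a parameter rather than hard-coding it keeps it out of the script file; a 3010 exit code is normal on a server that did not already have .NET Framework 4.7.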
That concludes the basic installation of Azure ATP when installing directly on a domain controller. If you are deploying a standalone sensor, a few additional steps are required, such as configuring port mirroring. It is recommended to connect all domain controllers to Azure ATP so that it receives the most data and can provide the most accurate alerts and protection from threats. Once deployed, you can proceed with any customization necessary, including SIEM integration, setting up notifications, or anything else desired. Just remember that Azure ATP needs at least two weeks to learn the environment before it can accurately report valid issues.
Azure ATP is just one of many security toolsets that Microsoft provides to protect your Identity, Apps, Data, Devices, and Infrastructure. If you already have EMS E5 licenses or are looking to expand upon your current protection capabilities, contact Enabling Technologies to see how we can assist with your security goals. You can also check out our other security offerings on the SecureIT page of our website.
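Because the recommendation above is to have every domain controller reporting to Azure ATP, a coverage report is a useful follow-up. The script below is an added example, not code from the original post or from Microsoft: it enumerates the domain controllers in the domain and reports which ones lack a running sensor service. It assumes the ActiveDirectory PowerShell module is installed, that PowerShell remoting (WinRM) is allowed to the domain controllers, and that the sensor service is named AATPSensor. The IsReadOnly column is included because, as noted earlier, read-only domain controllers should not be chosen as the Domain synchronizer candidate.

```powershell
<#
Added example (not from the original post or from Microsoft): list domain
controllers that do not have a running Azure ATP sensor.
Assumptions: ActiveDirectory module present, WinRM reachable on each DC, and the
sensor service is named AATPSensor.
#>
Import-Module ActiveDirectory

# HostName and IsReadOnly come straight from Get-ADDomainController.
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IsReadOnly

$report = foreach ($dc in $dcs) {
    try {
        # Query the service remotely; a missing service returns $null rather than an error.
        $svc = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Get-Service -Name 'AATPSensor' -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsReadOnly       = $dc.IsReadOnly
            SensorInstalled  = [bool]$svc
            SensorRunning    = [bool]($svc -and $svc.Status -eq 'Running')
            Error            = $null
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            IsReadOnly       = $dc.IsReadOnly
            SensorInstalled  = $null
            SensorRunning    = $null
            Error            = $_.Exception.Message
        }
    }
}

$report | Sort-Object SensorRunning, DomainController | Format-Table -AutoSize

# Anything not confirmed running (missing, stopped, or unreachable) is a coverage gap.
$gaps = @($report | Where-Object { -not $_.SensorRunning })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) domain controller(s) without a confirmed running sensor."
}
```

Running this from a management host with the RSAT AD tools gives a single table to check after the initial rollout and again after adding domain controllers, so a new DC that never received a sensor does not become a blind spot.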