Applies to: Azure Advanced Threat Protection

Configure Azure ATP to make remote calls to SAM

Azure ATP lateral movement path detection relies on queries that identify the local administrators on specific machines. These queries are performed with the SAM-R protocol, using the Azure ATP service account that was created during Azure ATP installation (Step 2, Connect to AD). If the queried machines reject remote SAM calls from that account, lateral movement paths cannot be calculated for them.

Configure SAM-R required permissions

To ensure that Windows clients and servers allow your Azure ATP service account to perform SAM-R queries, modify Group Policy so that the Azure ATP service account is added to the accounts already listed in the Network access policy described below. Add the account to the existing list rather than replacing it, so that accounts that are currently permitted keep their access.

  1. Locate the policy:

    • Policy Name: Network access - Restrict clients allowed to make remote calls to SAM
    • Location: Computer configuration, Windows settings, Security settings, Local policies, Security options


  2. Add the Azure ATP service account to the list of approved accounts that are allowed to make remote calls to SAM on your modern Windows systems (Windows 10 version 1607 and later, Windows Server 2016 and later, or earlier versions that have the policy installed through the relevant Windows update).


  3. The Azure ATP service account (the account created during installation) now has the privileges needed to perform SAM-R queries in the environment once the policy is applied to the target machines.
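The steps above are performed through the Group Policy editor. The following PowerShell script is an added example, not part of the Azure ATP documentation or product, that applies the same change to a single machine for testing: it resolves the service account to its SID, appends an ACE granting it the READ_CONTROL right to the existing RestrictRemoteSAM security descriptor (or to the policy default that permits only Administrators when none is configured), enables audit-only mode, and then issues a SAM-R backed local group lookup so you can confirm the result. The account name CONTOSO\svc-aatp and the remote computer name are placeholders; the registry value names come from the linked policy documentation.

```powershell
# Added example for testing the policy on one host before rolling it out by GPO.
# Assumptions: runs elevated; CONTOSO\svc-aatp is a placeholder for your Azure ATP
# service account; TESTHOST01 is a placeholder machine that already has the policy applied.
$ServiceAccount = 'CONTOSO\svc-aatp'
$TargetComputer = 'TESTHOST01'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# SDDL ACEs reference SIDs or well-known aliases, not account names, so resolve the SID first.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Start from the currently configured descriptor, or the policy default (Administrators only)
# if none is set, so that accounts already approved keep their access.
$current = (Get-ItemProperty -Path $LsaKey -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
if ([string]::IsNullOrEmpty($current)) { $current = 'O:BAG:BAD:(A;;RC;;;BA)' }

$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($current)
$alreadyPresent = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }
if (-not $alreadyPresent) {
    # RC in SDDL is READ_CONTROL (0x20000); that is the right the policy checks on remote SAM calls.
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        0x20000, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
}
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# Audit-only mode: calls that would be blocked are logged but still succeed, which lets you
# verify application compatibility before enforcing the restriction.
Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSamAuditOnlyMode -Value 1 -Type DWord
Set-ItemProperty -Path $LsaKey -Name RestrictRemoteSAM -Value $newSddl -Type String
Write-Output "RestrictRemoteSAM is now: $newSddl (audit-only mode enabled)"

# Verification, run in a session that holds the service account's credentials:
# the WinNT ADSI provider enumerates a remote local group through the SAM interface,
# so an "Access is denied" error here means the target still rejects the account.
try {
    $group   = [ADSI]"WinNT://$TargetComputer/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    Write-Output "Local Administrators on ${TargetComputer}: $($members -join ', ')"
} catch {
    Write-Warning "SAM-R query against $TargetComputer failed: $($_.Exception.Message)"
}
```

Remove the RestrictRemoteSamAuditOnlyMode value (or set it to 0) once the audit results show only expected callers, at which point the descriptor is enforced. Applying the value locally is only for testing; in production the Group Policy setting from the steps above should be the single source of truth, because it will overwrite a locally edited descriptor at the next policy refresh.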

Note

Before enforcing the new policy, enable it in audit mode first and review the resulting audit events. This confirms that your environment remains secure and that application compatibility is not affected, because any caller that the policy would block is logged rather than denied until you switch to enforcement.

For more on SAM-R and this Group Policy, see Network access: Restrict clients allowed to make remote calls to SAM.
