Applies to: Azure Advanced Threat Protection
Configure Azure ATP to make remote calls to SAM
Azure ATP lateral movement path detection relies on queries that identify the local administrators on specific machines. These queries are made over the SAM-R protocol (remote calls to the Security Account Manager) using the Azure ATP service account created during Azure ATP installation, Step 2, Connect to AD.
Configure SAM-R required permissions
To ensure that Windows clients and servers allow the Azure ATP service account to perform SAM-R, modify Group Policy so that the Azure ATP service account is added alongside the accounts already configured in the Network access policy. Note that a configured value replaces the default security descriptor rather than merging with it, so keep the existing entries (by default, BUILTIN\Administrators) when you add the account.
Locate the policy:
- Policy Name: Network access: Restrict clients allowed to make remote calls to SAM
- Location: Computer configuration, Windows settings, Security settings, Local policies, Security options
Add the Azure ATP service account to the list of accounts approved to perform this action (the Remote Access permission) on your modern Windows systems (Windows 10 version 1607 and Windows Server 2016 and later; the setting is available on earlier versions through updates).
Once the policy applies, AATP Service (the Azure ATP service account created during installation) has the privileges needed to perform SAM-R in the environment.
Before enforcing the new policy, enable it in audit-only mode and verify the proposed change: in audit-only mode, calls that the configured descriptor would block are logged in the SAM operational event log instead of being denied, so you can confirm that your environment remains secure and that application compatibility is not affected before the restriction takes effect.
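The following PowerShell script is an added example, not part of the original article or the Azure ATP product, for testing the change on a single lab host before rolling it out through Group Policy. It writes the same registry values the Group Policy setting controls (RestrictRemoteSam and RestrictRemoteSamAuditOnlyMode under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), appends an allow ACE for the service account to the existing descriptor, validates the SDDL before writing it, and then reads back the SAM operational events. The account name CONTOSO\svc-aatp and the function name Test-SamrLocalAdmins are assumptions; substitute your own service account.

```powershell
# Added example (not from the article): stage the SAM-R restriction on one host.
# Assumptions: the Azure ATP service account is CONTOSO\svc-aatp (assumed name),
# the script runs elevated on the target host, and the domain is reachable for SID lookup.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-aatp',
    [switch]$AuditOnly      # stage the change in audit-only mode first
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Resolve the account to its SID: SDDL ACEs carry SIDs, not names.
$ntAccount = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Start from the current descriptor, or the policy default, which grants only
#    BUILTIN\Administrators (BA) the RC right (READ_CONTROL, 0x20000), the right
#    this policy treats as "Remote Access". Append an ACE for the service account
#    so the existing entries are preserved rather than replaced.
$default = 'O:BAG:BAD:(A;;RC;;;BA)'
$current = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
if (-not $current) { $current = $default }
$ace = "(A;;RC;;;$sid)"
$new = if ($current -like "*$ace*") { $current } else { $current + $ace }

# Validate the SDDL before writing it: a malformed value makes SAM fall back to
# the default descriptor (logged as event 16964), silently undoing the change.
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

Set-ItemProperty -Path $lsaKey -Name RestrictRemoteSam -Value $new -Type String
Set-ItemProperty -Path $lsaKey -Name RestrictRemoteSamAuditOnlyMode -Value ([int][bool]$AuditOnly) -Type DWord
Write-Host "RestrictRemoteSam = $new (audit-only: $([bool]$AuditOnly))"

# 3. Review the SAM operational log. Event 16965 reports a denied remote SAM call
#    with the client SID and network address; in audit-only mode the calls that
#    would have been denied are recorded without being blocked.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SAM/Operational'; Id = (16962..16969) } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. Exercise SAM-R as the service account (for example via runas) to confirm the
#    allow ACE works. The WinNT ADSI provider enumerates local groups through the
#    NetAPI local-group calls, which are carried over SAM-R.
function Test-SamrLocalAdmins {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}
```

Run it first with -AuditOnly, drive the lateral movement path queries (or call Test-SamrLocalAdmins as the service account and as an unprivileged user), and check that only the unprivileged user shows up as a would-be denial before you clear audit-only mode. Because the Group Policy setting writes these same values, a local edit is overwritten at the next policy refresh, so once the lab test passes, make the change in the GPO described above rather than on individual hosts.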
For more on SAM-R and this Group Policy, see Network access: Restrict clients allowed to make remote calls to SAM.