Azure Advanced Threat Protection integration

Applies to: Microsoft Cloud App Security

Microsoft Cloud App Security integrates with Azure Advanced Threat Protection (Azure ATP) to provide user entity behavioral analytics (UEBA) across a hybrid environment, covering both cloud apps and on-premises. For more information, see Tutorial: Investigate risky users. For more information about the machine learning and behavioral analytics provided by Azure ATP, see What is Azure ATP?

Prerequisites

For complete user investigation across a hybrid environment, you must have:

  • A valid license for Azure ATP connected to your Active Directory instance.
  • You must be a global admin to enable integration between Azure ATP and Microsoft Cloud App Security.
  • If you do not have Azure ATP, try it now.

Note

If you don't have a subscription for Microsoft Cloud App Security, you will still be able to use the Cloud App Security portal to get Azure ATP insights.

Enable Azure Advanced Threat Protection

To enable Cloud App Security integration with Azure ATP:

  1. In Cloud App Security, under the settings cog, select Settings.


  2. Under Threat Protection, select Azure ATP.


  3. Select Connect Azure ATP data including alerts and activities with Cloud App Security and then click Save.

Note

It may take up to 12 hours until the integration takes effect.

After enabling Azure Advanced Threat Protection integration, you'll be able to see on-premises activities for all the users in your organization. You will also get advanced insights on your users that combine alerts and suspicious activities across your cloud and on-premises environments.

Disable Azure Advanced Threat Protection

To disable Cloud App Security integration with Azure ATP:

  1. In Cloud App Security, under the settings cog, select Settings.

  2. Under Threat Protection, select Azure ATP.

  3. Clear Connect Azure ATP data including alerts and activities with Cloud App Security and then click Save.

Note

Existing Azure ATP data is kept in accordance with Cloud App Security retention policies, but the Identity Security Posture assessments are removed.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.