Azure Advanced Threat Protection integration
Applies to: Microsoft Cloud App Security
Microsoft Cloud App Security integrates with Azure Advanced Threat Protection (Azure ATP) to provide user entity behavioral analytics (UEBA) across a hybrid environment - both cloud app and on-premises, for more information, see Tutorial: Investigate risky users For more information about the machine learning and behavioral analytics provided by Azure ATP, see What is Azure ATP?.
For complete user investigation across a hybrid environment, you must have:
- A valid license for Azure ATP connected to your Active Directory instance
- You must be a global admin to enable integration between Azure ATP and Microsoft Cloud App Security
- If do not have Azure ATP, try it now
If you don't have a subscription for Microsoft Cloud App Security, you will still be able to use the Cloud App Security portal to get Azure ATP insights.
Enable Azure Advanced Threat Protection
To enable Cloud App Security to integrate with Azure ATP:
In Cloud App Security, under the settings cog, select Settings.
Under Threat Protection, select Azure ATP.
Select the checkbox to Connect Azure ATP data including alerts and activities with Cloud App Security.
It may take up to 12 hours until the integration takes effect.
After enabling Azure Advanced Threat Protection integration, you'll be able to see on-premises activities for all the users in your organization. You will also get advanced insights on your users that combine alerts and suspicious activities across your cloud and on-prem environments.