Integrate Office 365 Advanced Threat Protection with Microsoft Defender Advanced Threat Protection

If you are part of your organization's security team, you can integrate Office 365 Advanced Threat Protection and related investigation and response features with Microsoft Defender Advanced Threat Protection. This can help you quickly understand if users' machines are at risk when you are investigating threats in Office 365. For example, once integration is enabled, you will be able to see a list of machines that are used by the recipients of a detected email message, as well as how many recent alerts those machines have in Microsoft Defender Advanced Threat Protection.

The following image shows the Devices tab that you'll see when you have Microsoft Defender ATP integration enabled:

When Microsoft Defender ATP is enabled, you can see a list of machines with alerts.

In this example, you can see that the recipients of the email message have four devices and one has an alert. Clicking the link for a device opens its page in the Microsoft Defender Security Center.

Requirements

To integrate Office 365 ATP with Microsoft Defender ATP

Integration between Office 365 ATP and Microsoft Defender ATP is set up in two places: the Security & Compliance Center and the Microsoft Defender Security Center. The connection must be enabled in both.

  1. As an Office 365 global administrator or a security administrator, go to https://protection.office.com and sign in with your work or school account for Office 365.

  2. Choose Threat management > Explorer.

  3. In the upper right corner of the screen, choose WDATP Settings.

  4. In the Windows Defender ATP connection dialog box, turn on Connect to Windows ATP.

  5. Enable the connection in the Microsoft Defender Security Center.

Office 365 Threat Investigation and Response

Office 365 Advanced Threat Protection