Integrate Office 365 Threat Intelligence with Windows Defender Advanced Threat Protection
If you are part of your organization's security team, you can integrate Office 365 with Windows Defender Advanced Threat Protection (ATP). This can help you quickly understand if users' machines are at risk when you are investigating threats in Office 365. For example, once integration is enabled, you will be able to see a list of machines that are used by the recipients of a detected email message, as well as how many recent alerts those machines have in Windows Defender ATP.
The following image shows the Devices tab that you'll see when have Windows Defender ATP integration enabled:
In this example, you can see that the recipients of the email message have four machines and one has an alert in Windows Defender ATP. Clicking the link to a machine opens the machine page in Windows Defender ATP in a new tab.
Your organization must have Office 365 Threat Intelligence and Windows Defender ATP.
You must be an Office 365 global administrator or have a security administrator role assigned in the Security & Compliance Center. (See Permissions in the Office 365 Security & Compliance Center)
You must have access to both Office 365 Threat Intelligence and the Windows Defender ATP portal.
To integrate Office 365 Threat Intelligence with Windows Defender ATP
Integrating Office 365 Threat Intelligence with Windows Defender ATP is set up both in Office 365 and in the Windows Defender ATP portal.
As an Office 365 global or a security administrator, go to https://security.microsoft.com and sign in with your work or school account for Office 365.
Choose Threat management > Threat explorer.
On the More menu, choose WDATP Settings.
Select Connect to Windows ATP.
After you have changed the settings in Office 365, you must enable the connection from Windows Defender ATP. To do that, see Use the Windows Defender Advanced Threat Protection portal.