Advanced Threat Protection by Microsoft

I just wanted to throw together a quick post explaining the differences between the "Advanced Threat Protection" solutions from Microsoft. These different offerings sometimes confuse me, and I work for Microsoft. So let me start from the desktop and soar to the cloud. Keep in mind, all these solutions require Azure and/or Office 365 and various levels of licensing.

BLUF: Microsoft Defender ATP protects the endpoints, Office 365 ATP protects by determining safe attachements and links with Exchange, SharePoint, Teams and OneDrive online, Azure ATP helps to protect on-premises Active Directory identities.

Microsoft Defender ATP


At a high-level Microsoft Defender ATP is a platform that takes signals from the desktop and the Microsoft  Intelligence Security Graph (more on that later) to provide protections for the endpoint and enterprise reporting. It really does get more in-dept than that. Please see the link above.

Office 365 ATP


Office 365 ATP is utilized to provide detection and protection from malicious links and attachments. Depending on the level of licensing, this protection is more than just email, it can include Teams, SharePoint and OneDrive. It also provides reporting and even attack simulation.

Azure ATP


Azure ATP provides for on-premises Active Directory signals. It monitors users activities to create a baseline for normal behavior. It provides recommendations to better protect identities. It can help identify suspicious activities to help reduce the potential for attack.

Microsoft Intelligence Security Graph


Collection of threat intelligence signals and indicators from Microsoft and partners products and services that are fed to advanced analytics to create insights on threats. This graph is utilized to provide real-time protection to Microsoft products and services. It also provides an API that can be utilized beyond Microsoft products to help identify and protect against threats.

For example, a user opens a malicious PDF that infects a Windows 10 system. When investigated and determined to be malicious that indicator is fed back to the graph. Office 365 utilized this same graph to ensure that the attachment is blocked for other users.