Azure ATP - Sensitive Accounts


I am looking to configure Azure ATP to monitor sensitive accounts in my local Active Directory and want to know what is the max. number of accounts I can add in Sensitive accounts setting? Also, can adding sensitive accounts be automated using API or PS?

Thank you

2 Replies

@CyberSecGuy, there is no official max number as we didn't put any max cap to it.

In theory you can run out of space in the config, but since there is no automated way to do so, you are unlikely to get to this point.

If you need many accounts, the more practical idea is to create a "sensitive" AD group, add all the accounts there, and mark the group as sensitive; this will eventually propagate to all accounts automatically.


@CyberSecGuy

AATP will also automatically consider users to be sensitive who are members of specific groups, such as domain admins. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/sensitive-accounts

Thanks,

Gershon
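
The group-based approach suggested in the first reply can be scripted on the Active Directory side. The script below is an added example, not part of the original thread and not Microsoft's code; the group name, OU path and input file are assumptions, and marking the group as sensitive in Azure ATP remains the manual step the reply describes.

```powershell
# Added example: keep one AD security group in step with a reviewed account list.
# The group is then tagged as sensitive once, by hand, in the Azure ATP settings.
#Requires -Modules ActiveDirectory
param(
    [string]$GroupName = 'AATP-Sensitive-Accounts',                # hypothetical name
    [string]$GroupPath = 'OU=Security Groups,DC=example,DC=com',   # placeholder DN
    [string]$ListFile  = '.\sensitive-accounts.txt'                # one sAMAccountName per line
)

# Create the group only if it does not exist yet, so reruns are harmless.
$group = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $GroupPath -PassThru
    Write-Output "Created group $GroupName"
}

# Read the reviewed list: trim whitespace, skip blank lines and '#' comments.
$wanted = @(Get-Content -Path $ListFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch '^#' } |
    Sort-Object -Unique)

# Current direct members of the group.
$current = @(Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty SamAccountName)

# Add accounts that are on the list but not yet in the group.
foreach ($name in $wanted) {
    if ($current -contains $name) { continue }
    $user = Get-ADUser -Filter "SamAccountName -eq '$name'"
    if (-not $user) {
        Write-Warning "No such account in AD, skipped: $name"
        continue
    }
    Add-ADGroupMember -Identity $group -Members $user
    Write-Output "Added $name"
}

# Report members that are not on the list instead of removing them,
# so an unexpected member of a sensitive group gets a human review.
$current | Where-Object { $wanted -notcontains $_ } |
    ForEach-Object { Write-Warning "In group but not on the list: $_" }
```

Because membership in this group determines which accounts are treated as sensitive, restrict who can modify it and review the warnings the script emits on each run.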