Hybrid Deployment and Azure ATP


We have a hybrid deployment in which all users are synced to Azure AD from on-prem AD and all workstations are Azure AD connected. The users use their UPN from on-premise AD and get authentication federated to ADFS.

Is deploying Azure ATP still beneficial in this scenario, given that it only monitors the on-premise Active Directory? As the users will be using Azure AD as their main workspace, I am not sure if we can make use of any features of Azure ATP. Can someone please provide some insight?

5 Replies

Hi Dergin,

Yes, if you have a domain controller, you can benefit from Azure ATP!

Also, Azure ATP is part of the Microsoft security stack that can provide you with cross-solution detections and investigation, so having this kind of solution is a must-have for hybrid environments.


Hi,

Thanks for the reply. What I am really after, and I accept that it is beneficial for the on-prem AD, is whether it will really provide any insight for the user base that is joined to Azure AD.

The users will always be using Azure AD connected workstations with synchronised accounts, so the only time they will have any involvement with on-premise Active Directory is when they do the initial logon to workstations and authenticate through ADFS federated authentication. So I am not sure they will have any interaction with on-prem Active Directory to be able to make use of the Azure ATP security events etc., as ATP will only monitor and report against the on-premise AD.


Ask yourself:

  • Although your users are synced, can someone compromise one of them to go after a more privileged one or access confidential resources internally?
  • Is there internal user behavior that I wish to monitor?
  • Do I want to augment what Azure AD Identity Protection finds, or WDATP, or MCAS, etc.?
  • Do I have VPN servers that I need to monitor for abnormal user access?
  • Could my on-premise identity infrastructure be used against me?

If you answered yes to any, then you probably need Azure ATP...


Ok, I see where you are coming from. I guess it is beneficial from a holistic perspective, complementary to the other toolsets, to give a complete view of the threat and security landscape.

Thank you


Hi,

When working in a hybrid AD, security needs to be addressed both in the local environment and in the cloud environment, especially when there are local Active Directory servers. The purpose of Azure ATP is to address security and protection issues from attacks such as Pass the Hash, DCSync and so on.

In addition, Azure ATP and Azure AD Identity Protection have recently been integrated, so the combination of cloud and local environments with a unified layer of protection from one interface is very important today.
https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Secure-your-hybrid-cloud-environ...

Note: Currently Azure ATP can integrate with other security layers such as Office 365 ATP and Windows Defender ATP, and Azure AD will get more integration.

I recommend reviewing the following article: https://www.eshlomo.us/azure-atp-first-impressions/

Eli.