Sep 24 2018 10:13 AM
Do you need to have Global Admin/Security Admin credentials during the ATP sensor install or just the key? Want to use the minimum needed.
Workspace creation created these groups:
Azure ATP <Workspace Name> Administrators
Azure ATP <Workspace Name> Owners
Azure ATP <Workspace Name> Readers
Thanks
Sep 24 2018 12:46 PM
You need just the key to be able to connect to the service.
For the installation itself, you need to have privileges on the local machine to install the sensor.
Apr 13 2020 09:29 AM
With all that ATP is gathering and doing on each DC, is it true that no user associated with ATP running needs privileges? A standard user would not be able to see the network traffic, read the security logs, or be able to run the agent on the DC. Could you explain the different user accounts (if more than one) that are used with ATP and what the minimum level of privilege for each is? Thanks!
Apr 13 2020 03:11 PM
You need at least one directory service account with read access to all objects in the monitored domain. This account can be a standard AD user or a Group Managed Service Account. You configure this within the AATP portal.
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#before-you-start
As Eli mentioned for the sensor, you just need privileges on the local machine to install the sensor. There is no second account needed to collect data with the sensor.
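Provisioning that directory service account as a Group Managed Service Account, shown here as an added example (not posted by anyone in this thread and not Microsoft's own script); the gMSA name, the DC computer accounts and the encryption type are assumptions, and the account is deliberately left with only default domain read access:

```powershell
# Added example: create the Azure ATP directory service account as a gMSA.
# Assumed names: gMSA 'mdiSvc01', sensor hosts DC01 and DC02.
# Run on a domain controller or a host with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$GmsaName    = 'mdiSvc01'            # assumed gMSA name
$Domain      = (Get-ADDomain).DNSRoot
$SensorHosts = @('DC01$', 'DC02$')   # assumed DC computer accounts running the sensor

# A KDS root key must exist once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still waits ~10 hours for replication before use.
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# Create the gMSA; only the listed sensor hosts may retrieve its password.
# No group membership is added: an ordinary domain account already has read
# access to directory objects, which is all the sensor's LDAP queries need.
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName "$GmsaName.$Domain" `
        -PrincipalsAllowedToRetrieveManagedPassword $SensorHosts `
        -KerberosEncryptionType AES256
}

# Least-privilege check: warn if someone later adds the account to an admin group.
$gmsaDn     = (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'").DistinguishedName
$privileged = Get-ADPrincipalGroupMembership -Identity $gmsaDn |
    Where-Object { $_.Name -in 'Domain Admins', 'Enterprise Admins', 'Administrators' }
if ($privileged) {
    Write-Warning "$GmsaName is over-privileged: $($privileged.Name -join ', ')"
}

# On each sensor host, after 'Install-ADServiceAccount mdiSvc01', confirm the
# host can retrieve the managed password:
#   Test-ADServiceAccount -Identity mdiSvc01   # expected: True
```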
Apr 23 2020 01:14 AM
@derekmelber , The sensor has a few components, each running under a different account.
The sensor updater service is running as local system, thus has permissions to do a lot...
The sensor itself is running as a local service virtual account created during deployment, and since the deployment is running as admin, it gives it the permissions it needs locally to access the security log, read traffic etc.
The domain credentials you are adding in the console UI are for outside authentications, like running remote LDAP queries, SAMR authentication to endpoints for lateral movement etc., so a low-privileged account for this purpose is enough.