Two ATA feature requests - input?


Hello!

An ATA customer with 60 000 seats has two new feature requests for ATA. I’ve told them that while ATA is still officially supported, Azure ATP is where the focus is, and it may be challenging to get new features added to ATA, but it doesn’t hurt to ask.

They will formally submit a Design Change Request via their TAM/SDM, but I wanted to see if anyone here has valuable input before that.

One of their requirements is MFA for accessing the portal, which is not possible today (see discussion here). We see at least two ways for this:

  • Support in ATA for federated login (i.e., forcing MFA on the Identity Provider side)
  • Adding native support for MFA/smartcard in ATA Center

The other is Group Managed Service Accounts (gMSA).

Today, the ATA Gateway service can run with a gMSA (at least according to the release notes of v1.8, but not documented anywhere else). But they want the ATA Center service to also run with a gMSA.

Again, not really questions, more asking for feedback/input before they formally submit a formal Design Change Request.

/Tom

3 Replies

Hi @TomAafloen

gMSA is supported for running the gateway itself instead of local service (although the value of that is really low, so not sure why anyone will want to do that).

It is not supported instead of using the AD account in the config page (it is supported for AATP though!).

They are welcome to submit any feedback, but the chances of those happening for ATA at this point are very low.

 

I strongly advise them to check out AATP instead of ATA as it will give such a large customer much more value compared to ATA.

@Eli Ofek 

Yes, I have talked about AATP, but it's a licensing thing at the moment. It may be relevant in the future.

Can you clarify what is supported in AATP? Do you mean running the Azure ATP Sensor service with a gMSA, instead of adding a Directory Services user account in the AATP Configuration?

@TomAafloen The service is still running as a virtual service account (local service), but in the config page, where until recently you had to enter a username and password, you can now just enter a gMSA account without a password, so there is no need to manage this account any more with password replacements etc.
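The gMSA workflow Eli describes only works if the hosts that run the sensor are allowed to retrieve the managed password. The following is an added example (not from the thread or from the product's own documentation) of provisioning such an account with the ActiveDirectory PowerShell module; the domain name, group name, account name and host names are placeholders.

```powershell
# Added example: provision a gMSA whose password AD rotates automatically,
# readable only by the computer accounts that will run the sensor.
# Placeholders: corp.example, AATP-Sensor-Hosts, svc-aatp-gmsa, SENSOR01/SENSOR02.
Import-Module ActiveDirectory

# One-time forest prerequisite: a KDS root key. In production a new key only
# becomes usable after replication (about 10 hours), so plan this ahead.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Security group holding the sensor hosts' computer accounts. Granting the
# password-retrieval right to a group keeps the gMSA's ACL small and auditable.
$groupName = 'AATP-Sensor-Hosts'
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
$hosts = 'SENSOR01', 'SENSOR02' | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $groupName -Members $hosts

# The gMSA itself: no password to store or rotate by hand, AES-only Kerberos,
# and only $groupName may fetch the managed password.
New-ADServiceAccount -Name 'svc-aatp-gmsa' `
    -DNSHostName 'svc-aatp-gmsa.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $groupName `
    -KerberosEncryptionType AES128, AES256

# Run on each sensor host after its new group membership has taken effect
# (a reboot refreshes the computer's token). It should return True before you
# enter the account name in the configuration page.
Test-ADServiceAccount -Identity 'svc-aatp-gmsa'
```

If Test-ADServiceAccount returns False on a host, check the host's group membership and KDS key replication before suspecting the portal configuration.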