End of mainstream support for Advanced Threat Analytics January 2021

Published Jul 22 2020 12:57 PM 71.8K Views

A single compromised user or malicious insider can compromise an entire organization – which is why we’re always looking for the best way to protect identity environments.

Since its release in 2015, Microsoft Advanced Threat Analytics (ATA) has protected organizations from identity-based attacks in on-premises environments, receiving multiple updates that introduced new functionality and improvements to existing features.

As the nature and requirements of security changed, so did the frequency and severity of cyber-attacks. We saw a dramatic increase in the sophistication and velocity of attacks and realized that the current IT security tools provided were limited in the protection they could offer to on-premises environments.

To help customers combat these attacks, in March 2018 we introduced Azure Advanced Threat Protection (Azure ATP), which shifted to a lightweight sensor connected to cloud service model. This allows us to rapidly update detections and provide customers with an easier deployment path.

We are now reaching the end of mainstream support for ATA and are guiding our customers to shift to Azure ATP as their on-premises identity threat protection solution.

Our commitment to security means we will continue to provide critical security updates affecting ATA, with Extended Support continuing until January 2026. Mainstream support ends on January 12, 2021. The final update in mainstream support will be ATA v1.9.3. We will communicate further details about this release in the coming weeks.

To help you get started, we have compiled some information and resources:

Preventing threats – Assess your security posture through full visibility into on-premises Active Directory configuration, users, and service accounts that could become compromised due to security misconfigurations or failure to follow best practices. Identity Security Posture assessments powered by Azure ATP alert you to known bad practices within your environment, like dormant accounts within sensitive groups or risky lateral movement paths. This proactivity ensures you are remediating potentially harmful configurations before they become an additional attack vector.

Detecting threats – Detect on-premises, advanced attacks in real time, leveraging unique approaches to Network Traffic Analytics & User and Entity Behavior Analytics, as well as entity enrichments such as device name resolution, event log inspection, and Event Tracing for Windows events. Azure ATP detections can identify attackers’ activities through the kill chain — starting with network and user mapping (reconnaissance) and continuing with attempts to compromise identities and move laterally inside the organization to gain domain dominance. Potential threats are grouped together using cloud-powered analytics.

Investigating threats – Review alerts and user activities to understand the attack methods and potential damage. Additionally, you can hunt through user activities and define custom alerts based on user events. And, with Azure ATP’s Investigation Priority Score, you can pinpoint the riskiest users to investigate, based on their alerts and suspicious activities.

Remediating threats – Azure ATP’s integration with other products in Microsoft’s security portfolio helps you mitigate the impact of compromised users by raising a user’s AAD User Risk level and enforcing organizational risk policies such as blocking access—or allowing access, but requiring a password change using Azure AD self-service password reset.

We also know that the real test of any security solution is real-world results. Recently we submitted Azure ATP for MITRE ATT&CK APT 29 evaluation. MITRE evaluates cybersecurity products using an open methodology based on the ATT&CK knowledge base. The latest evaluation centered around a nation-state threat actor Advanced Persistent Threat (APT) 29. Azure ATP detected account compromise at the domain level, lateral movement, and the more sophisticated pass-the-ticket (Golden Ticket) attack. Check out this blog for more details on how Azure ATP performed in the evaluation.

Acknowledgement from independent experts like MITRE is a great milestone for Azure ATP, but we also have large customers who rely on it to help protect their environments. Ansell, a global personal protective equipment leader, made the move from ATA to Azure ATP and is pleased with their new, enhanced capabilities:


George Michalitsianos, Senior Director of IT Security and Infrastructure at Ansell, states “We valued Advanced Threat Analytics for the ability to recognize and even help proactively stop an attack, and now that we have the same capability in Azure ATP, we’re in an even better position. We can use new features and capabilities as soon as they’re delivered.”

Find out more about Ansell’s cloud security journey here.

So what do we recommend you do right now? The best way to experience all that Azure ATP has to offer is to try it for yourself. Resources to assist in migrating can be found here. And, for personalized help with the transition, contact us at atahelp@microsoft.com.


Is there anything more you can share on this?


Biggest concern for me is that customers who have EM+S E3 licencing are losing a major tool in their toolbox, unless they uplift to E5 to take advantage of Azure ATP.

Frequent Contributor

This is definitely a backward step from a security point of view. Very few organisations have the budget for M365 E5.



Occasional Contributor

Okay, so Advanced Threat Protection will be useless, as nearly nobody can afford EMS E5. Why was for ATA E3 sufficient?


Seems the Microsoft way to go: kill product to introduce another one with similar features but a nice heavy price lift included.


We will definitely look for other vendors. 

New Contributor

Very disappointed to learn this isn't included in EM+S E3 anymore.


New Contributor

@BramV It is included. Contact M365 support for the license key and Azure Support for the ISO download.


Anyway, we have a lot of customers on M365 E3 which includes EMS E3 and there is no replacement for ATA in their case without paying a lot more for E5.

New Contributor

@VladV30 Yes i know, I was talking about the replacement of ATA of course.

New Contributor

@VladV30 - Could you share the path or the way you have contacted them?




New Contributor

@Daniel Manta I contacted them using the M365 Admin center and from the Azure Console.

Regular Visitor

@Ricky Simpson Does this mean organizations will have to purchase E5 to get access to the ATA replacement (Azure ATP)? Or will the current minimum license for ATA (E3 + Mobility) allows access to Azure ATP? 

New Contributor

@1357924680 I, for one, am hopeful, but it's unlikely.

Regular Visitor

@VladV30 I agree, but I'm going to give MS the benefit of the doubt here to make the right call and keep ATA/Azure-ATP functionality within reach of orgs via E3 + EMS. Moving it to E5 would hurt a lot of organizations who rely on this tool but can't afford E5, and it would seriously undermine Microsofts commitment to helping it's customers secure their environments. 

Occasional Visitor


Occasional Contributor

What a great way to kill a great on-prem tool with cloud based licensing, thanks M$FT.

Frequent Visitor

That was a miss, MS. Azure ATA should replace ATA in currently plans.

Occasional Contributor

EOL and offer an alternative product within a needed license upgrade. **bleep** MS... it’s a joke

Occasional Visitor

I try

Occasional Visitor

Well that's not optimal. We have a strictly offline environment so any product that moves to the cloud is lost for us. 


Suggestions anyone?



Oh, we are offline because of legal requirements, going online anyway are likely to cause loss of job & reputation, fines and maybe even a prison sentence(Capital punishment is abolished here though, no worries there)

Occasional Contributor

And EMS E3 price will be increased this sommer :ok_hand:

New Contributor

Understood that the replacement product is not the original product, but the subscription that includes ATA hasn't gone down in cost to reflect the retiring of ATA, so it feels like you're paying for the original ATA and the new product.

New Contributor

Can someone answer, I can still see ATA under EMS3 when it was moving to E5 https://www.microsoft.com/en-in/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing 

Occasional Visitor

هلا هلا هلا

Version history
Last update:
‎May 11 2021 03:14 PM
Updated by:
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE