»Whats the difference?

There are 3 different products that Microsoft offer that revolve around the name ATP.

  1. Office 365 Advanced Threat Protection
  2. Microsoft Defender Advanced Threat Protection
  3. Azure Advanced Threat Protection But whats the difference? What do you use when?

»Office 365 ATP.

If your looking for email messaging protection then this may be for you. Depending on the licensing you have access to Safe Attachments, Safe Links, Anti-phishing policies, Real-Time Reports, Threat Trackers, Automated Incident response and more! I see Office 365 ATP being a tool to protect your Exchange or mail environment using the above features.

Office 365 ATP is available inside the portal and is used to protect emails and data contained within Office 365, these include: OneDrive for Business, Teams and SharePoint Online.

Part of this product is the Safe Links which protects your users from malicious URL’s and web links within emails or documents. Making URL’s safe works by referencing malicious links against a database full of known malicious links. If a link in an email or document matches any of the URL’s in this database then it will block the user from visiting this site.

Another part of this product is Safe Attachments, this works by using machine learning and a database full of signatures of files that have gone through a Microsoft detonation chamber that opens up the malicious attachment in a separate windows VM to understand the effect this has on the system. Safe Attachments will block the users access to this file if it suspects suspicious activity.


Licensing for Office 365 ATP is included as standard in Office 365 E5, Office 365 Education A5 and Microsoft 365 Business.

Its also available as addon license to the below SKUS.

  • Exchange Online Plan 1
  • Exchange Online Plan 2
  • Exchange Online Kiosk
  • Exchange Online Protection
  • Office 365 Business Essentials
  • Office 365 Business Premium
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Office 365 Enterprise F1
  • Office 365 A1
  • Office 365 A3

»Microsoft Defender ATP.

Microsoft Defender ATP which was previously known as Windows Defender ATP is a technology that protects your windows endpoints, specifically Laptops/Desktops and Windows Servers.

For any Windows OS besides Windows 10 Microsoft Defender would need to be installed via an agent on the machine whereas Windows 10 has it pre-installed and only needs to be activated via policy.

Microsoft want to provide a product set that will help you protect, detect and respond to threat inside your Windows environments. They do this with a combination of technologies both built into Windows 10 and available on their cloud service.

This list has been taken from the Microsoft Docs website and more information can be found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection


Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:

  • Windows 10 Enterprise E5
  • Windows 10 Education A5
  • Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
  • Microsoft 365 A5 (M365 A5)

»Azure ATP.

Azure ATP is a mainly cloud based technology that is positioned to protecting identities within your 365 environment.

It does this by monitoring and analyzing users activities and information across your network and creates expected behaviors for them. Once it has these “usually after 14 days of running” it can pick out anomalies in activity using machine learning AI and can reveal compromised users, advanced threats and even internal knowledge leaks inside your company.

You can access this information via portals inside of your 365 tenant but Azure ATP has been developed to reduce the general alert noise across your tenant and only show you relevant information. This can be seen inside the ATP attack timeline view.

Azure ATP also has seamless integration with the technologies mentioned above especially MDATP.


You can acquire a license directly from the Microsoft 365 portal or through the Cloud Solution Partner (CSP) licensing model.

  • Azure ATP is available as part of Enterprise Mobility + Security 5 suite (EMS E5), and as a standalone license.


I’m not to sure how to bring this post all together. I’ve written this post to bring light to the fact that there are 3 different ATP’s currently inside of Microsoft 365 which all relate to security. So when you’re talking about this with customers or other parts of your business please make sure you’re on the same page and talking about the same technologies to cut down confusion. HOPEFULLY this post helps.