Advanced Threat Analytics (ATA) to Microsoft Defender for Identity

This article describes how to migrate from an existing ATA installation to a Microsoft Defender for Identity sensor, and includes the following steps:

  • Review and confirm Defender for Identity service prerequisites
  • Document your existing ATA configuration
  • Plan your migration
  • Set up and configure your Defender for Identity service
  • Perform post-migration checks and verifications
  • Decommission ATA


This migration guide is designed for Defender for Identity sensors only, and not standalone sensors.

While you can migrate to Defender for Identity from any ATA version, your ATA data isn't migrated. Therefore, we recommend that you plan to retain your ATA Data Center and any alerts required for ongoing investigations until all ATA alerts are closed or remediated.


The final release of ATA is generally available. ATA ended Mainstream Support on January 12, 2021. Extended Support will continue until January 2026. For more information, read our blog.


To migrate from ATA to Defender for Identity, you must have an environment and domain controllers that meet Defender for Identity sensor requirements. For more information, see Microsoft Defender for Identity prerequisites.

Make sure that all the domain controllers you plan to use have sufficient internet access to the Defender for Identity service. For more information, see Configure endpoint proxy and internet connectivity settings.

Plan your migration

Before starting the migration, gather all of the following information:


Do not uninstall the ATA Center until all ATA Gateways are removed. Uninstalling the ATA Center with ATA Gateways still running leaves your organization exposed with no threat protection.

Move to Defender for Identity

Use the following steps to migrate to Defender for Identity:

  1. Create your new Defender for Identity workspace.

  2. Uninstall the ATA Lightweight Gateway on all domain controllers.

  3. Install the Defender for Identity Sensor on all domain controllers:

    1. Download the Defender for Identity sensor files and retrieve the access key.

    2. Install Defender for Identity sensors on your domain controllers.

  4. Configure the your Defender for Identity sensor.

After the migration is complete, allow two hours for the initial sync to be completed before moving on with validation tasks.

Validate your migration

In Microsoft 365 Defender, check the following areas to validate your migration:

Post-migration activities

After completing your migration to Defender for Identity, do the following to clean up your legacy ATA resources:

  1. Make sure that you've recorded or remediated all existing ATA alerts. Existing ATA security alerts aren't imported to Defender for Identity with the migration.

  2. Do one or both of the following:

    • Decommission the ATA Center. We recommend keeping ATA data online for a period of time.
    • Back up Mongo DB if you want to keep the ATA data indefinitely. For more information, see Backing up the ATA database.

After migrating to Defender for Identity, learn more about investigating alerts in Microsoft 365 Defender. For more information, see: