Steve: Hey everybody. Welcome back to 3in3. This episode is all about Advanced Threat Protection(ATP): Lessons Learned. So, let’s jump right in.


With me, I’ve got Charlie Smith. He’s a Senior Consultant on our Digital Workplace team. So, Charlie, since this is about lessons learned, we’ve done a lot with ATP, probably the first question would be what is the biggest lesson learned around ATP?


Charlie: Sure, yeah, anytime we’ve implemented Office ATP, what I typically need to do is level-set with the team on how it actually works because they’re used to another technology and they have a really good foundation for how that works. Office ATP works a little bit different and there are things where I go review in an environment and I kind of cringe a little bit. So we step through:

  • What it means when Office ATP inspects an email?
  • How [Office ATP] inspects [emails]?
  • At what point [Office ATP] scores the email?
  • What does [Office ATP] does with [the scored email]?

So, starting with that foundation really helps better secure your own environment when it comes to implementing Office ATP.


Steve: Excellent. So the lesson learned, to summarize, would be: don’t assume it’s exactly like all the other tools out there. In many ways, it’s more advanced. In other ways, there may be some things that are a little bit different. So, let’s start with that foundational learning exercise.


Alright. Excellent. So, the second question then would be Charlie, what’s another major lesson learned that you’d like to share?


Charlie: So, typically when I engage with a customer and we implement Office ATP, we get everything exactly the way we want it, as far as the policies that are working. The product is always evolving. What we set [up] today, six months from now - or even sooner- they’ve released brand new features. One example would be in Office ATP, there are safe links. So, we’re protecting malicious URLs. Well, that has been extended to Teams now and that’s a brand-new feature. So, that wasn’t available for some customers when they implemented it


So, the takeaway is we have to go back in and review the policies and look at what’s new with the product and see how that would impact you. So, the product itself is always evolving and it’s always getting better. So, the takeaway is to go back and look at what you have today and see what new things we can implement.


Steve: Excellent. So, set it up, obviously to the way you need it, but then also, setup a process by which you continually evaluate and assess over time.


Excellent. So, we’ve got two big lessons learned. The third question would be what should our viewers do about ATP and our lessons learned right now?

Charlie: So, Microsoft released this really great tool called Orca. It’s an Office 365 ATP configuration analyzer and a powerful command. [Once ran] it does a quick assessment against all the policies you have today and then it says, okay, here’s what you have, but here’s our recommendation. It spits it out into this beautiful report. It tells you why they recommend it.


So, let’s say that your given treatment around, let’s say Spam. And maybe you’re doing a threshold of six or so. This tool will come out and say this policy is set here, we recommend it to be a little more aggressive and here’s why. So, that’s what I would recommend for customers today. That’s the first thing that I always run in every organization to see where we’re at.


Steve: Excellent. Well thanks for that. This has been great. Obviously, we’ve done a lot of work with ATP. We’ve got more lessons learned than that, but those are two big ones. Plus, we have a call to action to run that Orca report.


So, if you want more information, as always, reach out to us at and click on that connect button at the top and let us know. Thanks a lot Charlie. We really appreciate it, and we’ll see everybody next time.