Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune
You can integrate Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Intune as a Mobile Threat Defense solution, to help prevent security breaches and limit the impact of breaches within an organization. Microsoft Defender ATP works with devices that run Windows 10 or later.
To be successful, you use the following configurations in concert:
- Establish a service-to-service connection between Intune and Microsoft Defender ATP. This connection lets Microsoft Defender ATP collect data about machine risk from Windows 10 devices you manage with Intune.
- Use a device configuration profile to onboard devices with Microsoft Defender ATP. You onboard devices to configure them to communicate with Microsoft Defender ATP and to provide data that helps assess their risk level.
- Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender ATP. Devices that exceed the allowed risk level are identified as non-compliant.
- Use a conditional access policy to block users from accessing corporate resources from devices that are non-compliant.
In addition, when you integrate Intune with Microsoft Defender ATP, you can take advantage of ATP's Threat & Vulnerability Management (TVM) and use Intune to remediate endpoint weaknesses identified by TVM.
Example of using Microsoft Defender ATP with Intune
The following example helps explain how these solutions work together to help protect your organization. For this example, Microsoft Defender ATP and Intune are already integrated.
Consider an event where someone sends a Word attachment with embedded malicious code to a user within your organization.
- The user opens the attachment, and enables the content.
- An elevation-of-privilege attack starts, and an attacker on a remote machine gains admin rights on the victim's device.
- The attacker then remotely accesses the user's other devices. This security breach can impact the entire organization.
Microsoft Defender ATP can help resolve security events like this scenario.
- In our example, Microsoft Defender ATP detects that the device executed abnormal code, experienced a process privilege escalation, injected malicious code, and issued a suspicious remote shell.
- Based on these actions from the device, Microsoft Defender ATP classifies the device as high-risk and includes a detailed report of suspicious activity in the Microsoft Defender Security Center portal.
Because you have an Intune device compliance policy to classify devices with a Medium or High level of risk as non-compliant, the compromised device is classified as non-compliant. This classification allows your conditional access policy to kick in and block access from that device to your corporate resources.
To use Microsoft Defender ATP with Intune, be sure you have the following configured, and ready for use:
- Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5)
- Microsoft Intune environment, with Intune managed Windows 10 devices that are also Azure AD joined
- Microsoft Defender ATP and access to the Microsoft Defender Security Center (ATP portal)
Enable Microsoft Defender ATP in Intune
The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender ATP. This requires administrative access to both the Microsoft Defender Security Center, and to Intune.
To enable Defender ATP
Sign in to Intune.
Select Device compliance > Microsoft Defender ATP, and then below Connector Settings, select Open the Microsoft Defender Security Center.
In Microsoft Defender Security Center:
Select Settings > Advanced features.
For Microsoft Intune connection, choose On.
Select Save preferences.
Go back to Intune, Device compliance > Microsoft Defender ATP. Set Connect Windows devices version 10.0.15063 and above to Microsoft Defender ATP to On.
You typically do this task once. After you've enabled Microsoft Defender ATP for your Intune tenant, you don't need to do it again.
When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Azure Active Directory. Each MTD app you integrate, including Defender ATP or any of our additional MTD partners, creates a new classic conditional access policy. These policies can be ignored, but should not be edited, deleted, or disabled.
Classic conditional access policies for MTD apps:
- Are used by Intune MTD to require that devices are registered in Azure AD so that they have a device ID before communicating to MTD partners. The ID is required so that devices can successfully report their status to Intune.
- Have no effect on any other Cloud apps or Resources.
- Are distinct from conditional access policies you might create to help manage MTD.
- By default, don’t interact with other conditional access policies you use for evaluation.
To view classic conditional access policies, in Azure, go to Azure Active Directory > Conditional Access > Classic policies.
Onboard devices by using a configuration profile
After you establish the service-to-service connection between Intune and Microsoft Defender ATP, you onboard your Intune managed devices to ATP so that data about their risk level can be collected and used. To onboard devices, you use a device configuration profile for Microsoft Defender ATP.
When you established the connection to Microsoft Defender ATP, Intune received a Microsoft Defender ATP onboarding configuration package from Microsoft Defender ATP. This package is deployed to devices with the device configuration profile. The configuration package configures devices to communicate with Microsoft Defender ATP services to scan files, detect threats, and report the risk to Microsoft Defender ATP.
After you onboard a device using the configuration package, you don't need to do it again. You can also onboard devices using Group Policy or System Center Configuration Manager (SCCM).
Create the device configuration profile
Sign in to Intune.
Select Device Configuration > Profiles > Create profile.
Enter a Name and Description.
For Platform, select Windows 10 and later.
For Profile type, select Microsoft Defender ATP (Windows 10 Desktop).
Configure the settings:
Microsoft Defender ATP client configuration package type: Select Onboard to add the configuration package to the profile. Select Offboard to remove the configuration package from the profile.
If you've properly established a connection with Microsoft Defender ATP, Intune will automatically Onboard the configuration profile for you, and the Microsoft Defender ATP client configuration package type setting will not be available.
Sample sharing for all files: Enable allows samples to be collected, and shared with Microsoft Defender ATP. For example, if you see a suspicious file, you can submit it to Microsoft Defender ATP for deep analysis. Not configured doesn't share any samples to Microsoft Defender ATP.
Expedite telemetry reporting frequency: For devices that are at high risk, Enable this setting so it reports telemetry to the Microsoft Defender ATP service more frequently.
The article Onboard Windows 10 machines using System Center Configuration Manager has more details on these Microsoft Defender ATP settings.
Select OK, and Create to save your changes, which creates the profile.
Assign the device configuration profile to devices you want to assess with Microsoft Defender ATP.
Create and assign the compliance policy
The compliance policy determines the level of risk that you consider as acceptable for a device.
Create the compliance policy
Sign in to Intune.
Select Device compliance > Policies > Create policy.
Enter a Name and Description.
In Platform, select Windows 10 and later.
In the Microsoft Defender ATP settings, set Require the device to be at or under the machine risk score to your preferred level.
Threat level classifications are determined by Microsoft Defender ATP.
- Clear: This level is the most secure. The device can't have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant. (Microsoft Defender ATP uses the value Secure.)
- Low: The device is compliant if only low-level threats exist. Devices with medium or high threat levels aren't compliant.
- Medium: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
- High: This level is the least secure and allows all threat levels. So devices with high, medium, or low threat levels are considered compliant.
Select OK, and Create to save your changes (and create the policy).
Assign the device compliance policy to applicable groups.
Create a Conditional Access policy
The Conditional Access policy blocks access to resources for devices that exceed the threat level you set in your compliance policy. You can block access from the device to corporate resources, such as SharePoint or Exchange Online.
Conditional Access is an Azure Active Directory (Azure AD) technology. The Conditional Access node accessed from Intune is the same node as accessed from Azure AD.
Sign in to Intune and select Conditional Access > New policy.
Enter a policy Name, and select Users and groups. Use the Include or Exclude options to add your groups for the policy, and select Done.
Select Cloud apps, and choose which apps to protect. For example, choose Select apps, and select Office 365 SharePoint Online and Office 365 Exchange Online.
Select Done to save your changes.
Select Conditions > Client apps to apply the policy to apps and browsers. For example, select Yes, and then enable Browser and Mobile apps and desktop clients.
Select Done to save your changes.
Select Grant to apply Conditional Access based on device compliance. For example, select Grant access > Require device to be marked as compliant.
Choose Select to save your changes.
Select Enable policy, and then Create to save your changes.
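To make the two decisions described above concrete (the compliance policy's "at or under the machine risk score" comparison, and the Conditional Access "Require device to be marked as compliant" grant), here is an added Python model. It is example code written for this article, not Intune's, Azure AD's or Defender ATP's own implementation. The device names, risk reports, user-facing app names and all class and function names are constructed for the example; the ordering of the risk levels and the Clear/Secure naming follow the descriptions on this page.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class RiskLevel(IntEnum):
    """Machine risk levels, ordered from least to most risky.

    The ordering is what makes the compliance policy's
    "at or under the machine risk score" comparison work.
    """
    CLEAR = 0   # Intune calls this "Clear"; Defender ATP reports it as "Secure"
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The Intune label ("Clear") and the Defender ATP label ("Secure")
# name the same level, so both normalize to RiskLevel.CLEAR.
_LABELS = {
    "clear": RiskLevel.CLEAR,
    "secure": RiskLevel.CLEAR,
    "low": RiskLevel.LOW,
    "medium": RiskLevel.MEDIUM,
    "high": RiskLevel.HIGH,
}


def parse_risk_level(label: str) -> RiskLevel:
    """Normalize a reported risk label; an unknown label is an error, never a pass."""
    try:
        return _LABELS[label.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown machine risk level: {label!r}") from None


@dataclass(frozen=True)
class CompliancePolicy:
    """Models 'Require the device to be at or under the machine risk score'."""
    max_allowed_risk: RiskLevel


def is_compliant(policy: CompliancePolicy, reported_level: str) -> bool:
    """A device is compliant only if its reported risk is at or under the allowed level."""
    return parse_risk_level(reported_level) <= policy.max_allowed_risk


def evaluate_devices(policy: CompliancePolicy, risk_reports: dict[str, str]) -> dict[str, str]:
    """Classify each device as 'compliant' or 'noncompliant' from its reported risk."""
    return {
        device: ("compliant" if is_compliant(policy, level) else "noncompliant")
        for device, level in risk_reports.items()
    }


@dataclass(frozen=True)
class ConditionalAccessPolicy:
    """Models the Cloud apps scope plus the 'Require device to be marked as compliant' grant."""
    protected_apps: frozenset[str]
    require_compliant_device: bool = True


def evaluate_sign_in(ca_policy: ConditionalAccessPolicy, compliance_policy: CompliancePolicy,
                     device_risk: str, app: str) -> str:
    """Return the access decision for one sign-in from a managed device.

    Apps outside the policy's Cloud apps scope are not evaluated by this policy
    at all, which is why the scope should cover every app you need to protect.
    """
    if app not in ca_policy.protected_apps:
        return "not evaluated"
    if ca_policy.require_compliant_device and not is_compliant(compliance_policy, device_risk):
        return "block"
    return "grant"


# Constructed sample data. The article's example policy treats Medium and High
# as noncompliant, which means the allowed level is Low.
COMPLIANCE = CompliancePolicy(max_allowed_risk=RiskLevel.LOW)
CA_POLICY = ConditionalAccessPolicy(
    protected_apps=frozenset({"Office 365 SharePoint Online", "Office 365 Exchange Online"})
)
SAMPLE_RISK_REPORTS = {          # constructed: device -> level as Defender ATP would report it
    "LAPTOP-01": "Secure",
    "LAPTOP-02": "Low",
    "LAPTOP-03": "Medium",
    "LAPTOP-04": "High",         # the compromised device from the article's scenario
}


if __name__ == "__main__":
    for device, state in evaluate_devices(COMPLIANCE, SAMPLE_RISK_REPORTS).items():
        print(f"{device}: {state}")
    decision = evaluate_sign_in(CA_POLICY, COMPLIANCE, SAMPLE_RISK_REPORTS["LAPTOP-04"],
                                "Office 365 SharePoint Online")
    print(f"LAPTOP-04 -> Office 365 SharePoint Online: {decision}")
```

Running the block with the constructed data marks LAPTOP-01 and LAPTOP-02 compliant, LAPTOP-03 and LAPTOP-04 noncompliant, and blocks LAPTOP-04's sign-in to SharePoint Online. Two design points are deliberate: an unrecognized risk label raises instead of defaulting to compliant, and a sign-in to an app outside the Cloud apps scope returns "not evaluated" rather than "grant", to keep the difference between "allowed by policy" and "never checked by this policy" visible.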
Monitor device compliance
Next, monitor the state of devices that have the Microsoft Defender ATP compliance policy.
- Sign in to Intune.
- Select Device compliance > Policy compliance.
- Find your Microsoft Defender ATP policy in the list, and see which devices are compliant or noncompliant.
View onboarding status
To view the onboarding status of all Intune-managed Windows 10 devices, you can go to Device compliance > Microsoft Defender ATP. From this page, you can also initiate the creation of a device configuration profile for onboarding more devices to Microsoft Defender ATP.
Use security tasks with ATP's Vulnerability Management to remediate issues on devices.
Get started with device compliance policies