Enforce compliance for Microsoft Defender ATP with Conditional Access in Intune

You can integrate Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization.

Microsoft Defender ATP works with devices that run Windows 10 or later, and with Android devices.

To be successful, you'll use the following configurations in concert:

  • Establish a service-to-service connection between Intune and Microsoft Defender ATP. This connection lets Microsoft Defender ATP collect data about machine risk from supported devices you manage with Intune.
  • Use a device configuration profile to onboard devices with Microsoft Defender ATP. You onboard devices to configure them to communicate with Microsoft Defender ATP and to provide data that helps assess their risk level.
  • Use a device compliance policy to set the level of risk you want to allow. Risk levels are reported by Microsoft Defender ATP. Devices that exceed the allowed risk level are identified as noncompliant.
  • Use a conditional access policy to block users from accessing corporate resources from devices that are noncompliant.
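The four configurations above, carried through against Microsoft Graph as an added example (PowerShell written for this page, not code from the original article or from Microsoft). It assumes the Microsoft.Graph.Authentication module (Invoke-MgGraphRequest), that the service-to-service connection and onboarding profile already exist, and two placeholder group IDs (a pilot group and a break-glass group); the compliance-policy property names are those this example's author has seen on Intune-exported Windows 10 policies and should be checked against a policy exported from your own tenant before you rely on them.

```powershell
# Added example, not from the original article. Creates an Intune compliance policy that
# marks Windows 10 devices as noncompliant when their Defender ATP machine risk score is
# above Medium, assigns it to a pilot group, and creates a Conditional Access policy that
# requires a compliant device. Assumes Microsoft.Graph.Authentication is installed and that
# the Intune/Defender ATP connection and onboarding profile are already in place.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$PilotGroupId      = "00000000-0000-0000-0000-000000000001"  # placeholder (assumption): pilot users
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000002"  # placeholder (assumption): emergency-access accounts
$graph = "https://graph.microsoft.com/v1.0"

# 1. Compliance policy. 'medium' allows Medium and below; 'low' is stricter; 'secured' demands no threats.
$compliancePolicy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "Defender ATP risk - Medium or lower"
    description                                 = "Noncompliant when the Defender ATP machine risk score exceeds Medium"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Graph rejects a policy created without a scheduled action; block with no grace period.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$created = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies" -Body $compliancePolicy

# Assign the policy to the pilot group (unassigned policies evaluate nothing).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $PilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" -Body $assignment

# 2. Conditional Access: require a compliant device for the pilot group on Windows and Android.
#    Report-only first, so sign-in logs show what would be blocked before enforcement; the
#    break-glass group is excluded so a tenant-wide 'High risk' event cannot lock out admins.
$caPolicy = @{
    displayName   = "Require compliant device (Defender ATP risk)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($PilotGroupId); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows", "android") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $caPolicy

# 3. Check: which managed devices are currently noncompliant (and when they last synced).
$uri = "$graph/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,operatingSystem,complianceState,lastSyncDateTime"
$nonCompliant = Invoke-MgGraphRequest -Method GET -Uri $uri
$nonCompliant.value | ForEach-Object { "{0}`t{1}`t{2}" -f $_.deviceName, $_.operatingSystem, $_.lastSyncDateTime }
```

Switch the Conditional Access policy to `enabled` only after the report-only sign-in logs show the expected devices being caught. A device that has not synced recently keeps its last reported state, so the `lastSyncDateTime` column is the first thing to look at when a device that Defender ATP rates High still shows as compliant.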

When you integrate Intune with Microsoft Defender ATP, you can take advantage of Microsoft Defender ATP's Threat & Vulnerability Management (TVM) and use Intune to remediate endpoint weaknesses identified by TVM.

Example of using Microsoft Defender ATP with Intune

The following example helps explain how these solutions work together to help protect your organization. For this example, Microsoft Defender ATP and Intune are already integrated.

Consider an event where someone sends a Word attachment with embedded malicious code to a user within your organization.

  • The user opens the attachment and enables the content.
  • A privilege-escalation attack starts, and an attacker on a remote machine gains admin rights on the victim's device.
  • The attacker then uses that foothold to remotely access the user's other devices. A breach like this can affect the entire organization.

Microsoft Defender ATP can help resolve security events like this scenario.

  • In our example, Microsoft Defender ATP detects that the device executed abnormal code, experienced a process privilege escalation, injected malicious code, and issued a suspicious remote shell.
  • Based on these actions from the device, Microsoft Defender ATP classifies the device as high-risk and includes a detailed report of suspicious activity in the Microsoft Defender Security Center portal.


Because you have an Intune device compliance policy that classifies devices with a Medium or High level of risk as noncompliant, the compromised device is marked noncompliant. That classification lets your conditional access policy take effect and block access from that device to your corporate resources.

For devices that run Android, you can use Intune policy to modify the configuration of Microsoft Defender ATP on Android. For more information, see Microsoft Defender ATP web protection.

Prerequisites

To use Microsoft Defender ATP with Intune, be sure you have the following configured, and ready for use:

  • Licensed tenant for Enterprise Mobility + Security E3 and Windows E5 (or Microsoft 365 Enterprise E5)
  • Microsoft Intune environment, with Intune-managed Windows 10 or Android devices that are also Azure AD joined
  • Microsoft Defender ATP and access to the Microsoft Defender Security Center (ATP portal)

Note

Microsoft Defender ATP is not supported with iOS/iPadOS and Android Intune app protection policies.
