From 29875f2a3241909c831a82d387d1ede6a39d7d36 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 10 Jul 2019 21:27:16 -0400 Subject: [PATCH] WIP - Documenting how to integrate MDATP with Intune (#633) * first draft * small copy edits * fixed link syntax * updated with more info on conditional access * add links and roles * link update * product name update --- .../microsoft-defender-atp/advanced-features.md | 16 +++++++++++++--- .../configure-conditional-access.md | 16 +++++++++++----- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 22f1392737..edf9758501 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -138,12 +138,22 @@ Turning this setting on forwards signals to Azure Information Protection, giving ## Microsoft Intune connection -This feature is only available if you have an active Microsoft Intune (Intune) license. +Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement. -When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement. +>[!IMPORTANT] +>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md). + +This feature is only available if you have the following: + +- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) +- An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/). + +### Conditional Access policy + +When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted. >[!NOTE] ->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. +> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. 
## Preview features diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index e1ba0b2aff..76fe3c070d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -1,7 +1,7 @@ --- title: Configure Conditional Access in Microsoft Defender ATP -description: -keywords: +description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access +keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/03/2018 --- # Configure Conditional Access in Microsoft Defender ATP @@ -29,17 +28,24 @@ This section guides you through all the steps you need to take to properly imple >It's important to note that Azure AD registered devices is not supported in this scenario.
>Only Intune enrolled devices are supported. + You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) -- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) -- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). +- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device) +- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan). There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal. +It's important to note the required roles to access these portals and implement Conditional access: +- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration. +- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions. +- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator. + + > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
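Review bot: In the first hunk (advanced-features.md), the new note under `### Conditional Access policy` describes modern Conditional Access policies as "used for configuring endpoints", which sits awkwardly next to the paragraph above it that frames the integration as "device risk-based conditional access", i.e. access control rather than endpoint configuration; consider rewording the contrast to what actually distinguishes the classic policy (created automatically by Intune, required for status reports, must not be deleted) from the Azure AD policies an admin authors. Minor points in the same hunk: the two prerequisite bullets are punctuated inconsistently (the second ends with a period, the first does not), and the two new links end in trailing slashes (`concept-azure-ad-join/`, `conditional-access/overview/`) unlike the other docs links in the patch.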
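Review bot: In the front-matter hunk of configure-conditional-access.md (`@@ -1,7 +1,7 @@`), the new `description:` value uses "Conditional access" (lowercase a) while the `title:` line directly above uses "Conditional Access", and the roles paragraph added later in this patch also uses "Conditional access"; pick one capitalization for the feature name and apply it across the file. The description also lacks terminal punctuation, unlike the title-cased heading it summarizes.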
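Review bot: In the `@@ -15,7 +15,6 @@` hunk, `ms.date: 09/03/2018` is removed outright rather than updated; if the field is meant to record the last revision of the article, set it to the date of this change instead of dropping the line, since the body content is being substantially rewritten in the same patch.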
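Review bot: In the last hunk (`@@ -29,17 +28,24 @@`), the rewritten End-user bullet has a malformed link: `[Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)` is missing the opening parenthesis after `]`, so it will render as literal text rather than a link. The new roles list also starts immediately after the sentence "It's important to note the required roles to access these portals and implement Conditional access:" with no blank line before the first `- **Microsoft Defender Security Center**` item, which some Markdown renderers fold into the preceding paragraph; add a blank line there, and drop one of the two blank lines now preceding `> [!NOTE]`. While touching this block, the unchanged context line "how to enabling auto-enrollment" could be corrected to "how to enable auto-enrollment".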