WIP - Documenting how to integrate MDATP with Intune (#633)

* first draft * small copy edits * fixed link syntax * updated with more info on conditional access * add links and roles * link update * product name update
2025-06-19 12:23:37 +00:00 · 2019-07-10 21:27:16 -04:00
parent 5b263d8bba
commit 29875f2a32
2 changed files with 24 additions and 8 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@ -138,12 +138,22 @@ Turning this setting on forwards signals to Azure Information Protection, giving
 ## Microsoft Intune connection
-This feature is only available if you have an active Microsoft Intune (Intune) license.
+Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
-When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
+>[!IMPORTANT]
 >You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
 This feature is only available if you have the following:
 - A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
 - An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/).
 ### Conditional Access policy
 When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
 >[!NOTE]
->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
+> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
 ## Preview features
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
@ -1,7 +1,7 @@
 ---
 title: Configure Conditional Access in Microsoft Defender ATP
-description: 
+description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
-keywords: 
+keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ms.date: 09/03/2018
 ---
 # Configure Conditional Access in Microsoft Defender ATP
@ -29,17 +28,24 @@ This section guides you through all the steps you need to take to properly imple
 >It's important to note that Azure AD registered devices is not supported in this scenario.</br>
 >Only Intune enrolled devices are supported.
 You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
 - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
+- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
+- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).
 There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
 It's important to note the required roles to access these portals and implement Conditional access:
 - **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
 - **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions. 
 - **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
 > [!NOTE]
 > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.