WIP - Documenting how to integrate MDATP with Intune (#633)

* first draft

* small copy edits

* fixed link syntax

* updated with more info on conditional access

* add links and roles

* link update

* product name update
Marty Hernandez Avedon
2019-07-10 21:27:16 -04:00
committed by GitHub
parent 5b263d8bba
commit 29875f2a32
2 changed files with 24 additions and 8 deletions


@ -138,12 +138,22 @@ Turning this setting on forwards signals to Azure Information Protection, giving
## Microsoft Intune connection
This feature is only available if you have an active Microsoft Intune (Intune) license.
Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
>[!IMPORTANT]
>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
This feature is only available if you have the following:
- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
- An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/).
### Conditional Access policy
When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
>[!NOTE]
>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
## Preview features
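Review bot: the prerequisites in this hunk are now stated twice and disagree. The line directly under the heading says "This feature is only available if you have an active Microsoft Intune (Intune) license.", while the later "This feature is only available if you have the following:" list names Enterprise Mobility + Security E3 plus Windows E5 (or Microsoft 365 Enterprise E5) and an Intune environment with Azure AD-joined Windows 10 devices. Keep only the list and fold the Intune license into it so a reader gets one answer. The new IMPORTANT callout also repeats "You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature", which the existing NOTE callout already says; leave that sentence in one callout only, so the NOTE carries just the classic-versus-modern Conditional Access distinction. Since the preceding sentence already explains that the classic CA policy is the prerequisite for status reports to Intune, "It should not be deleted." would be more useful as "Deleting it breaks status reporting to Intune."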


@ -1,7 +1,7 @@
---
title: Configure Conditional Access in Microsoft Defender ATP
description:
keywords:
description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
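Review bot: the new description writes "Conditional access" while the title line above it and the page heading use "Conditional Access"; match the title's capitalization. In the keywords line, the standalone entries "conditional" and "access" duplicate the first term "conditional access" and will match searches unrelated to this page; "conditional access, device risk, risk level, intune integration" covers the same ground.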
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/03/2018
---
# Configure Conditional Access in Microsoft Defender ATP
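Review bot: the hunk header (-15,7 +15,6) shows that `ms.date: 09/03/2018` is removed with no replacement, so the page loses its last-updated metadata. Set `ms.date` to this revision's date instead of deleting the key.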
@ -29,17 +28,24 @@ This section guides you through all the steps you need to take to properly imple
>It's important to note that Azure AD registered devices is not supported in this scenario.</br>
>Only Intune enrolled devices are supported.
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).
There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
It's important to note the required roles to access these portals and implement Conditional access:
- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions.
- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
> [!NOTE]
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
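Review bot: the replacement "End-user" bullet has broken link syntax. `[Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)` is missing the opening parenthesis before the URL, so it renders as literal text rather than a link; the bullet it replaces was well-formed, so this is a regression introduced here. In the "IT Admin" bullet, "how to enabling auto-enrollment" should read "how to enable auto-enrollment". The trailing NOTE ("You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.") restates the callout at the top of the hunk that only Intune enrolled devices are supported and can be dropped. In the roles list, the Intune entry ("security administrator rights with management permissions") is vaguer than the named roles given for the other two portals; name the Intune role explicitly so an administrator can verify they hold it before starting.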