mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
update toc, split conditional access topic to two
This commit is contained in:
Joey Caparas
parent
da1821ac3d
commit
3e0c88dc2e
@ -239,6 +239,10 @@
|
||||
|
||||
### [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
### Configure Microsoft threat protection integration
|
||||
#### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
|
||||
#### General
|
||||
##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -16,8 +16,6 @@ ms.date: 04/24/2018
|
||||
# Enable conditional access to better protect users, devices, and data
|
||||
|
||||
**Applies to:**
|
||||
|
||||
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
|
||||
|
||||
|
||||
@ -66,89 +64,9 @@ The following example sequence of events explains conditional access in action:
|
||||
4. The manual or automated investigation and remediation is completed and the threat is removed. Windows Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
|
||||
5. Users can now access applications.
|
||||
|
||||
|
||||
|
||||
## Configure conditional access
|
||||
This section guides you through all the steps you need to take to properly implement conditional access.
|
||||
|
||||
### Before you begin
|
||||
>[!WARNING]
|
||||
>It's important to note that Azure AD registered devices is not supported in this scenario.</br>
|
||||
>Only Intune enrolled devices are supported.
|
||||
|
||||
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
|
||||
|
||||
|
||||
- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
|
||||
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
|
||||
- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup).
|
||||
|
||||
|
||||
|
||||
There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal.
|
||||
|
||||
> [!NOTE]
|
||||
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
|
||||
|
||||
Take the following steps to enable conditional access:
|
||||
- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center
|
||||
- Step 2: Turn on the Windows Defender ATP integration in Intune
|
||||
- Step 3: Create the compliance policy in Intune
|
||||
- Step 4: Assign the policy
|
||||
- Step 5: Create an Azure AD conditional access policy
|
||||
|
||||
|
||||
### Step 1: Turn on the Microsoft Intune connection
|
||||
1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
|
||||
2. Toggle the Microsoft Intune setting to **On**.
|
||||
3. Click **Save preferences**.
|
||||
|
||||
|
||||
### Step 2: Turn on the Windows Defender ATP integration in Intune
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com).
|
||||
2. Select **Device compliance** > **Windows Defender ATP**.
|
||||
3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**.
|
||||
4. Click **Save**.
|
||||
|
||||
|
||||
### Step 3: Create the compliance policy in Intune
|
||||
1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
|
||||
2. Select **Device compliance** > **Policies** > **Create policy**.
|
||||
3. Enter a **Name** and **Description**.
|
||||
4. In **Platform**, select **Windows 10 and later**.
|
||||
5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
|
||||
|
||||
- **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
|
||||
- **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
|
||||
- **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
|
||||
- **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.
|
||||
|
||||
6. Select **OK**, and **Create** to save your changes (and create the policy).
|
||||
|
||||
### Step 4: Assign the policy
|
||||
1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
|
||||
2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy.
|
||||
3. Select **Assignments**.
|
||||
4. Include or exclude your Azure AD groups to assign them the policy.
|
||||
5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
|
||||
|
||||
### Step 5: Create an Azure AD conditional access policy
|
||||
1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**.
|
||||
2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
|
||||
3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
|
||||
|
||||
4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
|
||||
|
||||
5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
|
||||
|
||||
6. Select **Enable policy**, and then **Create** to save your changes.
|
||||
|
||||
For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
||||
|
||||
|
||||
## Related topic
|
||||
- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
|
||||
- [Configure conditional access in Windows Defender ATP](configure-conditional-access-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
|
||||
|
||||
|
||||
@ -0,0 +1,96 @@
|
||||
---
|
||||
title: Configure conditional access in Windows Defender ATP
|
||||
description:
|
||||
keywords:
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: macapara
|
||||
author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 09/03/2018
|
||||
---
|
||||
|
||||
# Configure conditinal access in Windows Defender ATP
|
||||
**Applies to:**
|
||||
- Windows Defender Advanced Threat Protection (Windows Defender ATP
|
||||
|
||||
This section guides you through all the steps you need to take to properly implement conditional access.
|
||||
|
||||
### Before you begin
|
||||
>[!WARNING]
|
||||
>It's important to note that Azure AD registered devices is not supported in this scenario.</br>
|
||||
>Only Intune enrolled devices are supported.
|
||||
|
||||
You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
|
||||
|
||||
|
||||
- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
|
||||
- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
|
||||
- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup).
|
||||
|
||||
|
||||
|
||||
There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal.
|
||||
|
||||
> [!NOTE]
|
||||
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
|
||||
|
||||
Take the following steps to enable conditional access:
|
||||
- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center
|
||||
- Step 2: Turn on the Windows Defender ATP integration in Intune
|
||||
- Step 3: Create the compliance policy in Intune
|
||||
- Step 4: Assign the policy
|
||||
- Step 5: Create an Azure AD conditional access policy
|
||||
|
||||
|
||||
### Step 1: Turn on the Microsoft Intune connection
|
||||
1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
|
||||
2. Toggle the Microsoft Intune setting to **On**.
|
||||
3. Click **Save preferences**.
|
||||
|
||||
|
||||
### Step 2: Turn on the Windows Defender ATP integration in Intune
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com).
|
||||
2. Select **Device compliance** > **Windows Defender ATP**.
|
||||
3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**.
|
||||
4. Click **Save**.
|
||||
|
||||
|
||||
### Step 3: Create the compliance policy in Intune
|
||||
1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
|
||||
2. Select **Device compliance** > **Policies** > **Create policy**.
|
||||
3. Enter a **Name** and **Description**.
|
||||
4. In **Platform**, select **Windows 10 and later**.
|
||||
5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
|
||||
|
||||
- **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
|
||||
- **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
|
||||
- **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
|
||||
- **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.
|
||||
|
||||
6. Select **OK**, and **Create** to save your changes (and create the policy).
|
||||
|
||||
### Step 4: Assign the policy
|
||||
1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
|
||||
2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy.
|
||||
3. Select **Assignments**.
|
||||
4. Include or exclude your Azure AD groups to assign them the policy.
|
||||
5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
|
||||
|
||||
### Step 5: Create an Azure AD conditional access policy
|
||||
1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**.
|
||||
2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
|
||||
3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
|
||||
|
||||
4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
|
||||
|
||||
5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
|
||||
|
||||
6. Select **Enable policy**, and then **Create** to save your changes.
|
||||
|
||||
For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
|
||||
Loading…
x
Reference in New Issue
Block a user