diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 9dae856bb7..d9b9a635c5 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -91,6 +91,9 @@ #### [Automated investigations](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md) #### [Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md) +###Prevent threats +#### [Enable conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md) + ###API and SIEM support #### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md) ##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..264604eb33 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,56 @@ +--- +title: Enable conditional access in Windows Defedener ATP +description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. +keywords: conditional access, block applications, security level, intune, +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 03/05/2018 +--- + +# Enable conditional access in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. + +With conditional access, you can control access to enterprise information based on the risk level of a device. This helps ensure that devices are always trusted. + +You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. + +The implementation of conditional access in Windows Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. + +The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. + +## Understand conditional access +When a device is found to be at high risk, the signal is communicated to Intune. In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. 
In parallel, an automated investigation and remediation process is launched. + +![Image of conditional access](images/atp-conditional-access.png) + +A device returns to a compliant state when there is low or no risk seen on it. A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. + +When this happens, the same flow is followed but this time around the user will be able to access the application. + + +## Configure conditional access +> [!NOTE] +> You'll need a valid Intune license to enable conditional access. + +You'll need to take the following steps to enable conditional access: + +1. Turn on the Microsoft Intune connection. For more information, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). +2. Create a device compliance policy in Intune. For more information, see [Create a compliance policy in the Azure portal](https://docs.microsoft.com/en-us/intune/compliance-policy-create-windows#create-a-compliance-policy-in-the-azure-portal). +3. Define a conditional access policy in AAD. For more information, see [Get started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started). + + diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png b/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png new file mode 100644 index 0000000000..c8126f92a3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-conditional-access.png differ
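Review bot: the new TOC entry `###Prevent threats` is missing the space after `###`, so CommonMark-conforming renderers will treat it as literal text rather than a level-3 heading; write it as `### Prevent threats`. The existing `###API and SIEM support` line shown in the context has the same defect, so this is a good opportunity to fix both while touching the hunk.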
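Review bot: the front-matter `title` in the new conditional-access page reads "Enable conditional access in Windows Defedener ATP" (typo) while the H1 below it reads "Windows Defender ATP"; correct the title so search results and the page heading match. Two smaller consistency points in the same file: step 3 of the configuration list says "in AAD" whereas the rest of the page spells it out as "Azure AD", and the sentence "When this happens, the same flow is followed..." has no clear antecedent for "this" (the preceding paragraph describes both the device returning to compliance and the remediation still running); naming the event explicitly, for example "When the device returns to a compliant state, the same flow is followed...", would make the behaviour unambiguous.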