|
1 | 1 | ---
|
2 | 2 | title: Configure Conditional Access in Microsoft Defender for Endpoint
|
3 |
| -description: Learn about steps that you need to do in Intune, Microsoft Defender XDR, and Azure to implement Conditional access |
| 3 | +description: Learn about steps that you need to do in Intune, Microsoft Defender XDR, and Azure to implement Conditional Access |
4 | 4 | ms.service: defender-endpoint
|
5 | 5 | ms.author: bagol
|
6 | 6 | author: batamig
|
@@ -41,7 +41,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use
|
41 | 41 |
|
42 | 42 | There are steps you'll need to take in the Microsoft Defender portal, the Intune portal, and Microsoft Entra admin center.
|
43 | 43 |
|
44 |
| -It's important to note the required roles to access these portals and implement Conditional access: |
| 44 | +It's important to note the required roles to access these portals and implement Conditional Access: |
45 | 45 |
|
46 | 46 | - **Microsoft Defender portal** - You'll need to sign into the portal with an appropriate role to turn on integration. See [Permission options](user-roles.md#permission-options).
|
47 | 47 | - **Intune** - You'll need to sign in to the portal with Security Administrator rights with management permissions.
|
@@ -113,24 +113,27 @@ Take the following steps to enable Conditional Access:
|
113 | 113 |
|
114 | 114 | ### Step 5: Create a Microsoft Entra Conditional Access policy
|
115 | 115 |
|
116 |
| -1. In the [Azure portal](https://portal.azure.com), open **Microsoft Entra ID** \> **Conditional Access** \> **New policy**. |
117 |
| - |
118 |
| -2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**. |
119 |
| - |
120 |
| -3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes. |
121 |
| - |
122 |
| -4. Select **Conditions** \> **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes. |
123 |
| - |
124 |
| -5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** \> **Require device to be marked as compliant**. Choose **Select** to save your changes. |
125 |
| - |
126 |
| -6. Select **Enable policy**, and then **Create** to save your changes. |
| 116 | +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Conditional Access Administrator](/entra/identity/role-based-access-control/permissions-reference#conditional-access-administrator). |
| 117 | +1. Browse to **Entra ID** > **Conditional Access** > **Policies**. |
| 118 | +1. Select **New policy**. |
| 119 | +1. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies. |
| 120 | +1. Under **Assignments**, select **Users or workload identities**. |
| 121 | + 1. Under **Include**, select **All users** |
| 122 | + 1. Under **Exclude**: |
| 123 | + 1. Select **Users and groups** |
| 124 | + 1. Choose your organization's emergency access or break-glass accounts. |
| 125 | + 1. If you use hybrid identity solutions like Microsoft Entra Connect or Microsoft Entra Connect Cloud Sync, select **Directory roles**, then select **Directory Synchronization Accounts** |
| 126 | +1. Under **Target resources** > **Resources (formerly cloud apps)** > **Include**, select **All resources (formerly 'All cloud apps')**. |
| 127 | +1. Under **Access controls** > **Grant**. |
| 128 | + 1. Select **Require device to be marked as compliant**. |
| 129 | + 1. Select **Select**. |
| 130 | +1. Confirm your settings and set **Enable policy** to **Report-only**. |
| 131 | +1. Select **Create** to create to enable your policy. |
| 132 | + |
| 133 | +After confirming your settings using [policy impact or report-only mode](/entra/identity/conditional-access/concept-conditional-access-report-only#reviewing-results), move the **Enable policy** toggle from **Report-only** to **On**. |
127 | 134 |
|
128 | 135 | > [!NOTE]
|
129 | 136 | > You can use the Microsoft Defender for Endpoint app along with the **Approved Client app** , **App Protection policy** and **Compliant Device** (Require device to be marked as compliant) controls in Microsoft Entra Conditional Access policies. There's no exclusion required for the Microsoft Defender for Endpoint app while setting up Conditional Access. Although Microsoft Defender for Endpoint on Android & iOS (App ID - dd47d17a-3194-4d86-bfd5-c6ae6f5651e3) isn't an approved app, it is able to report device security posture in all the three grant permissions.
|
130 |
| -> |
131 |
| -> However, internally Defender requests **MSGraph/User.read** scope and **Intune Tunnel** scope (in case of Defender+Tunnel scenarios). So these scopes must be excluded*. To exclude MSGraph/User.read scope, any one cloud app can be excluded. To exclude Tunnel scope, you need to exclude 'Microsoft Tunnel Gateway'.These permission and exclusions enables the flow for compliance information to Conditional Access. |
132 |
| -
|
133 |
| -Applying a Conditional Access policy to All Cloud Apps could inadvertently block user access in some cases, so it's not recommended. Read more about [Conditional Access policies on Cloud Apps](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps#all-cloud-apps) |
134 | 137 |
|
135 | 138 | For more information, see [Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](/mem/intune/protect/advanced-threat-protection).
|
136 | 139 |
|
|