In this scenario we create a compliance policy for our Windows 10 devices together with a Conditional Access policy. The expected outcome: if a Hybrid Azure AD joined Windows 10 device exceeds the risk level the compliance policy allows, it is identified as a non-compliant Windows 10 device. Our Conditional Access policy is then enforced and blocks access to cloud resources (apps) for non-compliant Windows 10 devices.
It is a condition that only our Hybrid Azure Active Directory joined Windows 10 devices can be granted access to the Office 365 Exchange Online apps; cloud-only (Azure Active Directory joined) Windows 10 devices will not be compliant. This will be defined in our Conditional Access policy.
But again, if the risk level set in the ATP compliance policy is exceeded, the hybrid joined devices will also be denied access to the Office 365 Exchange Online apps. These settings are defined in our compliance and Conditional Access policies.
Prerequisites that need to be in place before starting to configure Microsoft Defender with Conditional Access:
Note: This establishes a connection to Microsoft Intune for data and risk score collection, so that we can create a Conditional Access policy that enforces, for example, blocking devices that exceed the risk level allowed in our compliance policy.
When you establish the connection to Microsoft Defender ATP, Intune receives a Microsoft Defender ATP onboarding configuration package from Microsoft Defender ATP. This package is deployed automatically to Windows 10 devices that have the device configuration profile assigned; we will create the device configuration profile later in this blog. The configuration package configures devices to communicate with Microsoft Defender ATP services to scan files, detect threats, and report the risk to Microsoft Defender ATP.
Now back to the Intune portal: find “Connect Windows devices version 10.0.15063 and above to Microsoft Defender ATP”, set it to ON and click Save:
Note: Intune will kindly tell us that we don’t have any device compliance policy enabled yet. That's all fine for now.
Note: In this test lab we choose Low. This setting leaves almost zero tolerance for unsecured sources or data, files etc. detected as potential malware, viruses etc. Threat level classifications are determined by Microsoft Defender ATP:
Note: Assigning to all users affects every end user that logs on to a Windows 10 device, so no one is left behind. In this test lab, security for our end users is highly prioritized.
Note: The selected client apps that this policy applies to cover almost every way an app can be presented.
Note: Setting both options under Configure to Enabled is highly recommended, because it provides features such as sample sharing for all files and helps Microsoft develop and preserve a high security level through important telemetry data.
Note: The name of the profile could also have been something like “Microsoft Defender ATP Windows 10 onboarding”.
Note: Under Domain you can see whether the devices are Azure AD joined or hybrid joined.
Note: This Windows 10 device is a cloud-only device, meaning it is only Azure Active Directory joined and does not meet the hybrid join criteria for being compliant, so we cannot access this cloud app from this device. If the device later performs a hybrid join, we will be able to access the app Microsoft 365 Exchange Online (which includes Teams and OneDrive).
Note: So remember, our compliance policy tells us that if Microsoft Defender ATP detects abnormal behavior or any kind of security breach on a Windows 10 device, the device will not be compliant and the Conditional Access policy will not let the user access the cloud resource / app.
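As an added example (not part of the original post or any Microsoft sample), the same setup expressed as Microsoft Graph policy payloads next to the access decision they produce for a device; the app id placeholder, display names and the device record fields are assumptions, the Graph property names and enum values are real.

```python
"""Compliance + Conditional Access as configured above: Graph payloads and resulting decision."""
# Defender ATP risk levels as Intune receives them, ordered from safest to worst.
# Values not in this list (e.g. "unavailable") are treated as non-compliant (assumed, conservative).
THREAT_LEVELS = ["secured", "low", "medium", "high"]

def windows10_compliance_policy(max_level: str = "low") -> dict:
    """Intune compliance policy: non-compliant once ATP risk exceeds max_level ("Low" in the post)."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "Windows 10 - Defender ATP risk level",  # assumed name
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": max_level,
    }

def conditional_access_policy(app_id: str) -> dict:
    """CA policy: all users, Windows, every client app type; grant requires BOTH
    a compliant device and a Hybrid Azure AD joined device."""
    return {
        "displayName": "Block non-compliant Windows 10 - Exchange Online",  # assumed name
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},
            "platforms": {"includePlatforms": ["windows"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients",
                               "exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "AND",
                          "builtInControls": ["compliantDevice", "domainJoinedDevice"]},
    }

def is_compliant(reported_level: str, compliance: dict) -> bool:
    """Compliant while the reported risk is at or below the allowed level."""
    allowed = compliance["deviceThreatProtectionRequiredSecurityLevel"]
    if reported_level not in THREAT_LEVELS:
        return False
    return THREAT_LEVELS.index(reported_level) <= THREAT_LEVELS.index(allowed)

def access_decision(device: dict, compliance: dict, ca: dict) -> str:
    """Every grant control in the CA policy must be satisfied, otherwise access is blocked.
    `device` is a constructed record with keys atp_risk and join_type."""
    checks = {
        "compliantDevice": is_compliant(device["atp_risk"], compliance),
        "domainJoinedDevice": device["join_type"] == "hybridAzureADJoined",
    }
    required = ca["grantControls"]["builtInControls"]
    return "grant" if all(checks[c] for c in required) else "block"
```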