Implementing Windows Defender ATP policies

To enforce conditional access policies, you need a device compliance policy that evaluates each device's threat level as reported by Microsoft Defender ATP. Note that Azure AD registered devices are only evaluated for compliance if they are also enrolled in Intune, so they cannot satisfy a policy that requires a compliant device otherwise. With that in mind, take note of the following requirements for conditional access with Microsoft Defender ATP:

  • You must have an Enterprise Mobility and Security E5 license or Microsoft 365 Enterprise E5 license.
  • You must have Intune configured with Windows 10 devices joined to Azure AD.
  • You must have Microsoft Defender ATP and the portal (Security Center).

Assuming you have met these requirements, you can enable conditional access by following these steps:

  1. Go to Microsoft Defender Security Center (securitycenter.windows.com).
  2. Turn on the Microsoft Intune connection (advanced features).
  3. Turn on the Microsoft Defender ATP connector in Intune. Before you can continue, Intune displays instructions for doing this, as seen in the following screenshot:

Step 2 must be complete before you can enable the connector in Intune: if the Intune connection has not been turned on in the Security Center, Intune will not let you turn on Microsoft Defender ATP until it has been. Only then can you complete the remaining steps:
  4. Create and assign the compliance policy in Intune. Set it so that the device must be at or under a specified threat level (see Chapter 2, Managing Device Compliance).
  5. Create an Azure AD Conditional Access policy that restricts access to compliant devices (see Chapter 2, Managing Device Compliance).
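
As an added example (not code from the book), the two Intune and Azure AD steps above can also be created through Microsoft Graph from PowerShell instead of the portal. The group IDs, display names and the "medium" risk threshold are placeholder assumptions; the script assumes the Microsoft.Graph PowerShell SDK is installed and that the Security Center to Intune connection from steps 2 and 3 is already turned on.

```powershell
# Added example: creates the Intune compliance policy (step 4) and the Azure AD
# Conditional Access policy (step 5) via Microsoft Graph instead of the portal.
# Group IDs and display names are placeholders (assumptions), not values from the book.

# Assumes the Microsoft.Graph PowerShell SDK: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId      = "00000000-0000-0000-0000-000000000000"  # placeholder: pilot users/devices group
$breakGlassGroupId = "11111111-1111-1111-1111-111111111111"  # placeholder: emergency-access accounts

# Step 4: Windows 10 compliance policy that requires the Defender ATP machine risk score
# to be at or under "medium". deviceThreatProtectionRequiredSecurityLevel accepts
# unavailable, secured, low, medium, high or notSet; "secured" tolerates no risk at all.
$compliancePolicy = @{
    "@odata.type"                               = "#microsoft.graph.windows10CompliancePolicy"
    displayName                                 = "Windows 10 - Defender ATP risk at or under medium"
    description                                 = "Non-compliant when Microsoft Defender ATP reports a risk score above medium"
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "medium"
    # Graph rejects a new compliance policy with no scheduled action; gracePeriodHours 0
    # marks the device non-compliant as soon as the threat level is exceeded.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"   # rule name Intune itself uses for the default action
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliancePolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the pilot group; an unassigned policy evaluates nothing.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $pilotGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Step 5: Conditional Access policy that grants access to all cloud apps from Windows
# only when the device is marked compliant. Created in report-only mode first so the
# sign-in logs show who would be blocked before anyone actually is.
$caPolicy = @{
    displayName = "Require compliant device - Windows (Defender ATP risk)"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

Two practitioner caveats are built in: the Conditional Access policy starts in report-only mode and excludes an emergency-access group, because a "require compliant device" policy scoped to all apps will lock out administrators whose devices are not yet enrolled or whose risk score has been raised by Microsoft Defender ATP. Review the report-only results in the Azure AD sign-in logs, then set state to "enabled".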

Finally, let's enable and configure the features that reduce our attack surface and provide next-generation protection.
