Securing your organization's devices against cyber threats is a critical priority. Microsoft Intune, combined with Microsoft Defender for Endpoint, lets you tie device risk to access decisions. In this guide, we walk through configuring the integration between the two services: connecting them, onboarding devices, setting compliance policies based on device risk level, and using Conditional Access to keep high-risk devices away from corporate resources.

Establishing the Service-to-Service Connection

The first step is to set up the service-to-service connection between Microsoft Intune and Microsoft Defender for Endpoint. This connection lets Defender for Endpoint report the risk level of each Intune-managed device back to Intune, where compliance policies can act on it.

To enable Microsoft Defender for Endpoint:

  1. Sign in to the Microsoft Intune admin center and navigate to Endpoint security > Microsoft Defender for Endpoint.
  2. Select the link to open the Microsoft Defender portal (labelled Open the Microsoft Defender Security Center in older versions of the admin center).
  3. In the Microsoft Defender portal, go to Settings > Endpoints > Advanced features and toggle the Microsoft Intune connection to On.
  4. Save your preferences to complete the service-to-service connection setup.

Once the connection is established, the services are expected to sync with each other at least once every 24 hours. The same Intune page (Endpoint security > Microsoft Defender for Endpoint) shows the connection status and the time of the last synchronization, and lets you configure the number of days without a sync before the connection is considered unresponsive.
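The same connection health can be read programmatically. The following script is an added example, not part of the original guide: it queries the Intune-side connector record through Microsoft Graph and flags the connection as stale when the last heartbeat is older than the 24-hour sync expectation or the partner state is anything other than enabled. It assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in with a role that grants DeviceManagementServiceConfig.Read.All; the 24-hour threshold is a parameter you can adjust.

```powershell
# Added example (not from the original guide): check the Intune <-> Defender for Endpoint
# connector record through Microsoft Graph and flag a stale or unresponsive connection.
# Assumes the Microsoft.Graph PowerShell SDK and the DeviceManagementServiceConfig.Read.All scope.

Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' -NoWelcome

function Get-MdeConnectorHealth {
    param(
        # Hours without a heartbeat before the connection is flagged as stale.
        # The services are expected to sync at least once every 24 hours.
        [int]$MaxHeartbeatAgeHours = 24
    )

    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/mobileThreatDefenseConnectors'
    $connectors = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

    if (-not $connectors) {
        Write-Warning 'No threat-defense connector found: the service-to-service connection has not been set up.'
        return
    }

    foreach ($c in $connectors) {
        # lastHeartbeatDateTime is empty until the first successful sync.
        $lastHeartbeat = if ($c.lastHeartbeatDateTime) { ([datetime]$c.lastHeartbeatDateTime).ToUniversalTime() } else { $null }
        $ageHours = if ($lastHeartbeat) {
            [math]::Round(((Get-Date).ToUniversalTime() - $lastHeartbeat).TotalHours, 1)
        } else { $null }

        [pscustomobject]@{
            ConnectorId               = $c.id
            PartnerState              = $c.partnerState   # expect 'enabled'; 'unresponsive' means sync has stopped
            LastHeartbeatUtc          = $lastHeartbeat
            HoursSinceHeartbeat       = $ageHours
            UnresponsiveThresholdDays = $c.partnerUnresponsivenessThresholdInDays
            AndroidEnabled            = $c.androidEnabled
            IosEnabled                = $c.iosEnabled
            Stale                     = ($null -eq $ageHours) -or ($ageHours -gt $MaxHeartbeatAgeHours) -or ($c.partnerState -ne 'enabled')
        }
    }
}

Get-MdeConnectorHealth | Format-List
```

Run it from a scheduled job and alert on `Stale = True`; a connector that silently stops syncing means compliance evaluations keep using old risk data, which is exactly the state the unresponsiveness threshold is meant to surface.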

Onboarding Devices to Microsoft Defender for Endpoint

With the service-to-service connection in place, you can now onboard the devices you manage with Intune to Microsoft Defender for Endpoint. This onboarding process configures the devices to communicate with Defender for Endpoint and provide data for assessing their risk levels.

The onboarding process varies by device platform, and you should ensure you are using the most recent version of Microsoft Defender for Endpoint for each platform.

Windows Devices

For Windows devices, you can use either Endpoint Detection and Response (EDR) policies or Device Configuration policies to onboard them to Microsoft Defender for Endpoint. The Microsoft Defender for Endpoint page in the Intune admin center (Endpoint security > Microsoft Defender for Endpoint) includes a direct link that opens the EDR policy creation workflow.

When configuring the EDR policy, select the 'Auto from connector' option for the 'Microsoft Defender for Endpoint client configuration package type' setting. Intune then retrieves the onboarding package from your Defender for Endpoint tenant automatically, so you do not have to download and upload a package from the Defender portal yourself.

Alternatively, you can use a Device Configuration policy and select the ‘Microsoft Defender for Endpoint’ template, which will use the onboarding configuration package received from Defender for Endpoint to set up the devices.
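Once the policy has applied, confirm on the device that it actually onboarded rather than trusting the policy's reported state alone. The script below is an added example, not part of the original guide: it reads the Defender for Endpoint status registry key and the Sense (EDR sensor) service, and lists the most recent sensor events so you can tell a device that never onboarded from one that onboarded but cannot reach the cloud. It assumes you run it in an elevated PowerShell session on the Windows endpoint; the optional organization ID parameter is a placeholder you supply from your own Defender tenant.

```powershell
# Added example (not from the original guide): verify on a Windows device that the EDR or
# device configuration policy onboarded it to Defender for Endpoint. Run elevated, on the endpoint.

function Test-MdeOnboarding {
    param(
        # Optional: your Defender for Endpoint organization ID. When supplied, the script also
        # checks that the device onboarded to your tenant and not to a stale or wrong package.
        [string]$ExpectedOrgId
    )

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # The Sense service is the EDR sensor; it only runs once an onboarding package has been applied.
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    $onboarded = ($status.OnboardingState -eq 1)
    $orgMatch  = if ($ExpectedOrgId) { $status.OrgId -eq $ExpectedOrgId } else { $null }

    # Recent sensor events help distinguish "onboarded but offline" from "never onboarded".
    $recentEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        SenseService      = if ($sense) { $sense.Status.ToString() } else { 'NotInstalled' }
        OnboardingState   = $status.OnboardingState   # 1 = onboarded; missing or 0 = not onboarded
        OrgId             = $status.OrgId
        OrgIdMatches      = $orgMatch
        Onboarded         = $onboarded -and ($null -ne $sense) -and ($sense.Status -eq 'Running')
        RecentSenseEvents = $recentEvents
    }
}

Test-MdeOnboarding | Format-List
```

A device that shows `OnboardingState = 1` but a stopped Sense service, or no recent events, will not report a risk level, so its compliance state will not reflect Defender's view of it; treat those as onboarding failures and not as low-risk devices.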

macOS, Android, and iOS/iPadOS Devices

For macOS, Android, and iOS/iPadOS devices, the onboarding process is platform-specific. Refer to the corresponding Microsoft Defender for Endpoint documentation for detailed instructions on onboarding these device types.

Configuring Compliance Policies for Risk Levels

The next step is to create and assign compliance policies in Intune that set the acceptable risk level for your Android, iOS/iPadOS, and Windows devices. The relevant setting, 'Require the device to be at or under the machine risk score', accepts the levels Clear, Low, Medium, and High, and Intune evaluates it against the risk level that Microsoft Defender for Endpoint reports for each device.

  1. In the Intune admin center, navigate to Devices > Compliance Policies and create a new policy.
  2. Select the appropriate platform (Android, iOS/iPadOS, or Windows) and, under the 'Microsoft Defender for Endpoint' settings, set 'Require the device to be at or under the machine risk score' to the highest risk level you are willing to tolerate (for example Medium, so that only High-risk devices become noncompliant).
  3. Assign the compliance policy to the relevant user or device groups.

Devices that exceed the allowed risk level will be marked as noncompliant, which can then be used as a condition in your Conditional Access policies.
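The same policy can be created through Microsoft Graph, which is useful when you manage several tenants or want the configuration under version control. The script below is an added example and not the guide's own code: it creates a Windows compliance policy with the Defender for Endpoint risk setting and assigns it to a group. It assumes the Microsoft.Graph PowerShell SDK and a role granting DeviceManagementConfiguration.ReadWrite.All; the group ID at the end is a placeholder you must replace. The Graph value `secured` corresponds to Clear in the admin center, followed by `low`, `medium` and `high`.

```powershell
# Added example (not from the original guide): create a Windows compliance policy that marks
# a device noncompliant when its Defender for Endpoint risk score exceeds the allowed level,
# then assign it to a group. Assumes the Microsoft.Graph PowerShell SDK and the
# DeviceManagementConfiguration.ReadWrite.All scope. Group ID below is a placeholder.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

function New-MdeRiskCompliancePolicy {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        # Graph value for "Require the device to be at or under the machine risk score":
        # secured = Clear (no active threats), then low, medium, high.
        [ValidateSet('secured', 'low', 'medium', 'high')] [string]$MaxRiskLevel = 'medium',
        [Parameter(Mandatory)] [string]$AssignToGroupId
    )

    $body = @{
        '@odata.type'                               = '#microsoft.graph.windows10CompliancePolicy'
        displayName                                 = $DisplayName
        description                                 = "Noncompliant when the Defender for Endpoint risk score is above '$MaxRiskLevel'"
        deviceThreatProtectionEnabled               = $true
        deviceThreatProtectionRequiredSecurityLevel = $MaxRiskLevel
        # Graph rejects a compliance policy that has no action schedule. The rule name must be
        # 'PasswordRequired' regardless of which settings the policy contains (an Intune quirk);
        # a 0-hour grace period marks the device noncompliant as soon as the risk is reported.
        scheduledActionsForRule = @(
            @{
                ruleName                      = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    @{
                        actionType                = 'block'
                        gracePeriodHours          = 0
                        notificationTemplateId    = ''
                        notificationMessageCCList = @()
                    }
                )
            }
        )
    }

    $policy = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'

    $assignBody = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $AssignToGroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
        -Body ($assignBody | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

    return $policy
}

# Placeholder group ID: replace with the object ID of the group that should receive the policy.
New-MdeRiskCompliancePolicy -DisplayName 'Windows - MDE risk at or under Medium' `
    -MaxRiskLevel 'medium' -AssignToGroupId '00000000-0000-0000-0000-000000000000'
```

Android and iOS/iPadOS policies use the same two properties (`deviceThreatProtectionEnabled` and `deviceThreatProtectionRequiredSecurityLevel`) on their own policy types (`androidCompliancePolicy`, `iosCompliancePolicy`), so the function can be generalized by parameterizing the `@odata.type` value.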

Implementing Conditional Access Policies

Conditional Access policies in Microsoft Entra can use the data from Microsoft Defender for Endpoint to block access to corporate resources, such as SharePoint or Exchange Online, for devices that exceed the specified risk level.

  1. In the Intune admin center, navigate to Endpoint Security > Conditional Access (this opens the Microsoft Entra Conditional Access blade) and create a new policy.
  2. Configure the policy to target the specific cloud apps you want to protect, such as SharePoint Online and Exchange Online.
  3. Under the ‘Conditions’ section, select ‘Client apps’ and configure the policy to apply to both browser and mobile apps/desktop clients.
  4. In the ‘Grant’ section, configure the policy to require the device to be marked as compliant, using the risk levels set in your Intune compliance policies.
  5. Exclude at least one emergency-access (break-glass) account or group from the policy, start it in Report-only mode, review the sign-in logs to confirm it affects only the devices you expect, and then switch it to On. A mistake in the compliance policy or an outage in the Defender connection would otherwise block every user at once, including the administrators who need to fix it.

With this Conditional Access policy in place, devices that are noncompliant because of their risk level are blocked from the targeted resources until the alerts are resolved in the Defender portal, the device's risk score drops back within the allowed level, and Intune re-evaluates the device as compliant.
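For repeatable deployments, the policy above can also be created through Microsoft Graph. The script below is an added example, not the guide's own code: it creates the Conditional Access policy targeting SharePoint Online and Exchange Online, both browser and mobile/desktop clients, with a grant control requiring a compliant device, and it starts the policy in report-only mode with an emergency-access group excluded. It assumes the Microsoft.Graph PowerShell SDK and a role granting Policy.ReadWrite.ConditionalAccess (Policy.Read.All is also needed to read policies back); the break-glass group ID is a placeholder you must replace, and the two application IDs are Microsoft's well-known first-party IDs for the SharePoint Online and Exchange Online workloads.

```powershell
# Added example (not from the original guide): create the "require compliant device" Conditional
# Access policy through Microsoft Graph, in report-only mode with a break-glass group excluded.
# Assumes the Microsoft.Graph PowerShell SDK and the Policy.ReadWrite.ConditionalAccess scope.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

function New-CompliantDeviceCaPolicy {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        # Object ID of the emergency-access group that must never be subject to this policy.
        [Parameter(Mandatory)] [string]$BreakGlassGroupId,
        # Start in report-only; switch to 'enabled' only after reviewing sign-in logs.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Well-known first-party application IDs for the two workloads named in the guide.
    $sharePointOnline = '00000003-0000-0ff1-ce00-000000000000'
    $exchangeOnline   = '00000002-0000-0ff1-ce00-000000000000'

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeUsers  = @('All')
                excludeGroups = @($BreakGlassGroupId)   # a compliance outage must not lock out emergency accounts
            }
            applications   = @{ includeApplications = @($sharePointOnline, $exchangeOnline) }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')   # "Require device to be marked as compliant"
        }
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Placeholder group ID: replace with the object ID of your emergency-access group.
New-CompliantDeviceCaPolicy -DisplayName 'CA - Require compliant device for SharePoint and Exchange Online' `
    -BreakGlassGroupId '00000000-0000-0000-0000-000000000000'
```

After the policy has run in report-only mode for a few days, review the Conditional Access report-only results in the sign-in logs; once the only affected sign-ins are the ones you expect, update the policy's `state` to `enabled`.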

Conclusion

By integrating Microsoft Defender for Endpoint with Microsoft Intune, you can significantly enhance your organization’s device security posture. This integration allows you to onboard devices, set compliance policies based on risk levels, and leverage Conditional Access to protect your corporate resources. By following the steps outlined in this guide, you can effectively secure your devices and safeguard your organization against cyber threats.

For more information, refer to the Intune documentation and the Microsoft Defender for Endpoint documentation.