Mobile Threat Defense for Entra Shared Device Mode
Hi StuartK73,
if by Entra Shared Device Mode you mean the frontline “shared device” experience (Authenticator + SDM), one important gotcha: Microsoft Defender for Endpoint on mobile isn’t supported on user-less or shared devices (both iOS and Android). So if you were hoping to use MDE as your MTD in SDM, it’s usually a dead end.
What most orgs do in SDM instead is pick a third-party Mobile Threat Defense vendor that integrates with Intune and feed its risk signal into Intune compliance + Entra Conditional Access. Microsoft lists the supported MTD partners (for example: Zimperium, Lookout, Check Point Harmony Mobile, CrowdStrike Falcon for Mobile, Jamf MTD, Pradeo, BlackBerry Protect Mobile, Better Mobile, iVerify, etc.).
Practical recommendation:
- Choose one MTD vendor per platform (Microsoft explicitly recommends this to avoid devices being marked noncompliant because multiple agents are required). https://learn.microsoft.com/en-us/intune/intune-service/protect/mobile-threat-defense
- Wire it into device compliance (MTD threat level rule) and then enforce with Conditional Access (https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance).
Quick question so people can answer you accurately: are your SDM devices Android, iOS/iPadOS, or both? (Android SDM tends to be the common case.)
Hi buddy
This is great info.
The devices are Android Entra Shared Device Mode.
Do you happen to know which MTD would be the easiest to configure on SDMs, especially with regard to setting Android permissions?
Stuart