Forum Discussion
Classic Conditional Access Policy for Defender ATP
When Defender is first enabled, something in the sequence creates a classic conditional access policy in Azure AD called "Windows Defender ATP] Device policy". This is strange because it's not documented and Classic Policies are heavily depreciated.
I found out about it because this policy blocked sign-ins when attempting to create a device-code client script using the Defender ATP APIs. Sign-ins were failing on a conditional access condition, but it wasn't obvious which policy it was until we checked classic policies. The block was happening because device enrolment was required.
This same problem is described in more detail here https://www.techmymind.net/post/defender-atp-and-powerbi-authentication-failure-with-conditional-access - although the author couldn't figure out what to do with the policy so just excluded specific users from the policy.
I'd like to delete this policy and replace it with a modern policy. However, the UI for classic policies doesn't tell you what the policy is doing - it looks like it has no conditions configured. If you look at the JSON the azure portal is sending to the page it has this RequiredDeviceState:["known"].
Has anyone figured out what the appropriate modern CA policy should be? Could be some combination of hybrid / managed / compliant.
- mrboxxBrass Contributor
After a lot of digging and opening a case here's the answer.
These classic conditional access polices are created by the linkage between intune and defender ATP. They are classic policies, are important, should not be changed, must not be deleted and cannot be converted to modern CA policies. Similar policies will be created other similar MTD solutions.
To solve my problem (unable to pass device code auth to the defender APIs due to these policies blocking authentication), I have modified the classic policy to not apply to the specific users that require API access, after confirming that these users will not be registering devices associated with intune/defender. I've seen some discussion posts (on other forums) where people have deleted the classic policies on the assumptions they are irrelevant - which I think is a mistake.
This is the applicable doc
https://docs.microsoft.com/en-gb/mem/intune/protect/advanced-threat-protection-configure
“When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Azure Active Directory. Each MTD app you integrate, including Microsoft Defender ATP or any of our additional MTD partners, creates a new classic conditional access policy. These policies can be ignored, but should not be edited, deleted, or disabled.”
“Its not supported to migrate classic policies for MTD apps to the new policy type for conditional access.”
- jamesglaves-bjssCopper Contributor
They can now safely be removed...
Classic Conditional Access Policy for Defender ATP - Microsoft Community Hub