Forum Discussion

mrboxx's avatar
mrboxx
Brass Contributor
Nov 13, 2020

Classic Conditional Access Policy for Defender ATP

When Defender is first enabled, something in the sequence creates a classic conditional access policy in Azure AD called "Windows Defender ATP] Device policy". This is strange because it's not docume...
mrboxx's avatar
mrboxx
Brass Contributor
Nov 18, 2020

After a lot of digging and opening a case here's the answer.

 

These classic conditional access polices are created by the linkage between intune and defender ATP. They are classic policies, are important, should not be changed, must not be deleted and cannot be converted to modern CA policies. Similar policies will be created other similar MTD solutions.

 

To solve my problem (unable to pass device code auth to the defender APIs due to these policies blocking authentication), I have modified the classic policy to not apply to the specific users that require API access, after confirming that these users will not be registering devices associated with  intune/defender. I've seen some discussion posts (on other forums) where people have deleted the classic policies on the assumptions they are irrelevant - which I think is a mistake.

 

This is the applicable doc

https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmem%2Fintune%2Fprotect%2Fadvanced-threat-protection-configure&data=04%7C01%7CHUW.LYNCH%40woodside.com.au%7Cdce30e850ba44611ff2108d88a7cfc26%7Ca3299bbaade64965b011bada8d1d9558%7C0%7C0%7C637411616709644656%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2FX%2FpYKzOM5IR4ZFLMYId9LCzSE9S5U%2FFGpV%2BKZt5xYQ%3D&reserved=0

 

“When you integrate a new application to Intune Mobile Threat Defense and enable the connection to Intune, Intune creates a classic conditional access policy in Azure Active Directory. Each MTD app you integrate, including https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmem%2Fintune%2Fprotect%2Fadvanced-threat-protection&data=04%7C01%7CHUW.LYNCH%40woodside.com.au%7Cdce30e850ba44611ff2108d88a7cfc26%7Ca3299bbaade64965b011bada8d1d9558%7C0%7C0%7C637411616709634663%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=wua69wJuEom%2BtTFadBRm6uv%2B756sgEz0HvaOtayxhOg%3D&reserved=0 or any of our additional https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-gb%2Fmem%2Fintune%2Fprotect%2Fmobile-threat-defense%23mobile-threat-defense-partners&data=04%7C01%7CHUW.LYNCH%40woodside.com.au%7Cdce30e850ba44611ff2108d88a7cfc26%7Ca3299bbaade64965b011bada8d1d9558%7C0%7C0%7C637411616709644656%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tgDZga5WueZ4ivAbVzI1XhuGUXdibokLQposuWVrWOY%3D&reserved=0, creates a new classic conditional access policy. These policies can be ignored, but should not be edited, deleted, or disabled.”

 

“Its not supported to migrate classic policies for MTD apps to the new policy type for conditional access.”

 

 

Resources