JMSHW0420 (Iron Contributor)
Apr 05, 2023
Connecting data from Microsoft 365 Defender to Microsoft Sentinel
I understand Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and that they group together, and are enriched by, alerts from Microsoft 365 Defender's component services: Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, etc.
One thing I want to clarify: is there ever a need to onboard and connect each individual related connector as well, such as Microsoft Defender for Endpoint or Microsoft Defender for Identity, etc.?
- Clive_Watson (Bronze Contributor)
Source: Connect Microsoft 365 Defender data to Microsoft Sentinel | Microsoft Learn
See line #1 from the note.
- natehutch (Brass Contributor)
Clive_Watson - Don't suppose you are aware of any issues with the Microsoft Defender connector in Sentinel, are you? It's worked fine for me since preview, but now I get the following error on the MDE and M365 Defender connectors.
I came across the following article, which suggests it's something to do with the classic CA policy created when Intune is connected to the Defender portal: "AADSTS50131: Device is not in required device state: known. Or, the request was blocked due to suspicious activity, access policy, or security policy decisions with WDATP | Liebensraum". I've seen another MSFT doc suggesting you should NOT delete this policy but instead you can exclude users. Any thoughts?