Unboxing Microsoft Defender for Business, Part 4: Integration with MEM and Conditional Access
Welcome back to this series! Microsoft Defender for Business (MDB) is a huge product with lots of ground to cover. So far we have discussed the Simplified configuration process, Threat & Vulnerability Management, and Attack Surface Reduction Rules.
Since we began our series an exciting thing has happened: MDB has been released into the Microsoft 365 Business Premium SKU. This announcement was made along with another, which is related: General Availability of Microsoft 365 Lighthouse for partners (including some important announcements about GDAP). These are big steps forward for those of us who service SMB organizations in the Microsoft cloud.
But for today, we are going to return our focus to Microsoft Defender for Business and discuss how we can integrate signals from our EDR with Conditional Access. What this means is that we can leverage data from MDB to determine whether or not our endpoints are “healthy enough” to access corporate resources like email and files in Office 365. If the threat level is determined to be too high, then access can be rescinded until the device has been cleared of threats.
Step 1. Prepare MEM to integrate with MDB
Some of these items may already be switched on in your tenant, but it is a good idea to double-check, and get them set correctly if not. In Part 1 of this series, we already checked Endpoints > Advanced features in the Microsoft 365 Defender Settings area, so we should be good there. Next, navigate to the Microsoft Endpoint Manager portal (https://endpoint.microsoft.com).
Go to Endpoint security, then under Setup find Microsoft Defender for Endpoint. Switch every option to On if it isn’t already. Be sure to Save your selections on this screen.
Step 2. Configure compliance policies
Next we are going to visit Device compliance.
If you want users to receive a notification, then go to the Notifications page from the left navigation and add a notification that you can use with your compliance policy.
In this example I have named the notification: “Device is above acceptable risk threshold” with a simple message for the end user about contacting IT Support for immediate resolution. You should customize your own message to fit your situation.
Return to Compliance policies to create new policies: one for each device platform that you intend to support (unless you plan to cover mobile devices via MAM in which case you can skip those platforms for now).
Starting with Windows 10 and later devices, we will give this policy a name and description that makes sense. On the Compliance settings page, expand the Microsoft Defender for Endpoint option.
I have set this option to Clear in the above example, which means that the device must be free of threats or it will be marked noncompliant. You can also choose Low, Medium, or High as the “risk score” threshold; the threshold is the maximum risk level a device may carry and still be compliant (so selecting High would mean that any threat level keeps the device in a compliant state, which is obviously not recommended). Read more about how Defender ranks threat severity here.
On the Actions for noncompliance page you can decide whether to include a grace period (delay), and whether to include other actions such as Send email to end user (selecting the template you created above).
Note: In my experience, sometimes a short grace period for Mark device noncompliant can be a good thing. For example, in the event of a false positive or something relatively simple that can be handled by Automated Investigation and Remediation (AIR), the device will return to Clear status on its own.
Click through to Assignments and finish setting up your policy (consider starting with a pilot group and running them on this configuration for at least a week before moving to All users). Again, you can create a policy like this for every device platform that you intend to support.
Step 3. Configure App Protection Policies (optional)
For mobile devices, remember that we have two options: we can either enforce policies via MDM (full device-based management) or use a lightweight app-based management model (MAM). If you are taking advantage of this latter type of policy, then know that it is also possible to integrate it with MDB’s threat status.
Recall that screen from step 1 (Endpoint security > Setup Defender for Endpoint); down toward the bottom of that page are the options to enable MAM integration for iOS and Android.
Assuming these are on, then you can configure the corresponding settings in your MAM policies (Apps > App protection policies). Specifically, on the Conditional launch screen, you will want to scroll down to the Device conditions area, and configure the setting called Max allowed device threat level.
In this example I want it to behave similarly to my device-based compliance policies, so I will choose “Secured” (which is the same as Clear in the compliance policies), and set the Action to Block access.
Step 4. Configure Conditional Access
Before you deploy a Conditional Access policy to enforce the new compliance requirements, you should be sure that the users and devices you have targeted are showing up as compliant in the Microsoft Endpoint Manager portal. As well, users should have the Company portal app and the Defender app installed on their mobile devices.
Once you know for certain that your devices are reporting in and compliant (and therefore unlikely to be negatively impacted by a device-based CA policy), then you can proceed to the final step.
When you’re ready, navigate to Endpoint security > Conditional Access. Create a new policy and give it an appropriate name. Target the same (licensed) users that you did with the compliance policies and app protection policies in the previous steps (and always be sure to exclude at least one emergency access account). Under Cloud apps or actions, select just one cloud app for now: Office 365.
Under Access controls > Grant, select Require device to be marked as compliant as well as Require app protection policy. Then down below use the option Require one of the selected controls. This means that access to Office 365 will only be granted if the device can satisfy the requirements of the device-based compliance policies (clear of threats), or the app-based protection policies (which require mobile devices to be clear of threats).
Note: As regards other Conditions in the policy, this is dependent on your situation. For example, do you want to apply this access control only for Mobile apps and desktop clients, or do you want it to apply to access requests that take place via web browsers also? You could also construct this as two policies, with one targeting just iOS and Android devices with the App protection requirement, and another for Windows/macOS that enforces compliance. The policy I show here just does both in one with no additional conditions.
You can Create and enable the policy to finish.
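As an added example (not from the original post), here is the step 4 pre-check and the Conditional Access policy described above expressed with the Microsoft Graph PowerShell SDK, created in report-only state so you can confirm its impact before enabling it. It assumes the Microsoft.Graph module is installed; the pilot group and emergency access account object IDs are placeholders you must replace.

```powershell
# Added example, not the original post's content. Requires the Microsoft.Graph module and
# an account that can read Intune devices and write Conditional Access policies.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'Policy.ReadWrite.ConditionalAccess',
                        'Application.Read.All'

# Step 4 pre-check: every targeted device should already report as compliant before a
# device-based CA policy is enforced. inGracePeriod devices will flip to noncompliant later.
$devices      = Get-MgDeviceManagementManagedDevice -All
$notCompliant = $devices | Where-Object { $_.ComplianceState -ne 'compliant' }
$notCompliant |
    Select-Object DeviceName, OperatingSystem, UserPrincipalName, ComplianceState, LastSyncDateTime |
    Format-Table -AutoSize
if ($notCompliant.Count -gt 0) {
    Write-Warning "$($notCompliant.Count) device(s) are not compliant yet; investigate before enforcing."
}

# Placeholders: replace with the object IDs of your pilot group and emergency access account.
$pilotGroupId      = '<pilot-group-object-id>'
$emergencyAccessId = '<emergency-access-account-object-id>'

# The policy from step 4: Office 365 only, no extra conditions, and "Require one of the
# selected controls" (compliant device OR app protection policy), expressed as grantControls.
$policy = @{
    displayName   = 'Require compliant device or app protection for Office 365'
    state         = 'enabledForReportingButNotEnforced'   # report-only until the pilot checks out
    conditions    = @{
        users          = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($emergencyAccessId)         # always keep a break-glass account out
        }
        applications   = @{ includeApplications = @('Office365') }   # the Office 365 cloud app
        clientAppTypes = @('all')                          # browsers and mobile/desktop clients alike
    }
    grantControls = @{
        operator        = 'OR'                             # one of the controls is enough
        builtInControls = @('compliantDevice', 'compliantApplication')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Review the sign-in logs under Report-only for a while, then switch the policy's state to `enabled` once the pilot users show no unexpected blocks.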
At this point, when a user who is in the scope of these policies winds up in a situation where one of their devices is compromised by some threat according to MDB, then access to Office 365 will be suspended until the device can be remediated.
In some cases this happens automatically due to Automated Investigation and Remediation (AIR should be on by default in MDB) or because of a temporary false positive. In other cases there may be serious follow-up required, and it may even be best to Autopilot reset or factory reset an infected device and then run scans across other devices to restore confidence in the environment.
But at the end of the day, now you have a solution that you can take to your customers that is unlike any other you’ve had before: when Defender’s telemetry determines a device may be at risk, then your user will be alerted, and access to corporate data and resources can be automatically rescinded if the threat is unresolved within a very short period. This reduces “dwell time” and lowers your overall risk. That’s a pretty compelling statement, I think.
Now, one last note: Microsoft has not released the “standalone” version of MDB at this point (just the one bundled in Microsoft 365 Business Premium). I do not expect this feature to be included with standalone, since it requires additional licensing such as Azure AD Premium P1 and Microsoft Intune/Endpoint Manager (both of which are found in Business Premium). So keep that in mind in case it applies to your situation.
Cheers. Until next time!