Microsoft Defender for Mobile app & Conditional Access policies - The great conundrum!


Back in 2022, I had blogged about MDE onboarding for Android and iOS and my experience dealing with Conditional access policies. Recently, I implemented the solution for a customer and experienced similar behavior, so decided to write about it.

Basically, the behavior involves MDE onboarding getting blocked due to enforcing of Conditional Access (CA) policies for conditions like Device compliance state, App Protection Policies (APP). 

Now, according to Microsoft, excluding MDE from CA policies shouldn't be required - 


However, on a different official link, Microsoft also states that -

"Microsoft Defender Mobile app is a security app that needs to constantly be running in the background to report the device security posture. This security posture is used in the Compliance and App Protection policies to secure the managed apps and ensure that corporate data is accessed only in a secured device. However, with restrictive Conditional Access policies such as having Block policies based on certain locations, or enforcing frequent sign ins can result in Defender blocked from reporting posture. If the Defender app fails to report the device posture this can lead to situation where the device is under a threat, leading to vulnerability of corporate data on the device. To ensure seamless protection, we recommend excluding the Defender app from the blocking Conditional Access Policy."

The highlighted lines above are the ones to focus on. MDE still runs as Microsoft Defender Mobile app on iOS and Android devices, which would explain the behavior I have been experiencing lately.



The solution..

Luckily now there is a way to exclude Microsoft Defender for Mobile app from CA policies. It requires excluding the following apps:

1. Xplat Broker App - It is the application responsible for forwarding Defender risk signals to the Defender backend. The App is also used by other platforms like Mac and Linux, so if the policy is same for these platforms, then my advice is to create a separate Conditional Access policy for Mobile OS platforms.

2. TVM app - It is the service that provides the vulnerability assessment for the installed apps on the iOS devices.

Both these apps are not registered in Azure by default and require additional steps for registration which involves creating service principles. At a minimum, you need the following roles and permissions assigned -

Entra roles -

- Application Administrator
- Cloud Application Administrator

Run the following commands to create the service principles -

Import-Module Microsoft.Graph.Applications 

(Note: In case you receive an error stating that module is not found, then run Install-Module to install the module first)

Connect-MgGraph

(Note: In case this is your first time connecting, then you may have to give consent.)


$params = @{
appId = "a0e84e36-b067-4d5c-ab4a-3db38e598ae2"
}

New-MgServicePrincipal -BodyParameter $params

$params = @{
appId = "e724aa31-0f56-4018-b8be-f8cb82ca1196"
}

New-MgServicePrincipal -BodyParameter $params


The applications were created in Azure.



I then excluded the apps in the CA policy in question and was able to finish the MDE enrolment.


Until next time..

Comments

  1. Great post and visit CMOLDS one of the leading best mobile app development company specializing in this domain.

    ReplyDelete
  2. Great content. Thanks for sharing this valuable perspective.
    Leadership Training for Managers

    ReplyDelete
  3. If you get an error 403 when entering the commands, try Connect-MgGraph -Scopes Application.ReadWrite.All when connecting.

    Excellent article, many thanks for it!!!

    ReplyDelete
  4. This article is a gem! I appreciate the detailed research you put into it. It’s refreshing to see such thoroughness!

    ReplyDelete
  5. Rahul, you are amazing! You will not believe how happy I am. Your article saved me countless hours of dealing with non-compliant devices. Had a case open at Microsoft which bounced for several months between their teams. And you solved it. Many, many thanks for this!!!

    ReplyDelete
  6. I have bookmarked your blog, the articles are way better than other similar blogs. certificazioni di sistema iso

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Prevent users from running certain programs or applications on Windows endpoints using Intune

Intune: Configure Printers for Non-Administrative Users