Defender on Android & iOS prompting users to sign in to activate protection

Crossley, Erik G 5 Reputation points
2024-01-19T20:30:34.2266667+00:00

MS Defender on our Android & iOS devices has seemingly been working fine for several months, up until we began testing a Conditional Access Policy with a pilot group which targets all platforms, All Cloud Apps, requires MFA, & enforces a 7 day session control. Users in this pilot who are in scope of this policy receive a notification prompt from Defender indicating they need to sign back in to activate protection. After tracking this behavior, the prompt seems to coincide with the 7 day session control. If the session expires & users don't immediately renew it with a single & second factor login upon opening any of the M365 mobile apps, this notification for Defender appears in the mobile OS's native notification area. Signing in to reactivate Defender works perfectly fine, albeit followed by a brief delay during which App Security, Web Protection, or Network Protection don't all re-enable immediately, though they eventually do. This article (https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide) suggests there's no exclusion required for Defender within conditional access policies, but in our case, the policy is seemingly related to the issue.


Pinaki Ghatak 4,610 Reputation points Microsoft Employee
2024-01-19T20:38:47.2766667+00:00

    Hello Erik. This behavior is observed when the session expires, and users don’t immediately renew it with a single & second factor login upon opening any of the M365 mobile apps.

    Based on the information you have mentioned, it’s important to note that only Intune enrolled devices are supported for Conditional Access in Microsoft Defender. If you have any devices that are not enrolled in Intune, they might be causing this issue.

    There’s also a discussion in the Microsoft Community about a similar issue. It mentions that classic conditional access policies are created by the linkage between Intune and Defender ATP. These policies are important, should not be changed, must not be deleted, and cannot be converted to modern CA policies.

    To solve a similar problem, the user modified the classic policy to not apply to specific users that require API access. I recommend checking if your devices are properly enrolled in Intune and considering the information about classic conditional access policies. Does this answer your question?
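The pilot policy the question describes (pilot group, all platforms, all cloud apps, MFA required, 7 day sign-in frequency) and the Intune enrollment check the answer recommends, written out with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original thread or from Microsoft. The pilot group ID and policy display name are placeholders, creating the policy in report-only mode is a choice made here (the original was enforced), and the OS name values in the device filter are assumed to match how Intune reports Android and iOS.

```powershell
# Added example, not part of the original thread. Assumes the Microsoft Graph PowerShell
# modules Microsoft.Graph.Identity.SignIns and Microsoft.Graph.DeviceManagement are
# installed and the signed-in account is consented to the scopes requested below.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'DeviceManagementManagedDevices.Read.All'

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object ID of the pilot group

# 1. The policy as described in the question. Created in report-only mode here (an assumption,
#    the thread's policy was enforced) so its effect on the Defender re-authentication prompt
#    can be observed in the sign-in logs before it blocks anyone.
$policy = @{
    displayName = 'Pilot - Require MFA, 7 day sign-in frequency'   # placeholder name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = @('All') }   # All Cloud Apps
        platforms      = @{ includePlatforms = @('all') }      # all platforms
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        # The 7 day session control: re-authentication with first and second factor every 7 days.
        signInFrequency = @{
            isEnabled          = $true
            value              = 7
            type               = 'days'
            frequencyInterval  = 'timeBased'
            authenticationType = 'primaryAndSecondaryAuthentication'
        }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# 2. List every Conditional Access policy that imposes a sign-in frequency, with its interval,
#    so the recurring Defender prompt can be matched against the policy that causes it.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.SessionControls.SignInFrequency.IsEnabled } |
    Select-Object DisplayName, State,
        @{ n = 'SignInFrequency'; e = { "$($_.SessionControls.SignInFrequency.Value) $($_.SessionControls.SignInFrequency.Type)" } } |
    Format-Table -AutoSize

# 3. The enrollment check from the answer: Android and iOS devices Intune knows about, with
#    compliance state and management agent. A pilot user's phone that is missing from this
#    list is not Intune enrolled, which the answer names as a possible cause.
Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Android' or operatingSystem eq 'iOS'" |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, ManagementAgent, EnrolledDateTime |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize
```

Because the policy is created in report-only mode, nothing is enforced; the Entra sign-in logs then show, per sign-in, whether the policy would have required re-authentication, which lets the 7 day interval be correlated with the Defender "sign in to activate protection" notification before switching the policy to enabled.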

