Microsoft Defender for Endpoint on Android
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender XDR
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
This article describes how to install, configure, update, and use Defender for Endpoint on Android.
Caution
Running other non-Microsoft endpoint protection products alongside Defender for Endpoint on Android is likely to cause performance problems and unpredictable system errors.
How to install Microsoft Defender for Endpoint on Android
Prerequisites
For end users:
- The end user must be assigned a Microsoft Intune license. For more information on how to assign licenses, see Assign licenses to users.
- The users of the app must be assigned a Microsoft Defender for Endpoint license. For more information on how to assign licenses, see Microsoft Defender for Endpoint licensing requirements.
- The Intune Company Portal app can be downloaded from Google Play and is available on the Android device.
- Additionally, devices can be enrolled via the Intune Company Portal app to enforce Intune device compliance policies.
For Administrators:
- Access to the Microsoft Defender portal.
- Access to the Microsoft Intune admin center to:
  - Deploy the app to enrolled user groups in your organization.
  - Configure Microsoft Defender for Endpoint risk signals in app protection policy.
Note
- Microsoft Defender for Endpoint now extends protection to organizational data within a managed application (MAM) for devices that aren't enrolled using mobile device management (MDM), but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for mobile application management (MAM).
- In addition, Microsoft Defender for Endpoint already supports devices that are enrolled using Intune mobile device management (MDM).
Network Requirements
- For Microsoft Defender for Endpoint on Android to function when connected to a network, the firewall/proxy must be configured to enable access to Microsoft Defender for Endpoint service URLs.
System requirements
The Intune Company Portal app should be downloaded from Google Play and installed for seamless onboarding. Device enrollment is required for Intune device compliance policies to be enforced.
Mobile phones and tablets running Android 8.0 and above. (Note: Microsoft Defender is ending support for Android 8, 8.1, and 9 on April 30, 2025. After that, devices running Android versions earlier than 10 won't be supported.)
What does this mean for devices running an unsupported Android version?
New users: The application is no longer available for new installations on devices running unsupported versions. When users with unsupported versions attempt to download the Microsoft Defender app, the Google Play store notifies them that the device is incompatible.
Existing users: The Microsoft Defender app continues to function for existing users on unsupported versions, but they don't receive updates from the Google Play store because they don't meet the minimum SDK version requirements. Therefore, any new updates on the app aren't available to devices running unsupported versions. Microsoft no longer addresses bugs or provides maintenance for unsupported operating system versions. Any issues occurring on devices running on unsupported versions aren't investigated.
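The following sketch shows one way to triage a device inventory against the support policy described above. It is an added example, not Microsoft code; the inventory row layout, the status labels, and the function names are assumptions made for illustration.

```python
from datetime import date

# Values taken from this article: the minimum was Android 8.0; support for
# Android 8, 8.1 and 9 ends on April 30, 2025, after which 10 is the minimum.
CUTOFF = date(2025, 4, 30)
MIN_MAJOR_BEFORE, MIN_MAJOR_AFTER = 8, 10


def android_major(os_version):
    """Return the major Android version from strings like '8.1.0' or 'Android 13'."""
    for token in os_version.replace("Android", " ").split():
        head = token.split(".")[0]
        if head.isdigit():
            return int(head)
    return None  # unparseable: the caller flags the device for manual review


def support_status(os_version, has_defender, today):
    """Classify one device (status labels are hypothetical, chosen for this example)."""
    major = android_major(os_version)
    if major is None:
        return "review"
    minimum = MIN_MAJOR_AFTER if today > CUTOFF else MIN_MAJOR_BEFORE
    if major >= minimum:
        return "supported"
    # Below the minimum: an existing install keeps running without updates
    # or fixes; a new install is blocked by Google Play as incompatible.
    return "unsupported-no-updates" if has_defender else "unsupported-cannot-install"


def triage(inventory, today):
    """Map device name -> status for rows of (name, os_version, has_defender)."""
    return {name: support_status(ver, has, today) for name, ver, has in inventory}


# Constructed sample inventory (not a real Intune export format).
SAMPLE = [
    ("pixel-a", "14", True),
    ("tab-b", "9", True),
    ("phone-c", "8.1.0", False),
    ("phone-d", "Android 10", False),
    ("kiosk-e", "unknown", True),
]

if __name__ == "__main__":
    for device, status in triage(SAMPLE, date(2025, 6, 1)).items():
        print(f"{device}: {status}")
```

Devices reported as unsupported-no-updates are the ones to prioritize for an OS upgrade or replacement, since the installed app no longer receives updates or fixes.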
Note
Microsoft Defender for Endpoint on Android isn't supported on userless or shared devices.
Installation instructions
Microsoft Defender for Endpoint on Android supports installation on both modes of enrolled devices - the legacy Device Administrator and Android Enterprise modes. Currently, Personally-owned devices with work profile, Corporate-owned devices with work profile, and Corporate-owned fully managed user device enrollments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.
Deployment of Microsoft Defender for Endpoint on Android is via Microsoft Intune (MDM). For more information, see Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune.
For installation of Microsoft Defender for Endpoint on devices that aren't enrolled using Intune mobile device management (MDM), see Configure Microsoft Defender for Endpoint risk signals in app protection policy (MAM).
Note
Microsoft Defender for Endpoint on Android is available on Google Play now.
You can connect to Google Play from Intune to deploy the Microsoft Defender for Endpoint app across Device Administrator and Android Enterprise enrollment modes.
Required permissions
To ensure optimal protection for your device, Microsoft Defender requests access to the following permissions during the device onboarding process:
- Storage Access: This permission enables Microsoft Defender to access your device's storage in order to detect and remove any malicious or unwanted apps.
- VPN Setup: Microsoft Defender sets up a local VPN to provide web protection. Microsoft respects your privacy and doesn't view your browsing content.
- Display Over Other Apps: This permission enables Microsoft Defender to alert you when malicious network activity is blocked.
- Accessibility: This feature enhances your browsing experience by providing added security.
- Permanent Protection: To ensure continuous protection, Microsoft recommends keeping the Microsoft Defender app active while running in the background. This helps prevent Android from stopping the app to improve battery life, thereby ensuring your device remains well protected.
- Location Access: The Microsoft Defender app uses your location to help secure your Wi-Fi network and enhance device protection.
How to resolve the noncompliance state due to silent auth failures
Microsoft Defender for Endpoint lets users sign in according to a set of policies called Conditional Access policies. If a policy is violated, the Microsoft Defender app automatically signs the user out, and silent authentication (sign-in attempts in the background) starts failing. As a result, the device is shown as noncompliant in the Intune portal. The user can return the device to compliant status by signing in again.
The user receives a notification (as shown in the following scenarios) asking them to sign in. The user can tap the notification or open the Microsoft Defender app and sign in. Signing in results in a successful, interactive authentication and causes the Intune portal to show the device as compliant.
Scenario 1: The following experience occurs when MFA is configured by the admin through a Conditional Access policy:
Scenario 2: The following experience occurs when MFA is not configured by the admin through a Conditional Access policy:
How to configure Microsoft Defender for Endpoint on Android
For information on how to configure Defender for Endpoint on Android features, see Configure Microsoft Defender for Endpoint on Android features.
Related articles
Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
Configure Microsoft Defender for Endpoint on Android features
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.