Edge for Business supports Intune App Protection (MAM) policies on Windows, including for users working on devices managed by a different tenant.
This capability allows organizations to apply data protection controls—such as clipboard restrictions, protected downloads, watermarking, and leak prevention—directly to Edge work profiles without requiring full device management. Policies are enforced through Microsoft Intune App Protection policies and Microsoft Entra Conditional Access, ensuring corporate data accessed through Edge remains governed by your tenant even in cross-tenant scenarios like contractors, partners, or mergers.
When configured, Edge automatically receives MAM policies after user enrollment and enforces protections consistently across supported features, while preserving a native browser experience for end users.
What this article covers
- How Entra Conditional Access, Intune App Protection, and Edge for Business enable MAM protections on Windows
- Supported scenarios and known limitations for Edge MAM, including cross-tenant devices
- Configuration steps for Conditional Access, App Protection policies, and user enrollment
Prerequisites
Licensing
- Microsoft Intune
- Microsoft Entra ID P1 or P2 (for Conditional Access)
Supported platforms
- Windows 10/11
- Microsoft Edge for Business version 147 or later
How Entra, Intune, and Edge for Business deliver protections

Microsoft Edge uses Microsoft Entra Conditional Access to require app protection when users access corporate resources. This requirement triggers Intune App Protection (MAM) enrollment for the Edge work profile, without enrolling the device.
Intune App Protection Policies define which data protections apply, and Edge enforces those protections directly in the browser, scoped only to organizational data. This enables secure access on unmanaged or cross-tenant Windows devices while leaving personal browsing unaffected.
Supported Scenarios and Known Limitations
| Limitation | Impact |
|---|---|
| Same-tenant managed devices | Devices managed by the same tenant aren't supported with the Conditional Access configuration described in this article. Users can't access Conditional Access–protected data in this configuration. |
| Endpoint DLP enabled on device | If device-level Endpoint DLP is enabled, Intune App Protection (MAM) policies cannot be applied to Edge work profiles on that device unless a policy is set to bypass this limitation. Otherwise, profile switching will not be available, and the added profile must be removed. |
How to verify whether Endpoint DLP is enabled on a device
- Open Microsoft Edge.
- Navigate to edge://edge-dlp-internals.
- On the Feature Status page, check the Provider Name field.
If the Provider State is set to Available and the provider is Endpoint DLP, device-level Endpoint DLP is enabled.
Example:
| Provider Name | Provider State |
|---|---|
| Endpoint DLP | Available |
The device-level Endpoint DLP block can be bypassed using the policy MAMWithDeviceDLPEnabled. This policy must be configured by the tenant managing the device. If using Edge version 148 or later, this policy is configurable via Intune. If using Edge version 147, you can use group policy or the registry to set the policy.
Configuration Steps
Step 1: Conditional Access Policy Requiring APP
In the Entra admin center (entra.microsoft.com):
Go to Conditional Access → Create new policy
Create a Conditional Access policy that requires app protection for Edge access:
| Setting | Value |
|---|---|
| Users | Target users or groups |
| Cloud apps | Office 365 (or other protected resources) |
| Client apps | Browser |
| Device platform | Windows |
| Grant access | Require App Protection policy |
Not supported
- “Require compliant device” (users will be blocked from MAM enrollment)
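The Step 1 settings can be checked mechanically once the policy is exported as JSON. The following is an added example, not Microsoft's code: it assumes the policy uses the Microsoft Graph conditionalAccessPolicy shape, the mapping from the table rows to those fields is an assumption, and the function name and sample policies are constructed for illustration.

```python
# Added example. Field names follow the Microsoft Graph conditionalAccessPolicy
# resource; the mapping from the Step 1 table to those fields is an assumption.

def lint_edge_mam_policy(policy):
    """Return a list of findings; an empty list means the policy matches Step 1."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    platforms = cond.get("platforms") or {}
    controls = set((policy.get("grantControls") or {}).get("builtInControls") or [])
    findings = []

    if not (users.get("includeUsers") or users.get("includeGroups")):
        findings.append("Users: no target users or groups")
    if not apps.get("includeApplications"):
        findings.append("Cloud apps: no protected resource selected")
    if "browser" not in (cond.get("clientAppTypes") or []):
        findings.append("Client apps: Browser is not selected")
    if "windows" not in (platforms.get("includePlatforms") or []):
        findings.append("Device platform: Windows is not selected")
    if "compliantApplication" not in controls:
        findings.append("Grant: 'Require app protection policy' is missing")
    if "compliantDevice" in controls:
        findings.append("Grant: 'Require compliant device' blocks MAM enrollment")
    return findings

# Constructed sample policies (the group id is a placeholder, not a real object id).
GOOD_POLICY = {
    "displayName": "Edge MAM - Windows browser",
    "conditions": {
        "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["browser"],
        "platforms": {"includePlatforms": ["windows"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
}
BAD_POLICY = {
    "displayName": "Edge MAM - misconfigured",
    "conditions": {
        "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
        "applications": {"includeApplications": ["Office365"]},
        "clientAppTypes": ["mobileAppsAndDesktopClients"],
        "platforms": None,  # no platform condition set
    },
    "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"]},
}

if __name__ == "__main__":
    for p in (GOOD_POLICY, BAD_POLICY):
        print(p["displayName"], "->", lint_edge_mam_policy(p) or "OK")
```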
Step 2: Configure an App Protection Policy
In the Intune admin center:
- Go to Apps → Protection → Create → Windows
- Create an App Protection policy for Windows. Under Apps, select Microsoft Edge.
- Configure data protection settings as needed (see here).
- Assign the policy to the same user group targeted by the Conditional Access policy created in step 1.
- Review and create the new policy.
Reference: Secure your corporate data in Intune with Microsoft Edge for Business
Step 3: Enrolling a user’s Edge profile in MAM
User Steps
- Open Microsoft Edge on the managed device.
- Navigate to a corporate resource (for example, SharePoint or internal site).
- Attempt to sign in to the resource using corporate credentials.
- Encounter a Conditional Access block.
- Follow the prompt to switch Edge profile.
- Complete the sign-in flow and accept any prompts.
  Important: Select Yes in the dialog prompt.
- After sign-in, Edge will start receiving MAM policies automatically.
At this stage, users are enrolled in MAM and Edge for Business can apply app protection policies. To control how organizational data is handled within the browser — including clipboard access, downloads, and data sharing between apps — you must configure data protection settings in the Edge Management Service and Intune. See here to define these controls.