Intune App Protection in Edge for Business on Windows

Introduction: why this matters

For many organizations, the browser has become the primary workspace for SaaS apps, internal portals, and AI tools. But when contractors use Windows PCs that are already enrolled in another organization’s tenant, traditional “manage the whole device” approaches don’t work—creating data protection blind spots. Microsoft’s latest updates shift protection from the device to the work context in the browser, aligning Edge for Business, Entra, Intune, and Purview.

What’s new

1) Intune APP support for Edge for Business work profiles on agency-managed PCs (Public Preview)

Edge for Business now extends Intune app protection policies to the Edge work profile on Windows devices managed by a different organization.

Key capabilities:

• Browser-level protection boundary: Apply APP directly to the Edge for Business profile so corporate data is handled within a managed work context.
• No full device enrollment required: Contractors can access corporate resources without your tenant taking device ownership or conflicting with the home agency’s management.
• Tenant-scoped controls in the browser: Options include redirecting downloads to OneDrive for Business, restricting copy/paste, and enforcing data boundaries within the managed Edge profile.

2) Simplified onboarding via updated Entra sign-in flow in Edge on Windows

Microsoft Entra improvements modernize the registration experience and reduce unintended enrollment scenarios.

Highlights:

• Clearer registration guidance: Users get better prompts distinguishing account registration from device enrollment.
• Prevent accidental MDM enrollment: Admins can enable “Disable MDM enrollment when adding work or school account” to block device-enrollment prompts and route users into the APP-based approach instead.

3) Inline Microsoft Purview DLP in Edge for Business—without device onboarding

Purview Data Loss Prevention is built into Edge for Business and applies to the user’s work profile, helping protect sensitive data even when the Windows PC is unmanaged by your organization.

Purview DLP in Edge for Business can:

• Detect/control sensitive actions like uploads, downloads, copy/paste, and printing across browser-based apps.
• Extend protection to unenrolled cloud apps, helping reduce oversharing during web workflows.
• Reduce leakage while maintaining productivity (controls focus on risky actions vs. blocking site access).

Impact on IT admins and end users

• Admins can apply consistent data protection for external/contractor scenarios without negotiating device enrollment or causing cross-tenant management conflicts.
• Users/contractors get a more predictable sign-in and onboarding experience, with protections confined to the work profile rather than the whole PC.

Action items / next steps

1. Evaluate the public preview for Intune APP in Edge for Business work profiles on agency-managed Windows PCs and identify contractor use cases (high-risk web apps, data types, and workflows).
2. In Entra, review and consider enabling Disable MDM enrollment when adding work or school account to reduce accidental device enrollment prompts.
3. Pilot Purview DLP in Edge for Business for key browser actions (download/upload/copy/print) and validate policy behavior across both managed and unmanaged cloud apps.
4. Use Microsoft’s deployment guidance (“Secure Your Corporate Data in Intune with Microsoft Edge for Business”) to map controls to your target tier (Basic/Enhanced/High) and avoid overlapping/conflicting policies.