How to Setup MAM for Edge on Windows Using Microsoft Intune

MAM for Windows on Edge allows administrators to ensure devices are healthy and secure before they access your organisation’s data, all while the device is unmanaged (not managed through Microsoft Intune). This means that some policies, similar to those already supported by Android and iOS, can also be applied to Windows devices using the Microsoft Edge browser. By combining MAM for Windows with Conditional Access, you can create a simple and secure solution for accessing data on personal (unmanaged) Windows devices.

Note: this feature is currently in public preview

In this tutorial, I am going to show you how to set up MAM for Edge on Windows in Microsoft Intune and demonstrate the user experience.

Why use MAM for Windows?

MAM for Windows (or more specifically, MAM for Microsoft Edge on Windows) enables administrators to ensure users can securely access organisational data on devices that do not belong to the company. This helps the company keep costs down by not having to provide hardware to contractors (for example), while allowing existing staff to maintain flexible access to the resources they need to do their job.

MAM for Windows vs Microsoft Defender for Cloud Apps

By combining MAM for Windows and Microsoft Defender for Cloud Apps, you can create a more complete security solution to protect company data from being accessed through unmanaged devices. Using Conditional Access, you can also create a similar end-user experience with Defender for Cloud Apps as you can with MAM for Windows, so I thought it would be useful to explain the differences and how they should work together.

While MAM for Edge on Windows allows you to control access to company data without the device being managed through Intune, Microsoft Defender for Cloud Apps provides a different level of security.

To break this down, MAM manages the application on the device, and signals can be retrieved through the app to ensure the device meets a certain level of basic compliance, such as the operating system being up to date. Defender for Cloud Apps is an access broker (effectively a session proxy) that safeguards your data, rather than proxying all of your device’s traffic. Similar policies can also be applied, such as preventing copy and paste and data exfiltration from within the session.

MAM and Defender for cloud apps

Configure an App Protection policy for Windows using the Intune Portal

1. Start by logging in to the Microsoft Intune Admin Center.

2. Create a new App Protection policy by selecting Apps > App protection policies > Create policy > Windows.

New App Protection policies

3. When the new App protection policy wizard launches, on the first page, enter a meaningful name and click Next.

4. On the Apps page, click Select apps and choose Microsoft Edge. At the time of writing this article, Microsoft Edge is the only available application.

Select Microsoft Edge

5. On the Data protection tab, define the data transfer and functionality settings. In the screenshot below I have chosen the most restrictive settings available at the time. This will prevent users from transferring data in and out of the organisation’s context as well as preventing the copy and paste function and printing.

MAM for Windows - Data Protection

6. On the Health checks tab, configure the application and device conditions to meet your needs. The offline grace period settings define how long the app-managed device can remain ‘offline’ (not checked in) before access is revoked or the offline company data is deleted from the device. You can also configure the minimum supported Windows operating system to ensure that only supported versions of Windows can be used to access company data.

MAM health checks

7. Lastly on the Assignments tab, add an included group and click Next.

8. Finally on the Review + create tab, ensure your configuration is correct and click Create.

Secure with Conditional Access Policies

Conditional Access policies are used to require the MAM App Protection policy when Microsoft 365 services are accessed through the Microsoft Edge browser. Follow the steps below to create a Conditional Access policy for MAM for Windows.

1. Log in to Microsoft Entra, navigate to the Conditional Access policies blade and launch the new policy wizard: https://entra.microsoft.com/ > Protection > Conditional Access > Policies > New policy
New Conditional Access policy

2. Create a new policy with the following settings:

  • Name: MAM for Windows
  • Users: All users OR a specific group
  • Target resources: Cloud apps – Office 365
  • Conditions:
    • Device platforms: Include – Windows
    • Client apps: Browser
    • Filter for devices: Exclude – isCompliant Equals True
  • Grant: Require app protection policy
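The same policy expressed as a Microsoft Graph PowerShell call, as an added example that is not part of the original article. It assumes the Microsoft.Graph module is installed, the signed-in account can manage Conditional Access, and that you replace the placeholder object id; the policy is created in report-only mode so sign-in logs show who would be affected before you switch it to enabled.

```powershell
# Added example: create the "MAM for Windows" Conditional Access policy via Microsoft Graph.
# Assumes the Microsoft.Graph PowerShell SDK and a role allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName   = "MAM for Windows"
    # Report-only first: review the sign-in logs, then change to "enabled" once validated.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # Users: All users (swap for includeGroups with a group object id to scope it down).
        users          = @{
            includeUsers = @("All")
            # Placeholder: exclude your emergency-access (break-glass) account object id.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        # Target resources: the Office 365 resource group.
        applications   = @{ includeApplications = @("Office365") }
        # Conditions: Device platforms - Include Windows; Client apps - Browser.
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("browser")
        # Filter for devices: Exclude - isCompliant Equals True (Intune-managed devices are not affected).
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    # Grant: Require app protection policy.
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantApplication")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```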

The end user experience with MAM for Windows

Once MAM is deployed, the end user will be automatically directed through some steps when they next try to log in to Microsoft 365 with their corporate account.

Firstly, if the user attempts to sign in to Microsoft 365 online in a web browser other than Microsoft Edge, they will see the following message:

Attempt to login with Chrome

Once they are redirected to Microsoft Edge, they will then need to enter their username and password again on the Microsoft 365 login page, where they will then receive the following notice and will need to click Switch Edge profile.

Switch edge profile

A small popup window will appear at the top of the browser page prompting them to sign in to their work or school account. Their username may or may not already be listed above; either way, click Sign in to sync data and log in with your work email address and password.

It is also worth mentioning at this point that the user must be enabled for MAM enrollment and must not have any device compliance-based Conditional Access policies applied to them, as those may prevent them from signing in.

Sign in to sync data

On the final login, uncheck the option Allow my organization to manage my device and click OK. Doing this will ensure that your device is registered in Microsoft Entra. Do not click “No, sign in to this app only” as your device will not be registered.

Allow your device to be registered in Microsoft Entra

After this step, you will be redirected to your work profile in Microsoft Edge and the Microsoft 365 webpage will auto login. Depending on the health check settings configured in your Windows MAM policy, there may be some immediate warnings displayed after login. 

If the minimum OS in your App Protection policy is configured higher than your current OS and the policy is set to Block, you will be prevented from using your corporate Edge profile until the issue is resolved.

App access blocked

If the policy is only set to warn, you will get the following warning which you can clear, then you can continue to use your corporate Edge profile.

OS update warning

If you have enabled the setting that prevents copy and paste, you will also be presented with the following warning if you try to copy files from within Edge.

Copy prevention

And the same if you attempt to print.

Print prevention

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.

This Post Has 4 Comments

  1. Tobias

    I think this is a great feature to let external people access.
    With internal users, I’m not sure if you want them to sign in on their unmanaged device with the corporate user.
    Can we set that on the unmanaged devices Edge sync is not allowed to run?

    1. Daniel Bradley

      Yes, you will just need to make use of Conditional Access policies to meet your needs 🙂

  2. Nicola

    That’s a great feature, Bradley!
    Can we extend this approach also to Entra guests?

    To ensure, for example, that guests of a Team only access company data via the browser (no download/upload) to/from the unmanaged device.

    Nicola
