Let’s paint the scene.

A user shows up with a personal Windows laptop and wants access to email, SharePoint, Teams on the web, and the rest of Microsoft 365. Meanwhile, you are staring at that device thinking, “There is absolutely no chance I am enrolling this thing into MDM.”

Honestly, that is a fair reaction.

BYOD usually lands people in one of two camps. The first says, “No corporate access on personal devices at all.” The second says, “We can allow some access, as long as the guardrails are strong.” Personally, I tend to lean toward keeping corporate access off BYOD whenever possible. Still, after working with a wide range of customers, I have seen plenty of environments that need a practical middle ground.

That is where Windows MAM with Edge for Business steps in.

This approach gives you a way to allow browser-based access to Microsoft 365 on personal Windows devices without fully enrolling those devices into Intune. It is not magic, and it is not a free-for-all. It works because three pieces come together:

  1. Intune App Protection Policy to protect the data
  2. Conditional Access to enforce the experience
  3. App Configuration Policies to shape how Edge behaves

When those three layers are lined up correctly, you get a much smoother BYOD experience. When they are not, you end up painting yourself into a corner with support calls and confused users. So, let’s make this a happy little Edge deployment instead.

Before You Start: The Boring but Important Stuff

I know prerequisites are not the exciting part. They are the “clean the brush before the next color” part. Still, skipping them is how you end up troubleshooting something for far longer than you should.

Here is what you need in place:

  • Licensing: Microsoft Intune Plan 1
  • Platform requirements: Windows 11, version 22H2 or later is the best path forward
  • Windows 10 note: Windows 10 version 20H2 with KB5031445 is technically supported, but with Windows 10 reaching end of support in October 2025, you are hopefully not still using it.
  • For Mobile Threat Defense integration through Windows Security Center: Windows 11 23H2 or later
  • Microsoft Edge: Version 117.0.2045.31 or later
  • Company Portal: Installed from the Microsoft Store, but it does not need to be opened or used to enroll the device

One more item worth calling out is cross-tenant support. It is currently in public preview, and for anyone who spends time bouncing between multiple tenants, that one is especially interesting.

Cross-tenant support using Intune MAM | Microsoft Learn

Step 1: Creating the App Protection Policy

Start in the Intune admin center and go to:

Apps > Managed apps > Protection > Create > Windows

Give the policy a name that makes sense. Something like “Windows BYOD – Edge MAM Protection” works well. Then, on the Apps tab, select Microsoft Edge, which is currently the supported app for this scenario.

Data Protection: Where the Guardrails Live

This is where the policy starts doing real work.

You will mainly focus on two areas:

  • Data Transfer settings, which control how corporate data moves in and out of Edge
  • Functionality settings, which currently include printing controls for organizational data

These settings directly shape what users can do inside the work context in Edge.

For example:

  • If Receive data is set to No sources, users cannot upload files into the work profile through drag and drop or the file picker
  • If Send org data is set to No destinations, users cannot download files out of the work profile
  • If Cut, copy, and paste is locked down to No destination or source, clipboard actions are blocked within corporate web content, although the address bar still works

That is the beauty of this model. You are not just allowing browser access. You are defining the boundaries around how organizational data can move.

Microsoft breaks this into three recommended security levels:

Setting       | Level 1 (Basic)  | Level 2 (Enhanced) | Level 3 (High)
Receive data  | All sources      | No sources         | No sources
Send org data | All destinations | No destinations    | No destinations
Clipboard     | Unrestricted     | No transfer        | No transfer
Printing      | Allowed          | Allowed            | Blocked
User impact   | Minimal friction | Moderate impact    | Tightest restrictions

In other words, you can decide whether you want a light touch, a balanced approach, or the full “let’s keep the paint inside the lines” experience.

Health Checks (Conditional Launch)

The Health Checks tab, known as Conditional Launch on iOS and Android, is where you define what conditions should trigger enforcement.

This includes app-related checks such as:

  • Offline grace period
  • Minimum app version
  • Minimum SDK version
  • Disabled account detection

It also includes device-related checks such as:

  • Minimum OS version
  • Maximum OS version
  • Maximum allowed threat level

Each condition can trigger actions like Warn, Block access, or Wipe data.

That gives you a lot of flexibility. You can be gentle where it makes sense, and firm where it needs to count.

Step 2: Conditional Access, the Policy That Makes It All Work

If the App Protection Policy is the guardrail, Conditional Access is the part that tells users which road they are allowed to drive on.

This is the policy that takes unmanaged Windows devices and pushes users into a MAM-protected Edge session when they try to access Microsoft 365 in the browser.

A solid starting point looks like this:

  • Users included: All users, or a pilot group
  • Users excluded: Break-glass accounts and service principals
  • Cloud apps: Office 365
  • Device platforms: Windows
  • Client apps: Browser only
  • Grant controls: Require app protection policy and require compliant device
  • Multiple controls: Require one of the selected controls
  • Policy state: Start in report-only

The Multiple controls setting is the real star of the show.

Using Require one of the selected controls gives you clean logic for both managed and unmanaged devices.

A compliant, Intune-enrolled device can satisfy the compliance requirement and continue using the browser normally.

An unmanaged personal device cannot meet compliance, so it must satisfy the app protection policy requirement instead. That is what nudges the user into Edge with MAM.

It is a smart design, because one policy can account for both experiences without getting messy.

Companion Policies You Should Add

Microsoft recommends two companion policies here, and I agree.

1. Platform restriction policy
Block access to Office 365 from unsupported or unknown device platforms. Include all platforms, exclude Windows, iOS, and Android, then set the grant control to Block.

2. Desktop client restriction policy
Require device compliance for Windows desktop apps by targeting:

  • Windows as the platform
  • Mobile apps and desktop clients as the client app condition
  • Require device to be marked as compliant as the grant control

This matters because it prevents BYOD users from simply sidestepping the browser and signing in through Outlook, Teams, or other native Office apps on unmanaged Windows devices.

In short, if the device is not compliant, desktop apps are off the table. Browser access goes through Edge with protection in place.
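As an added example (not from the original post), here are the Step 2 browser policy and the two companion policies created together in report-only mode with Microsoft Graph PowerShell. The Microsoft.Graph.Identity.SignIns module, the Policy.ReadWrite.ConditionalAccess scope, and the break-glass group ID placeholder are assumptions.

```powershell
# Added example: builds the three Conditional Access policies described above.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed and that
# $breakGlassGroupId holds the object ID of your break-glass account group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassGroupId = "<BREAK-GLASS-GROUP-OBJECT-ID>"   # placeholder, replace before use

# Shared user and app scope: all users, break-glass excluded, Office 365 targeted
$users = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$apps  = @{ includeApplications = @("Office365") }

# Policy A (Step 2): Windows browser sessions need EITHER a compliant device
# OR the app protection policy. operator "OR" is "Require one of the selected controls".
$browserPolicy = @{
    displayName = "BYOD Windows - Browser: compliant device OR app protection"
    state       = "enabledForReportingButNotEnforced"   # start in report-only
    conditions  = @{
        users          = $users
        applications   = $apps
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("browser")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
}

# Policy B (companion 1): block Office 365 from any platform other than Windows, iOS, Android
$platformPolicy = @{
    displayName = "BYOD - Block unsupported or unknown platforms"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = $users
        applications   = $apps
        platforms      = @{ includePlatforms = @("all"); excludePlatforms = @("windows", "iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy C (companion 2): Windows desktop and mobile clients must be compliant,
# so an unmanaged device cannot sidestep the protected browser via Outlook or Teams
$desktopPolicy = @{
    displayName = "BYOD Windows - Desktop clients require compliant device"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = $users
        applications   = $apps
        platforms      = @{ includePlatforms = @("windows") }
        clientAppTypes = @("mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

foreach ($policy in @($browserPolicy, $platformPolicy, $desktopPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Review the sign-in logs under report-only before switching state to "enabled"; the browser policy should show compliant devices satisfied by compliantDevice and personal devices satisfied only by compliantApplication.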

Step 3: Configuring Edge Behavior with App Configuration Policies

Once protection and enforcement are in place, it is time to shape the actual browser experience.

For unmanaged MAM-only devices, use App Configuration Policies through the Managed Apps channel. This part is important. Do not use the Settings Catalog for this scenario. The Settings Catalog is for MDM-enrolled devices, and that is not the workflow we are building here.

Go to:

Intune admin center > Apps > Managed apps > Configuration > Create > Managed apps

Select Microsoft Edge Windows as the target app.

From there, you can define settings as name and value pairs using standard Edge policy names.

Here are a few useful examples:

  • HomepageLocation
    Sets the work profile home page
  • ShowHomeButton = Enabled
    Adds the home button to the toolbar
  • ExtensionInstallBlocklist = ["*"]
    Blocks all extensions by default
  • ExtensionInstallAllowlist = ["extension_id_1"]
    Allows only approved extensions

For stronger security postures, especially Level 2 and Level 3, blocking all extensions by default and allowing only what is approved is the safer route.

There are plenty of other Edge settings you can define this way too, including download controls, privacy settings, search provider configuration, and more.

On top of that, the Microsoft Edge Management Service (accessed through http://admin.microsoft.com) can add even more polish. Features like watermarking, protected downloads to a managed OneDrive for Business location, and organizational branding can help reinforce the separation between personal and work activity.

What Your Users Will Actually Experience

This part matters more than many admins realize.

A technically secure design that feels confusing or frustrating to the user is still going to cause problems. If adoption is rough, support tickets will follow.

So here is the flow from the user’s side.

A user on a personal Windows device tries to access Microsoft 365.

They are redirected into Microsoft Edge.

Inside Edge, they select the profile icon, choose Sign in to sync data, and enter their work account. After MFA, they will likely see the prompt asking whether they want to stay signed in to all their apps.

This is the moment they need to choose Yes, because that action triggers the MAM enrollment experience.

Then comes the part that often causes hesitation. If they see a prompt asking, Allow my organization to manage my device?, that is the spot where users may need a little guidance. In a BYOD scenario, clarity matters. You want them to understand the difference between protecting the work browser session and fully enrolling their personal device.

A little user communication here goes a long way.

[Screenshot: Edge with watermarking and synced user]
[Screenshot: Block message when attempting to copy data locally]

Wrapping Up

Windows MAM with Edge for Business gives Microsoft a practical answer to the browser access side of BYOD on Windows.

The model is straightforward:

  • App Protection Policies protect the data
  • Conditional Access enforces the path into a protected Edge session
  • App Configuration Policies refine the browser experience

Together, those three layers give you a controlled way to deliver Microsoft 365 web access on unmanaged personal devices without handing over the keys to full device enrollment.

The biggest limitation is still scope. This is an Edge-focused solution, not a full Windows app protection ecosystem like what you see on mobile. It protects browser-based access, not every app on the device.

Still, when you pair this with device compliance requirements for native desktop apps, you end up with a strong and practical BYOD strategy. You can give users access to what they need, keep corporate data inside sensible boundaries, and avoid turning every personal laptop into a fully managed endpoint.

Not bad for one happy little Edge.