How to Secure Windows App Access in Microsoft Edge on Personal Windows Devices


1. What exactly does it do?

You can use Microsoft Intune along with Conditional Access to control access when users open the Windows App in a web browser (Microsoft Edge) on their personal Windows devices.
This setup ensures the device meets your security requirements before allowing access to Azure Virtual Desktop or Windows 365 Cloud PC.

2. Prerequisites:

1. If you're following the RBAC (Role-Based Access Control) approach, you'll need the following roles to set up this demo:
  • Intune Administrator – to manage device compliance and policies

  • Conditional Access Administrator – to configure Conditional Access policies

These roles ensure you have the necessary permissions to control access for the Windows App in Microsoft Edge on personal devices.

2. To use Microsoft Intune and Entra Conditional Access policies, an appropriate license is required.

In this case, Microsoft 365 Business Premium includes:

  • Microsoft Intune

  • Entra ID P1 (needed for Conditional Access)

  • Core security & management capabilities

So, you're fully covered for this demo using Microsoft 365 Business Premium.

3. Microsoft Edge on Windows: 134.0.3124.51 or later.

4. An existing host pool with session hosts, or Cloud PCs.

3. Create an app protection policy in Intune:

1. Sign in to the Microsoft Intune admin center.

2. Select Apps, then under Manage apps, select Protection.


3. Provide a meaningful name and description. Click Next.

4. Click Select apps. In the pane that opens, search for and select Microsoft Edge, then select Select. 

5. Once Microsoft Edge is listed in your list of selected apps, select Next.



6. Configure the following data transfer settings:

  • Receive data from: Set to No sources to disable drive redirection from Windows App.

  • Send org data to: Set to No destinations to disable drive redirection to Windows App.

  • Allow cut, copy, and paste for: Set to No destination or source to disable clipboard redirection between Windows App and the local device.

  • Print org data: Set to Block to prevent printing from Windows App.


7. On the Health Checks tab, Microsoft recommends you add the following conditions:

8. Click Next.



9. On the Assignments tab, assign the policy to your security group containing the users you want to apply the policy to.


10. Click Create.


4. Create a Conditional Access Policy:

1. Navigate to Endpoint security > Conditional Access > + Create new policy.



2. For Assignments, under Users or workload identities, select 0 users or workload identities selected, then include the security group containing the users to apply the policy to. You must apply the policy to the same security group that is used for assigning the host pool to the users.


3. For Target resources, select to apply the policy to Resources, then for Include, select Select resources. Search for and select the following resources. You only have these resources if you registered the relevant service in your tenant.

4. For Conditions:

Select Device platforms, for Configure, select Yes, then under Include, select Select device platforms and check Windows.





5. Select Client apps, for Configure select Yes, then check Browser.


6. For Access controls, select Grant access, then check the box for Require app protection policy and select the radio button for Require one of the selected controls.



7. For Enable policy, set it to On.

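As an added example (not part of the original post), here are the section 4 settings expressed in the Microsoft Graph conditionalAccessPolicy schema, with a small audit function that flags a policy that drifts from them. The group and resource IDs are placeholders, and the Graph control name compliantApplication is what the portal shows as "Require app protection policy".

```python
import json

# Expected values from section 4, expressed in Microsoft Graph's
# conditionalAccessPolicy schema. "compliantApplication" is the Graph name for
# the portal's "Require app protection policy" grant control.
REQUIRED_PLATFORMS = {"windows"}
REQUIRED_CLIENT_APPS = {"browser"}
REQUIRED_GRANT = "compliantApplication"


def audit_policy(policy: dict) -> list:
    """Return findings for settings that differ from section 4; [] means it matches."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("Enable policy is not On")
    cond = policy.get("conditions", {})
    if not cond.get("users", {}).get("includeGroups"):
        findings.append("no security group included under Users or workload identities")
    if not cond.get("applications", {}).get("includeApplications"):
        findings.append("no target resources selected")
    platforms = set(cond.get("platforms", {}).get("includePlatforms", []))
    if not REQUIRED_PLATFORMS <= platforms:
        findings.append("device platforms condition does not include Windows")
    if not REQUIRED_CLIENT_APPS <= set(cond.get("clientAppTypes", [])):
        findings.append("client apps condition does not include Browser")
    grant = policy.get("grantControls") or {}
    if REQUIRED_GRANT not in grant.get("builtInControls", []):
        findings.append("grant control 'Require app protection policy' is missing")
    elif grant.get("operator") != "OR":
        findings.append("grant operator is not 'Require one of the selected controls' (OR)")
    return findings


# Constructed sample policy matching section 4; group and resource IDs are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "Windows App in Edge - require app protection policy",
  "state": "enabled",
  "conditions": {
    "users": {"includeGroups": ["<host-pool-security-group-id>"]},
    "applications": {"includeApplications": ["<avd-or-windows-365-resource-id>"]},
    "platforms": {"includePlatforms": ["windows"]},
    "clientAppTypes": ["browser"]
  },
  "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]}
}
""")

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY) or ["policy matches section 4"])
```

Point the same function at the JSON returned by the Graph conditionalAccess/policies endpoint to catch a policy that was later disabled or widened to all client apps.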

5. Testing:

1. Log in to the Windows App URL.


2. After entering the credentials, you are prompted with this screen. Click Switch Edge Profile.


3. Select "Sign in to sync data".


4. Select Yes, all apps. It will check if the user account has MFA configured; if not, it will prompt the user to set it up. It will also prompt the user to set up a Windows Hello PIN.


5. Click Continue.


6. Enter the credentials again to sign in to Windows App.


7. Setup is complete.


8. If the conditions are not met, you will be returned to the same screen repeatedly.

9. On this managed profile, you will not be able to copy or paste data, as per the conditions set in the app protection policy.



10. You will also be blocked from uploading, due to the conditions set in the policy.


11. The device is registered in Intune as a personal device.


