Configuring DLP Features in Microsoft Edge

This guidance applies to Microsoft 365 E3 customers configuring Edge for Business DLP features through Intune Mobile Application Management (MAM), where the Edge work profile is the trusted boundary. All policies described here (Protected Clipboard, Screen Capture Protection, Watermarking, Protected Downloads, etc) apply profile-wide to every tab signed into the Edge work profile on the targeted device. No per-site or per-app configuration is required; if the MAM policy is applied to the profile, the controls are active across the entire profile.

If you are on Microsoft 365 E5 and want to use Microsoft Purview DLP to define the trust boundary at the per-site / per-app level instead of profile-wide, see Microsoft Purview DLP.

Protected Clipboard

Protected clipboard restricts copy/paste to the managed profile, allowing users to stay productive while corporate data stays secure. NOTE: When the Intune App Protection clipboard policy is set to Org dest, Org source (or Org dest, Any source), Screen Capture Protection activates across the entire Edge work profile automatically. It applies to every tab in the work profile.

Admin Steps

In Intune Admin Center (intune.microsoft.com):

1. Go to Apps → App Protection Policies → Windows.
2. Modify the App Protection Policy you’ve configured for users receiving MAM policies.
3. Under Data Protection, configure:

• Option 1: Allow cut/copy/paste between org destinations and org sources.
• Option 2: Allow cut/copy/paste between org destinations and any sources.

Effect

• Option 1: Copy/paste is restricted to the protected Edge for Business work profile.
• Option 2: Copy/paste is restricted to the protected Edge for Business work profile, but users can paste data into the browser from unprotected locations.

Protected Downloads

Admin Steps

In Intune Admin Center (intune.microsoft.com):

1. Go to Apps → App Protection Policies → Windows.

2. Modify the App Protection Policy you’ve configured for users receiving MAM policies.

3. Under Data Protection, configure:

   • ‘Send org data to’ to No destinations.

In the Edge Management Service (admin.microsoft.com → Settings → Microsoft Edge)

1. Create a new Configuration policy targeted to the intended users.
2. Ensure Windows 10+ is selected for platforms and policy type is Cloud.
3. No settings need to be added when creating the policy.
4. Under Assignments, select the intended users.

(After the Configuration Policy has been created and saved) In your Configuration policy, navigate to Customization Settings → Security Settings.

5. Enable Protected Downloads.

Users will now have protected downloads to OneDrive for Business enabled.

Effect

When users download files in Edge with this policy configured, the files are redirected to a OneDrive for Business folder named ‘Microsoft Edge Downloads’.

This folder is managed by your tenant and enforces organizational compliance.

Watermarking

Admin Steps

In the Edge Management Service (admin.microsoft.com → Settings → Microsoft Edge)

1. Create a new Configuration policy targeted to the intended users.
2. Ensure Windows 10+ is selected for platforms and policy type is Cloud.
3. No settings need to be added when creating the policy.
4. Under Assignments, select the intended users.

(After the Configuration Policy has been created and saved) In your Configuration policy, navigate to Customization Settings → Security Settings.

5. Enable Watermarking for users who are receiving MAM policies.

Effect

• MAM-managed profiles have a watermark throughout the entire profile (Note: users need at least one Intune app protection policy and this watermarking policy for the watermark to be enabled).

Additional Leak Controls

Defaults Applied

• Screenshot Prevention: Blocks screen captures in protected sessions.
• Developer Tools Protection: Restricts access to DevTools when MAM policies are active.

Admin Note

These controls are enforced when the cut/copy/paste Intune policy is set to any blocking setting (i.e. not “All destinations and sources”).