Microsoft Edge for Business Recommended Configuration Settings
This article provides recommended configurations for Edge for Business across managed and unmanaged devices for E3 and E5 licenses.
Note
Edge for Business is the browser that's available through a work profile and surfaces enhanced security and productivity features. Edge for Business is referred to as "Edge" in this article.
What is a Secure Enterprise Browser?
A secure enterprise browser is a web browser that is secure by default and designed with security features tailored for use within corporate or organizational environments. These browsers prioritize security, privacy, and manageability to mitigate browser-based cyber risks.
Often, secure enterprise browsers (SEBs) also include enhanced productivity features alongside their robust security measures. These productivity features are designed to improve user efficiency and facilitate collaboration within the organization while maintaining a secure browsing ecosystem.
The importance of a Secure Enterprise Browser
The browser has become more than just a tool; it's now a destination where 56% of the workday is spent. Within this digital realm, sensitive organizational and user data are often surfaced, whether it's through accessing company documents, communicating between users, or interacting with web-based applications.
The increased reliance on browsers heightens browser-based cyber risks. As a result, ensuring the security of browser environments has become paramount for organizations, with secure enterprise browsers emerging as essential tools to safeguard against the ever-evolving landscape of cyber threats. In today's modern work environment where remote work and the use of personal devices are common, the role of SEBs in mitigating such security breaches becomes even more crucial. Remote work introduces more security challenges, such as unsecured home networks, BYOD policies, and reliance on public or personal Wi-Fi, which can increase the risk of cyberattacks and data breaches. SEBs help address these challenges by providing a secure browsing environment with features such as strong encryption, advanced threat detection, and policy enforcement.
The Microsoft Edge advantage
Edge continues to invest in the development of capabilities that transform the browser into a proactive agent, actively detecting and providing anticipatory protections against security concerns that organizations encounter.
Edge for Business capabilities are built on the following pillars:
- Protect users and devices
- Protect sensitive organization data
- Provide secure network access on any device
- Enhance employee productivity with safe AI
- Provide unified manageability
Protecting users and devices
Microsoft Edge has a strong core security foundation inherited from Chromium. This platform is rapidly updated with the latest upstream changes that include security patches. In addition to the strong security foundation, Edge has the following unique capabilities powered by Microsoft Defender SmartScreen and Microsoft Entra ID for protection on the device and on the network.
- Microsoft Defender SmartScreen gives industry-leading protection against phishing, drive-by exploits, tech support scams, malware, malware advertising, and malicious downloads.
- Typosquatting protection is embedded in the browser to warn users if they mistype a commonly used website name and land on a malicious site instead.
- Increased zero-day protection surfaced through Enhanced Security Mode safeguards against memory-related vulnerabilities by disabling just-in-time (JIT) JavaScript compilation and enabling more operating system protections for the browser.
- Improved threat detections use new signals for the Security Operations Center (SOC), which provide valuable app-level signals to Microsoft Defender.
Protecting sensitive data in the organization
Increased browser usage in the enterprise makes the browser the #1 surface for enterprise data egress. Sensitive organizational data is protected in Edge through various data leak prevention and auditing systems.
- Edge provides native support for Microsoft Purview DLP for a seamless end user experience that protects the distribution of sensitive data in the browser.
- Edge can be integrated with Microsoft Insider Risk Management for policy-based risk monitoring, alerting, and auditing, which supports incident forensics and mitigation.
- Edge supports Microsoft Entra tenant restrictions v2 (TRv2), which prevents unauthorized tenant access by providing advanced data exfiltration protection and supports multitenant scenarios.
Provide secure network access on any device
Edge provides a broad spectrum of capabilities to enable secure network access to any web resource from BYOD devices. These capabilities include secure network access to both internet (Microsoft 365, SaaS apps, and the rest of internet) and private applications (on-premises and cloud) with threat protection and data exfiltration protections enforced on the network to suit different customer needs.
- Microsoft Entra's Conditional Access systems work seamlessly in Edge to provide productive protection of company assets and prevent unauthorized access.
- Edge uses Microsoft Intune Mobile Application Management and Microsoft Defender for Cloud Apps (coming soon) to enforce compliant device usage on unmanaged devices to provide optimal security.
- Edge integrates with Azure Application Proxy to secure remote access to on-premises applications.
- Edge uses Zero Trust Network Access (ZTNA) infrastructure, powered by Microsoft Entra to help enforce compliance network access [in preview].
Safely introducing AI to the organization
Safely introduce AI by balancing productivity, data security, and compliance.
- Copilot for work ensures Commercial Data Protection (CDP), meaning that Microsoft doesn't save or store any large language model (LLM) interactions. Data in motion is encrypted, no one in Microsoft can view the data, and LLM interactions can't be used to train the LLM.
- Admins can block Copilot access to page content, ensuring that company data isn't sent to Copilot.
Providing unified manageability
With the browser's importance to enterprise workflows, organizations see an increased need for a dedicated management experience to quickly deliver browser policies. With the Microsoft Edge management service, IT admins can streamline their browser management by reducing overhead, including reduced transition time when upgrading from E3 to E5.
- The Microsoft Edge management service enables streamlined policy management for corporate profiles in the browser.
Providing productivity in enterprise settings
Edge provides several features that enrich collaboration and maximize productivity in the browser.
- Workspaces in Edge provide a platform for teams to easily collaborate and stay organized with cross-device syncing to supercharge productivity.
- Compose acts as an AI agent in the browser to support writing activities such as drafting emails, documents, and other materials.
- Tab Groups help users stay organized in any browser window.
- Contextual summary with Copilot in Edge can provide support for more efficient research and browsing experiences.
- The work feed in Edge helps users stay up to date on the latest internal network and industry news.
- Text prediction in Edge streamlines communication in text boxes in the browser.
How to configure Edge as a Secure Enterprise Browser for E5 licenses
In the E5 License Tier, Microsoft recommends the following steps to get the most out of your E5 license.
Follow the steps below BEFORE following the steps in the E3 managed device section.
For managed devices
- Provide data leak protections across the machine and in the browser by deploying Purview DLP. For more information, see:
- If your organization would like extensive logging of actions taken in the browser (good for capturing risk signals over time), then use Microsoft Purview Insider Risk Management.
  - For more information, see Insider risk management
- Capture PDF and document sensitivity in the browser by using Microsoft Purview Information Protection, and view protected documents safely in the browser. For more information, see:
- For easy DLP controls for Microsoft services accessed on the web, configure Microsoft Defender for Cloud Apps AND turn on Edge for Business protections in the admin portal. For more information, see:
For BYOD (Bring Your Own Device)/unmanaged devices
Follow the steps below BEFORE following the steps in the E3 BYOD device section.
- For easy DLP controls for Microsoft services accessed on the web, configure Microsoft Defender for Cloud Apps AND turn on Edge for Business protections in the admin portal. For more information, see:
How to Configure Edge as a Secure Enterprise Browser for E3 licenses
In the E3 License Tier, Microsoft recommends the following steps to get the most out of your E3 license.
For managed devices
- Deploy Conditional Access to ensure that your corporate assets are only accessed by authorized users from a protected environment, ensuring both productivity and security.
  - For more information, see Microsoft Edge and Conditional Access
- For granular controls (such as extension controls, safe AI, blocking insecure browsers, zero-day protection, and customized organizational branding in the browser), configure the Microsoft Edge management service.
  - For more information, see Microsoft Edge management service
- If some of your users are multitenant, use TRv2 protections.
  - For more information, see Configure tenant restrictions, Microsoft Entra ID - Microsoft Entra External ID
- To heighten in-browser productivity, configure the work feed to help keep users focused and up to date.
  - For more information, see Microsoft Edge Enterprise new tab page
- To help your users find work information as quickly as possible, enable Microsoft Bing @ Work (Search in Bing).
  - For more information, see Overview of Microsoft Search in Bing
- If your users need remote access to on-premises applications, use Azure Application Proxy.
  - For more information, see Add an on-premises application for remote access through application proxy in Microsoft Entra ID
- Keep users safe on the web by enabling Website Typo Protection, Enhanced Security Mode (ESM), and Phishing Protection (Microsoft Defender SmartScreen). For more information, see:
  - Typo protection: Microsoft Edge Browser Policy Documentation
  - Enhanced Security Mode: Browse more safely with Microsoft Edge
  - Phishing protection: Microsoft Defender SmartScreen overview - Windows Security
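As an added example (not part of the original article and not Microsoft tooling), the following PowerShell audit checks whether the three protections in the last step are enforced by policy on a managed Windows device. It assumes policies are delivered as registry values under the Edge policy key; the function names and the pass criteria in `$baseline` are choices made for this example.

```powershell
# Added example: audit Edge policy state for typo protection, ESM and SmartScreen.
# Assumption: mandatory policies are registry values under these keys.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine-wide policy
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # per-user policy
)

# Policy name -> check on the configured value (baseline chosen for this example).
$baseline = [ordered]@{
    SmartScreenEnabled          = { param($v) $v -eq 1 }     # phishing protection on
    TyposquattingCheckerEnabled = { param($v) $v -eq 1 }     # website typo protection on
    EnhancedSecurityMode        = { param($v) $v -in 1, 2 }  # 1 = Balanced, 2 = Strict
}

function Get-EdgePolicyValue {
    param([string]$Name)
    foreach ($root in $policyRoots) {
        $item = Get-ItemProperty -Path $root -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = $item.$Name; Source = $root }
        }
    }
    return $null   # no policy set: the browser default applies and users may change it
}

function Test-EdgeSecurityBaseline {
    foreach ($name in $baseline.Keys) {
        $found = Get-EdgePolicyValue -Name $name
        $value = $null
        $source = $null
        if ($null -eq $found) {
            $status = 'NotConfigured'
        } else {
            $value = $found.Value
            $source = $found.Source
            $check = $baseline[$name]
            if (& $check $value) { $status = 'Compliant' } else { $status = 'NonCompliant' }
        }
        [pscustomobject]@{ Policy = $name; Value = $value; Source = $source; Status = $status }
    }
}

Test-EdgeSecurityBaseline | Format-Table -AutoSize
```

A `NotConfigured` result means the setting is not enforced by registry policy on that device, so it should be treated as a gap to investigate rather than as a pass.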
For BYOD (Bring Your Own Device)/unmanaged devices
- Deploy Conditional Access to ensure that your corporate assets are only accessed by authorized users from a protected environment, ensuring both productivity and security.
  - For more information, see Microsoft Edge and Conditional Access
- For desktop BYOD coverage in the browser, set up Microsoft Intune MAM.
  - For more information, see Secure your corporate data using Microsoft Edge for Business.
- For granular controls (such as extension controls, safe AI, blocking insecure browsers, zero-day protection, and customized organizational branding in the browser), configure the Microsoft Edge management service.
  - For more information, see Microsoft Edge management service.
- If some of your users are multitenant, use TRv2 protections.
  - For more information, see Configure tenant restrictions, Microsoft Entra ID - Microsoft Entra External ID
- To heighten in-browser productivity, configure the work feed to help keep users focused and up to date.
  - For more information, see Microsoft Edge Enterprise new tab page
- To help your users find work information as quickly as possible, enable Microsoft Bing @ Work (Search in Bing).
  - For more information, see Overview of Microsoft Search in Bing
- If your users need remote access to on-premises applications, use Azure Application Proxy.
  - For more information, see Add an on-premises application for remote access through application proxy in Microsoft Entra ID
- Keep users safe on the web by enabling Website Typo Protection, Enhanced Security Mode (ESM), and Phishing Protection (Microsoft Defender SmartScreen). For more information, see:
  - Typo protection: Microsoft Edge Browser Policy Documentation
  - Enhanced Security Mode: Browse more safely with Microsoft Edge
  - Phishing protection: Microsoft Defender SmartScreen overview - Windows Security
Note
Commercial Data Protection (CDP) is always on by default in Copilot when signed in with Microsoft Entra ID, except for Government and Education users. Instructions for enabling Commercial Data Protection (CDP) for Government and Education users can be found here.
Microsoft Intune MAM can also cover BYOD mobile experiences; setup information can be found here.