First look at In-Browser Protection with Edge for Business

Today, it’s time for another blog post in the unmanaged devices series. We’ll look at a newly introduced feature called in-browser protection with Edge for Business. This new preview feature is a welcome addition to Microsoft Defender for Cloud Apps (MDA) and its session policies. Session policies monitor or restrict certain users’ activities in risky situations, such as working from unmanaged or non-compliant devices.

Until now, session policies have worked with reverse proxy technology to monitor and restrict; the new in-browser protection feature will deliver these capabilities straight from the Microsoft Edge for Business browser.

In this post, I’ll discuss the differences between these options, how to enable the new feature, and what the user experience looks like. The post will include the following sections;

This post was written during the preview; some things might have changed slightly if the feature is now generally available.

Prerequisite

Before we start looking at the new in-browser protection and enabling the feature, I recommend that you have already configured or at least have prior knowledge of these features.

  • Conditional Access policy with the App Control setting enabled
  • One or multiple session policies with restrictions in Microsoft Defender for Cloud Apps

If you need help with the above, I recommend reading this previous blog post first.

Advantages of in-browser protection

Let’s discuss the differences between using the reverse proxy or the new in-browser protection, starting with the advantages of in-browser protection.

If you have ever actually tried working with the reverse proxy for longer than an hour, you’ll know it can become very slow. This delay is caused by the increased latency of the additional hop required for the reverse proxy. In-browser protection completely solves this problem by applying session restrictions straight from the browser.

Another advantage is that, by default, in-browser protection disables the developer tools in Edge to prevent users from bypassing the session restrictions through the developer tools.

Microsoft also tells us that the in-browser protection fixes some app compatibility issues that would generally occur with the reverse proxy, so that’s another plus in my book. I personally haven’t seen any fixed use cases yet.

Another benefit is the ability to combine in-browser protection with Mobile Application Management, as they both work closely with the Microsoft Edge for Business work profiles. I will discuss this further in a later chapter.

Disadvantages of in-browser protection

Now, let’s move on to the disadvantages of working with the in-browser protection.

Currently, in-browser protection only supports users working with Edge for Business on Windows 10/11, so other browsers and operating systems aren’t supported. This doesn’t become an issue, though. Users working from non-supported browsers or operating systems will still have their session protected by the reverse proxy, which will work as a fallback for whenever in-browser protection can’t come into play.

The second disadvantage is that it requires users to sign in and switch to an Edge work profile. This requirement would be fine if the user experience wasn’t so ugly, as I’ll show you later.

Lastly, in-browser protection doesn’t yet support all session policy restrictions, such as the paste or download malware action. It currently only supports the file download, upload, cut/copy, and print actions.

How to enable in-browser protection

You can enable in-browser protection for Edge for Business by following these steps:

  1. Navigate to the Microsoft Defender admin center and go to Settings > Cloud Apps > Edge for Business Protection.
  2. Turn on Edge for Business browser protection.
  3. Optionally, select the notify users on non-Edge browsers to use Microsoft Edge for Business option to nudge (not enforce) them towards using Microsoft Edge.
  4. Click on the Save button.

After enabling the in-browser protection feature, it will automatically apply to all user sessions protected by a session policy in Microsoft Defender for Cloud Apps. Do note, that it will only affect users working with Microsoft Edge on Windows 10/11; otherwise, they will be protected through the reserve proxy.

User experience

So, let’s take a look at the user experience. I’ll sign in to the Microsoft 365 portal from my Google Chrome browser on my unmanaged Windows 11 device.

After signing in, Microsoft will nudge me (if configured) to use Microsoft Edge for Business instead of Google Chrome. Let’s pretend we are an obedient user and switch to the Edge browser. If the user decides to keep on using Google Chrome, they will use the reverse proxy feature instead.

Now Microsoft will notice that I am not using my Microsoft Edge for Business work profile, and they ask me to switch.

Because this is my first time, I’ll sign in again to create my Microsoft Edge for Business work profile and register my device with Microsoft Entra ID. Unfortunately, users must actively uncheck the “Allow my organization to manage my device” button; otherwise, the device will be MDM enrolled instead and will not be “Unmanaged” anymore. Please, Microsoft, stop checking this box by default. I beg you.

Afterward, we successfully created our Microsoft Edge for Business work profile and can switch to it more quickly the next time we sign in to Microsoft 365. As you can see, we are still notified that our session is being monitored after sign-in.

But now, let’s test whether some of my session policy restrictions are still applied correctly. I’ll open Outlook and try to print an email attachment.

As you can see, the print (and cut/copy, download, and upload) actions are successfully blocked, and the notifications come straight from the Microsoft Edge for Business browser.

Before, opening the developer tools and copying content from there was possible.

As you can see, this is no longer possible as the developer tools are disabled by default with in-browser protection.

Advanced scenario

I’m not sure Microsoft intentionally made this scenario work, and I don’t know if it will continue to work. For now, during the preview, I wouldn’t recommend it in production.

I learned that you can indirectly enforce (instead of nudge) in-browser protection with Microsoft Edge by creating a conditional access and app protection policy for Windows. By doing so, users are forced to use Microsoft Edge for Business instead of being able to use alternative browsers with the reverse proxy.

I might write a post about this scenario if it’s still possible whenever in-browser protection becomes generally available, or maybe there will be a more logical way of enforcing it upon users without relying on Mobile Application Management.

Wrap up

I do not quite like this user experience yet, especially with the user having to uncheck a box to prevent the company from managing their device. It has the same problems as Mobile Application Management for Windows currently has.

On the other hand, the reverse proxy can dramatically slow down the user experience, and in-browser protection with Microsoft Edge for Business solves this problem completely. Also, it is more secure, especially when combined with Mobile Application Management for Windows.

If you’re already using session policies, consider enabling in-browser protection with Microsoft Edge for Business whenever it becomes generally available. You can run it side-by-side with the proxy, so it won’t really impact users on other operating systems or browsers.

Definitely have a go at this new feature, and tell me what you think!

I’ll try to update this post once new features or significant changes are introduced. For now, have a great day!

This post is part of the unmanaged devices blog series; find more posts here.
View previous part: Quick Guide: How to enable device trust for guest users
View next part: (coming soon)

First look at In-Browser Protection with Edge for Business

About the author

Myron Helgering:

0 Comments

Would you like to share your thoughts?

Your email address will not be published. Required fields are marked *

Leave a Reply