In-browser protection with Microsoft Edge for Business (Preview)

What is Microsoft Edge for Business?

It’s a web browser designed specifically for organizations. It builds upon the standard Microsoft Edge browser, adding features that benefit both IT professionals and regular users. Here are some key capabilities of Microsoft Edge for Business:

  • Security: Like the regular Edge browser, it prioritizes security with features to protect your organization’s data. IT admins can leverage manageability tools to configure security policies.
  • Productivity: It includes features to help users be more productive, like Workspaces for organizing tabs and Collections for grouping related content.
  • AI Integration: It integrates with Microsoft AI features, including Copilot (formerly Bing Chat Enterprise) which offers AI-powered chat within the browser sidebar.
  • Manageability: IT administrators have more control over browser settings and configurations within an organization.
  • Work and Personal Browsing Separation: It allows for automatic switching between separate work and personal browsing windows, with distinct favorites, passwords, and settings.
  • Unmanaged Device Support: With Intune Mobile Application Management, users can securely access work resources on personal devices.
  • Legacy Application Support: It includes Internet Explorer mode (IE mode) for users to access older websites and applications built for Internet Explorer.

What about Defender for Cloud Apps?

Microsoft Defender for Cloud Apps (MCA) is Microsoft’s multi-cloud CASB (cloud access security broker). It provides in-depth security functionality through a combination of techniques:

  • API Connectors: MCA integrates with various cloud applications (Microsoft and third-party) through APIs. This enables it to access and analyze user activity logs, data governance settings, and application configurations.
  • Machine Learning (ML): MCA leverages machine learning algorithms to analyze user behavior and cloud app activity. This allows for anomaly detection, identification of risky behaviors, and potential threats like malware or compromised accounts.
  • Content Inspection: MCA can inspect files uploaded, downloaded, or shared within connected cloud apps, and integrates with Microsoft Purview DLP (Data Loss Prevention) so that sensitivity-based policies are enforced and sensitive information leaks are prevented.
  • User and Entity Behavior Analytics (UEBA): MCA analyzes user activity data to identify potential insider threats or compromised accounts. It considers factors like location, device used, access patterns, and downloaded/shared data to build user baselines and flag deviations.
  • Adaptive Access Control (AAC): MCA offers built-in AAC through Conditional Access App Control, which applies dynamic access and session controls based on real-time user and session risk. For example, access can be restricted for high-risk users, unusual locations, or suspicious activity.
  • Integration with Microsoft Defender XDR: MCA integrates with Microsoft Defender XDR, a security platform offering extended detection and response (XDR) capabilities. This allows for correlation of security signals across various Microsoft security products for a holistic view of potential threats and improved incident response.

Overall, MCA provides a technical toolkit for securing your cloud environment by offering visibility, threat detection, information protection, and governance controls. It leverages machine learning, data inspection, and behavioral analysis to provide comprehensive cloud application security.

With this in mind, let’s look at how these two can be combined.

In-browser protection with Microsoft Edge for Business (Preview)

Imagine you’re a Defender for Cloud Apps user and a security champion for your company. You rely on Microsoft Edge for Business to access all your essential cloud apps. But juggling security and a smooth workflow can be tricky.

Here’s where in-browser protection comes in as your knight in shining armor. This feature of Defender for Cloud Apps enforces session policies natively inside Microsoft Edge for Business, so the session no longer has to be routed through the Defender for Cloud Apps reverse proxy.

In-Browser Protection Requirements

Requirement, supported value(s), and notes:

  • Operating System (the OS on which the user runs Microsoft Edge for Business): Windows 10 or 11. In-browser protection is not currently supported on other operating systems.
  • Identity Platform (the identity and access management platform used for authentication): Microsoft Entra ID. Other identity platforms do not provide the integration that in-browser protection relies on.
  • Microsoft Edge for Business Version (the version the user is running): 121 and higher. In-browser protection features may not be available or may function differently in older versions.
  • Supported Session Policies (policies that can be enforced within the browser session to protect sensitive data):
    • Block/Monitor file download (all files or specific file types)
    • Block/Monitor file upload
    • Block/Monitor copy/cut
    • Block/Monitor print
    These policies allow granular control over user actions that could leak sensitive information.
  • User Profile (the browser profile the user is using): Work Profile. In-browser protection is designed to function within the dedicated work profile of Microsoft Edge for Business, which keeps it isolated from personal browsing data.

Scenarios served by the reverse proxy instead of in-browser protection:

  • Users with multiple policies, including at least one unsupported policy: a single unsupported policy is enough to route the session through the reverse proxy, so that user’s policies are not enforced within the browser session.
  • Policies defined in the Microsoft Entra ID portal: all policies defined in the Entra ID portal are handled by the reverse proxy.
  • Unsupported browsers (e.g., Google Chrome): in-browser protection is not available in unsupported browsers.
  • Unsupported session policies (e.g., block paste): these are not enforced within the browser session and fall back to the reverse proxy.
  • Unsupported platforms (e.g., Android devices): in-browser protection is not currently available on unsupported platforms.
  • Unsupported authentication methods (e.g., Okta): in-browser protection relies on Microsoft Entra ID for authentication.
  • InPrivate browsing mode: InPrivate windows are not covered by in-browser protection; the session is served by the reverse proxy rather than left unprotected.
  • Older Microsoft Edge versions (below 121): in-browser protection features may not be available or may function differently.
  • B2B guest users: in-browser protection is limited for guest users, whose sessions are served by the reverse proxy.
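To turn the two lists above (the requirements, and the scenarios that fall back to the reverse proxy) into something you can run on a workstation before rolling out the preview, here is an added PowerShell example. It is not part of the original post and not Defender for Cloud Apps code. It reads the installed Edge version and Windows version, uses the AzureAdPrt line of dsregcmd /status as a stand-in for "signed in with Microsoft Entra ID", and checks a list of session policy actions against the supported set. The action labels (BlockDownload, BlockPaste, and so on) and the -InPrivate and -GuestUser switches are this example’s own assumptions, not product identifiers, and the script does not verify that Edge is running in the work profile.

```powershell
# Added example, not part of the original post or of Defender for Cloud Apps:
# a local readiness check that reports whether a session from this Windows
# device would be served by in-browser protection or by the reverse proxy.
# Policy action labels and the -InPrivate/-GuestUser switches are this
# example's own names; the AzureAdPrt check stands in for Entra ID sign-in.

function Get-EdgeVersion {
    # Edge installs to one of these two paths on 64-bit Windows.
    $candidates = @(
        "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe",
        "$env:ProgramFiles\Microsoft\Edge\Application\msedge.exe"
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            return [version](Get-Item $path).VersionInfo.ProductVersion
        }
    }
    return $null
}

function Test-EntraSignedIn {
    # dsregcmd /status prints "AzureAdPrt : YES" when the current user holds an
    # Entra Primary Refresh Token; used here as a proxy for Entra ID sign-in.
    try {
        $status = & dsregcmd /status 2>$null
        return [bool]($status -match 'AzureAdPrt\s*:\s*YES')
    } catch {
        return $false
    }
}

function Test-InBrowserProtectionReadiness {
    param(
        # Session policy actions the user is scoped to (example labels).
        [string[]]$SessionPolicyActions = @(),
        [switch]$InPrivate,
        [switch]$GuestUser
    )
    # Actions the preview enforces in-browser, per the requirements above.
    $supportedActions = @(
        'MonitorDownload', 'BlockDownload',
        'MonitorUpload',   'BlockUpload',
        'MonitorCopyCut',  'BlockCopyCut',
        'MonitorPrint',    'BlockPrint'
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    $os = [System.Environment]::OSVersion.Version
    if ($os.Major -lt 10) { $reasons.Add("Windows 10 or 11 required (found $os)") }

    $edge = Get-EdgeVersion
    if (-not $edge) {
        $reasons.Add('Microsoft Edge not found at its default install path')
    } elseif ($edge.Major -lt 121) {
        $reasons.Add("Edge 121 or higher required (found $edge)")
    }

    if (-not (Test-EntraSignedIn)) { $reasons.Add('No Microsoft Entra ID sign-in detected') }

    # A single unsupported action routes the whole session through the proxy.
    $unsupported = @($SessionPolicyActions | Where-Object { $_ -notin $supportedActions })
    if ($unsupported.Count -gt 0) {
        $reasons.Add("Unsupported session policy action(s): $($unsupported -join ', ')")
    }
    if ($InPrivate) { $reasons.Add('InPrivate window') }
    if ($GuestUser) { $reasons.Add('B2B guest user') }

    $servedBy = if ($reasons.Count -eq 0) { 'In-browser protection' } else { 'Reverse proxy (*.mcas.ms)' }
    [pscustomobject]@{
        ServedBy       = $servedBy
        Reasons        = $reasons
        EdgeVersion    = $edge
        WindowsVersion = $os
    }
}

# Constructed example: a user scoped to a download block plus a paste block,
# which the preview does not enforce in-browser, so the result is the proxy.
Test-InBrowserProtectionReadiness -SessionPolicyActions 'BlockDownload', 'BlockPaste' | Format-List
```

Run it in the user’s own session (not elevated as a different account), because the AzureAdPrt line reflects the signed-in user. Any non-empty Reasons list means the session would be served with the .mcas.ms suffix rather than natively.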

A Quick Guide for Admins

Here’s a breakdown of key points for configuring in-browser protection settings:

  • Default Status: In-browser protection is enabled by default for Microsoft Edge for Business.
  • Admin Controls: IT admins have the power to:
    • Turn On/Off: Activate or deactivate in-browser protection integration entirely.
    • Nudge Users: Configure a notification to encourage users of non-Edge browsers to switch for improved security and performance.
      • You can even customize this notification message!
  • Configuration Steps:
    1. Navigate to the Microsoft Defender portal.
    2. Go to Settings > Cloud Apps > Conditional Access App Control > Edge for Business protection.
    3. Toggle the desired setting for “Turn on Edge for Business protection.”
    4. (Optional) If prompting non-Edge users, choose between the default message or create a custom one.
    5. Click “Save” to finalize the changes.

Policy Precedence: When Defender for Cloud Apps policies and Microsoft Purview Endpoint DLP policies overlap for the same action (e.g., blocking file upload), the Endpoint DLP policy takes priority.

A User’s Perspective

In-browser protection with Microsoft Edge for Business offers a seamless user experience with several key indicators:

  • Lock and Load: Keep an eye out for an extra “lock” icon displayed in the address bar. This icon signifies that your session is actively protected by Defender for Cloud Apps.
  • Clean Address Bar: Unlike standard conditional access app control, in-browser protection keeps the address bar free of the “.mcas.ms” suffix. This provides a cleaner and more familiar browsing experience.
  • Developer Tools Off Limits: In-browser protection disables the browser’s developer tools for protected sessions, so the enforced session controls cannot be inspected or tampered with from DevTools.

Closure

Defender for Cloud Apps and in-browser protection for Microsoft Edge for Business combine forces to deliver a winning formula. Users experience a secure and familiar browsing environment, free from clunky proxies and compatibility issues. IT admins gain centralized control and simplified policy enforcement.

In short, this innovative duo empowers organizations to prioritize security without sacrificing user experience.

Author: Harri Jaakkonen