
💡 Our Technical Review in summary
Summary
Microsoft is introducing cross-tenant support for Intune Mobile Application Management (MAM) within Microsoft Edge for Business. This update allows organizations to apply Intune App Protection Policies (APP) to Edge work profiles even when the device is managed by an external tenant. The capability is designed to protect corporate data in scenarios involving contractors, partners, or mergers and acquisitions, without requiring additional device enrollment or additional apps.
Impact
- Data Protection: Admins can enforce security controls—such as clipboard restrictions, screenshot protection, and DevTools blocking—within the Edge work profile across tenant boundaries.
- Storage Management: When an admin enables protected downloads, downloads are redirected to the user’s OneDrive for Business instead of being saved to local device storage, which keeps corporate data off the device.
- Tenant Flexibility: Allows one tenant to govern data protection settings on a device that is technically managed by a different organization’s tenant.
- User Experience: There is no impact on personal browsing profiles or unmanaged profiles, ensuring user privacy and a seamless transition between work and personal tasks.
- Default State: This feature is off by default and requires an explicit opt-in by administrators.
Action Required
- Review Policies: Assess current Intune App Protection Policies (APP) to determine if they meet the security requirements for external contractors or cross-tenant collaborators.
- Opt-in Strategy: Determine if your organization requires cross-tenant enforcement and prepare to enable the feature within the Intune portal once the rollout begins.
- Update Security Documentation: Update internal SOPs regarding data storage, as users affected by this policy will find their downloads redirected to OneDrive for Business.
- Stakeholder Notification: Inform helpdesk and security teams about the new behavior for screenshot and DevTools blocking in cross-tenant scenarios to avoid unnecessary support tickets.
- Monitor Rollout: Track the Public Preview starting mid-February 2026, with full General Availability expected by mid-April 2026.
Microsoft Official Update
Service: N/A
Category: planForChange
Severity: normal
[Introduction]
Microsoft Edge for Business now supports cross-tenant Intune Mobile Application Management (MAM) policies. This update allows organizations to apply Intune App Protection Policies to Edge work profiles even when the device is managed by another tenant. This capability helps protect corporate data in cross-tenant scenarios such as contractors, partners, or mergers, without requiring additional device enrollment or disrupting the end-user experience.
This message is associated with Microsoft 365 Roadmap ID 557187.
[When this will happen:]
- Public Preview (Worldwide): We will begin rolling out mid-February 2026 and expect to complete by early April 2026.
- General Availability (Worldwide): We will begin rolling out early April 2026 and expect to complete by mid-April 2026.
[How this affects your organization:]
Who is affected:
- Organizations using Microsoft Edge for Business
- Admins configuring Intune App Protection Policies
- Users accessing corporate data on devices managed by another tenant
What will happen:
- This feature is off by default and opt-in only
- Intune MAM policies are enforced within the Edge work profile
- When enabled, protected downloads are redirected to OneDrive for Business instead of local storage, and leak controls for screenshots and DevTools activate when data protection settings are applied.
- This approach secures cross-tenant scenarios like contractors or mergers without requiring additional apps or disrupting the user experience.
- No impact to personal browsing or unmanaged profiles
[What you can do to prepare:]
No action is required before rollout.
- Review existing Intune App Protection Policies
- Determine whether to enable cross-tenant MAM for Edge
- Notify security and helpdesk teams as appropriate
- Update internal documentation if needed
Learn more: Cross-tenant support using Intune MAM | Microsoft Learn
[Compliance considerations:]
| Compliance area impacted | Explanation |
|---|---|
| Customer data storage | When protected downloads are enabled by the admin, downloads are redirected to OneDrive for Business instead of local storage, changing where corporate data is stored. |
| Processing and access of existing customer data | Corporate data accessed through Edge work profiles is processed under Intune App Protection Policies even when the device is managed by another tenant. |
| Tenant-to-tenant interaction | This change enables cross-tenant enforcement of Intune MAM policies, allowing one tenant to govern data protection on devices managed by another tenant. |
| Data Loss Prevention (Purview) | Intune MAM leak controls such as clipboard restrictions, screenshot protection, and DevTools blocking are enforced within the Edge work profile. |
| Admin controls | The capability is opt-in and controlled through Intune App Protection Policies, allowing admins to decide whether and how cross-tenant MAM enforcement applies. |
