u/Disastrous-Offer-640

▲ 27 r/Intune

Force Microsoft 365 access only through Edge work profile on BYOD devices (without Intune enrollment)?

Hi everyone,

I’m trying to understand if there’s a supported way to force users on personal/BYOD Windows devices to access Microsoft 365 only through Microsoft Edge using their corporate/work profile, without enrolling or registering the device into Intune.

What I would like to achieve is something like:

- User accesses M365 resources from a personal PC
- Access is allowed only via Edge for Business / Edge work profile
- No device enrollment or Intune registration
- Ideally block or discourage access from Chrome/Firefox/personal Edge profiles
- Keep the separation between personal and corporate browsing sessions

I’ve been looking into Conditional Access, Edge for Business, MAM for Windows, app protection policies, and browser-based controls, but documentation and real-world experiences seem a bit fragmented.

From what I understand, Edge for Business on unmanaged devices might support some level of browser-based management and policy enforcement when users sign in with Entra ID, but I’m not sure how far this can realistically go without device registration.

Has anyone implemented something similar in production?

Main questions:

- Can Conditional Access reliably enforce Edge work profile usage only?
- Is it possible to distinguish between personal Edge profile vs work Edge profile?
- Can browser restrictions/policies be applied only to the work profile on unmanaged devices?
- Any caveats or limitations with MAM for Windows + Edge for Business?
- User experience wise, does this become painful?

Would love to hear real-world experiences or recommended architectures for this scenario.

u/Disastrous-Offer-640 — 6 days ago