Intune test environment for Microsoft Edge secure browser work

Nana Poku 345 Reputation points
2026-03-10T21:22:08.09+00:00

We would like to enable the security features of Microsoft Edge Secure Browser in our environment and begin with a testing phase.

What would be the best approach for creating Intune test device and user groups for corporate-managed and unmanaged devices and contractors to support this initial rollout? We are looking for guidance on how to structure these groups so we can safely validate the configuration before deploying it more broadly.

Microsoft Security | Intune | Grouping

1 answer

  1. Q&A Assist
    2026-03-10T21:22:27.5933333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use the Secure Enterprise Browser (SEB) levels and Entra security groups as the foundation, then layer Intune device groups on top so testing is safe and controlled.

    1. Create dedicated Entra ID user groups for SEB levels
      Use the recommended structure so policies can be assigned consistently and expanded later:
      • SEB-Level1-Users – broad pilot for basic protection.
      • SEB-Level2-Users – smaller pilot for enhanced protection.
      • SEB-Level3-Users – very small, high‑risk users or IT/security for high protection.
      • SEB-Excluded-Users – break‑glass and test accounts that must never receive SEB policies.
      These groups are used across Conditional Access, App Protection Policies (APP), App Configuration Policies (ACP), and Settings Catalog profiles.
    2. Create matching device groups in Entra ID / Intune
      Mirror the user groups for device targeting and exclusions:
      • SEB-Level1-Devices
      • SEB-Level2-Devices
      • SEB-Level3-Devices
      • SEB-Excluded-Devices
      Start with a small number of test devices in each level group (for example, IT-owned test machines) and keep production-critical devices in SEB-Excluded-Devices during initial validation.
    3. Use Conditional Access in report-only for initial validation
      Before enforcing, configure Conditional Access policies per level and assign only to the SEB pilot user groups:
      • Level 1: Basic CA policy targeting SEB-Level1-Users, scoped to browser clients on Windows/Android/iOS, excluding compliant devices so you focus on BYOD/unmanaged endpoints. Keep in Report-only mode while validating that unmanaged devices are routed through Edge with app protection.
      • Level 3: High Zero Trust CA policy targeting SEB-Level3-Users and requiring managed, compliant devices, app protection, MFA, and strong session controls (sign-in frequency, non‑persistent sessions, Conditional Access App Control). Keep this in Report-only initially as well.
      This approach lets policies be validated against a small, clearly defined pilot population without impacting the wider tenant.
    4. Assign policies progressively by group and level
      With groups in place, roll out SEB configuration in layers:
      • App Protection Policies (MAM) and App Configuration Policies (ACP) for Edge → assign to SEB-Level1-Users / SEB-Level2-Users / SEB-Level3-Users as appropriate.
      • Settings Catalog / Security Baselines for Edge on Windows → assign to SEB-Level*-Devices groups.
      Use the level definitions to decide which users/devices go where:
      • Level 1 – general staff, minimal disruption.
      • Level 2 – departments handling more sensitive data.
      • Level 3 – executives, SecOps, legal, or other high‑risk roles.
    5. Keep explicit exclusion paths for safe rollback
      During testing, always:
      • Add critical admins and service accounts to SEB-Excluded-Users.
      • Add key shared or sensitive devices to SEB-Excluded-Devices.
      Use these exclusion groups in all policy assignments and Conditional Access policies so there is a guaranteed way to bypass SEB controls if misconfiguration occurs.
    6. Validate per platform using the pilot groups
      With the pilot groups populated and policies assigned:
      • On Windows devices in SEB-Level*-Devices, use edge://policy to confirm policies are applied and test URL/feature enforcement per level.
      • On iOS/iPadOS devices for SEB-Level*-Users, verify managed configuration (homepage, search, disabled features) and URL filtering behavior per level.

    This group structure (Level1/2/3 + Excluded, for both users and devices) is the recommended way to safely test Microsoft Edge Secure Enterprise Browser configurations in Intune and then scale out to production.
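
Added example (not part of the original question or answer): a pilot-safety check for steps 3 and 5 above, run over Conditional Access policies exported as JSON in the shape of Microsoft Graph `conditionalAccessPolicy` objects. The policy display names, the placeholder group IDs and the `id-Finance` group are constructed assumptions; a real export carries GUIDs.

```python
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph "state" value for report-only

# Placeholder object IDs (constructed); real tenants use GUIDs for these groups.
PILOT_GROUPS = {"id-SEB-Level1-Users", "id-SEB-Level2-Users", "id-SEB-Level3-Users"}
EXCLUDED_GROUP = "id-SEB-Excluded-Users"

# Constructed sample in the shape of Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = json.loads("""[
 {"displayName": "SEB-L1-Pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeGroups": ["id-SEB-Level1-Users"],
                           "excludeGroups": ["id-SEB-Excluded-Users"]}}},
 {"displayName": "SEB-L2-Pilot", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"],
                           "excludeGroups": ["id-SEB-Excluded-Users"]}}},
 {"displayName": "SEB-L3-Pilot", "state": "enabled",
  "conditions": {"users": {"includeGroups": ["id-SEB-Level3-Users", "id-Finance"],
                           "excludeGroups": []}}}
]""")


def audit_policy(policy, pilot_groups=PILOT_GROUPS, excluded=EXCLUDED_GROUP):
    """Return the pilot-safety findings for one policy (empty list = safe)."""
    users = policy.get("conditions", {}).get("users", {})
    included = set(users.get("includeGroups") or [])
    findings = []
    if policy.get("state") != REPORT_ONLY:        # step 3: keep report-only
        findings.append("not report-only")
    if "All" in (users.get("includeUsers") or []):  # step 3: pilot groups only
        findings.append("targets all users")
    if included - pilot_groups:
        findings.append("non-pilot group included")
    if excluded not in (users.get("excludeGroups") or []):  # step 5: rollback path
        findings.append("exclusion group missing")
    return findings


def audit_export(policies):
    """Map each unsafe policy's displayName to its findings."""
    report = {p["displayName"]: audit_policy(p) for p in policies}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(findings)}")
```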
