Microsoft has announced the availability of Cross-Tenant Mobile Application Management in Edge for Business, rolling out in March 2026. The full documentation is available on Microsoft Learn: Cross-tenant support using Intune MAM .
The feature allows organisations to enforce Intune App Protection Policies on devices that are managed by a different tenant without requiring any additional app to be installed on the device.
It is interesting for a limited number of scenarios (with external users accessing internal resources through a browser).
What Microsoft Announced
When an external user accesses your organisation’s resources from a device managed by their own tenant, enforcing your data protection policies on that device is complicated. The device is enrolled somewhere else and you do not control it.
Intune App Protection Policies typically require either device enrollment in your tenant or at minimum the user signing into a supported app with your organisation’s account.
Cross-Tenant MAM in Edge for Business changes the approach. When an external user opens Edge for Business and authenticates with an account from your tenant, your Intune App Protection Policies are applied to that browser session regardless of which tenant manages the device.
No additional app is required on the device. Edge for Business is the enforcement point.
What It Means in Practice
Previously, enforcing data protection on a device managed on a different organization required either enrolling the device in your tenant or deploying additional managed apps, which adds friction and depends on the external organisation’s willingness to cooperate.
With this feature, the enforcement happens in Edge for Business. If your App Protection Policy restricts copy-paste, blocks downloads, or requires encryption, those controls apply to that browser session even though the device belongs to another tenant.
There are important details to note:
- The external user must use Edge for Business. The enforcement is tied specifically to that browser. Other browsers on the same device are not covered.
- Your App Protection Policies apply, not the external tenant’s. The policy that governs the session is defined in your Intune configuration.
- No device enrollment in your tenant is required. This is the key distinction from standard MAM or MDM-based approaches.
- The external user authenticates with your tenant account. The policy binding happens at sign-in. Without that authentication step, no policy is applied.
What to Keep in Mind
The feature is scoped to Edge for Business and to browser-based access. It does not extend protection to native apps, sync clients, or any access that happens outside of that browser context. If an external user is also running the OneDrive sync client or the Teams desktop app under your tenant account, this feature does not cover those surfaces.
It is also worth reviewing your existing App Protection Policies before this applies to external users. Policies that were designed with internal users in mind may need adjustment when applied to a cross-tenant context particularly around allowed apps, clipboard restrictions, and data transfer settings.
Conclusion
Cross-Tenant MAM in Edge for Business fills a specific but important gap: enforcing data protection on devices you do not manage, without requiring enrollment or additional apps. For organisations that regularly work with external contractors or partners accessing internal resources through a browser, this simplifies what was previously a difficult problem to solve cleanly.
The enforcement is scoped to Edge for Business, which is both the limitation and the mechanism that makes it work without touching the rest of the device.
I hope this helps clarify what the feature actually does.
