How can you secure Microsoft 365 without compromising productivity?
15-08-2023

by Dean Phillips, Practice Lead - Modern Workplace

In the digitally-driven era we live in, security is paramount. Yet, maintaining productivity while ensuring the highest level of security can be a balancing act. In this blog, I’m going to be exploring an exciting new capability which will revolutionise access to Microsoft 365 services such as Exchange, SharePoint and Microsoft Teams, from unmanaged devices.

So, what's the problem?

When Office 365 launched way back in 2011, it promised anywhere, anytime, any device access to cloud-based collaboration services. Those promises really came to the forefront for most organisations some 9 years later at the start of the Covid-19 pandemic, when employees were hurried home and tasked with using any computer they had at their disposal. However, CISOs everywhere are waking up to the harsh realities of ‘any device’ access to their corporate data.  

The unfiltered access to corporate data that is contained in Microsoft 365 and the data leakage risk this presents can no longer be ignored. However, after years of open access which fuelled productivity and gave a great user experience, how can CISOs ensure that corporate data remains secure, without simply pulling up the drawbridge on unmanaged device access and receiving a barrage of complaints from the end user community? 

Let’s first start by looking at what controls exist today. 

Microsoft’s Bring Your Own Device (BYOD) solution 

Mobile Application Management (MAM) has been around for many years and enables organisational policies to be enforced at the app layer, on mobile devices running Android or iOS. Controls include copy and paste restrictions to prevent data loss and requiring a PIN code on app launch. This negates the traditional requirement to enrol and fully manage BYOD devices to keep corporate data secure. It also addresses end user privacy concerns over the level of control they provide their organisation in a fully managed device scenario, all whilst providing end users with access to corporate apps and services from a device of their choosing and convenience. 

What about desktops? 

Whilst MAM provides comprehensive data and security controls for mobile devices, somewhat ironically, Microsoft haven’t provided a very robust solution for desktop operating systems like Windows or macOS. At present, only Exchange and SharePoint Online offer some level of data leakage control, but this is positioned as helping to avoid accidental data leakage rather than anything with intent. These controls attempt to contain the user’s session within the web browser, by removing the option to download or print attachments from emails or files from SharePoint. However, these are unfortunately easily circumvented with simple tools like copy and paste. 

Microsoft have been all too aware of the hole in their BYOD offering and shared a sneak peek of their proposed solution at Microsoft Ignite 2020, but it has taken until 2023 for them to let IT admins get their hands on a preview version.

MAM for Edge on Windows 

Building on the success of MAM on Android and iOS devices, Microsoft have finally released the long-awaited public preview of ‘MAM for Edge.’ Okay, so perhaps the name ‘Mobile Application Management’ is somewhat confusing since we’re talking about application management on a desktop operating system, but the success of MAM has made it synonymous with securing BYOD access.

Think of MAM for Edge as a DLP-lite solution, which isolates corporate data within the Edge browser. Before any access to corporate data is authorised, Conditional Access policies ensure a BYOD device has a healthy anti-virus state and a minimum Windows patch version. Crucially, MAM for Edge works with any Azure AD integrated application, not just Exchange and SharePoint Online, and it enforces controls such as prohibiting copy and paste and the download of any files within the session, much like it does on mobile device operating systems.
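An added example (not from the original post or from Microsoft): a small audit over exported Conditional Access policies that tells apart the browser-session restrictions described above for Exchange and SharePoint from an app-protection requirement of the kind MAM for Edge relies on. Field names follow the Microsoft Graph conditionalAccessPolicy schema; treating the `compliantApplication` grant on Windows browser sessions as the MAM for Edge requirement is an assumption, and the sample policies are constructed.

```python
import json

# Constructed sample export, shaped like Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_POLICIES = json.loads("""
[
  {"displayName": "BYOD web - limited session", "state": "enabled",
   "conditions": {"clientAppTypes": ["browser"],
                  "platforms": {"includePlatforms": ["all"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
   "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": true}}},
  {"displayName": "BYOD Windows - app protection (pilot)",
   "state": "enabledForReportingButNotEnforced",
   "conditions": {"clientAppTypes": ["browser"],
                  "platforms": {"includePlatforms": ["windows"]}},
   "grantControls": {"operator": "OR", "builtInControls": ["compliantApplication"]},
   "sessionControls": null}
]
""")

def classify(policy):
    """Return which data control a policy applies to Windows browser sessions."""
    cond = policy.get("conditions") or {}
    # A missing platform or client-app condition means the policy applies to all.
    platforms = (cond.get("platforms") or {}).get("includePlatforms") or ["all"]
    apps = cond.get("clientAppTypes") or ["all"]
    if not ({"windows", "all"} & set(platforms)) or not ({"browser", "all"} & set(apps)):
        return "not-applicable"
    grants = (policy.get("grantControls") or {}).get("builtInControls") or []
    session = policy.get("sessionControls") or {}
    if "compliantApplication" in grants:  # assumed MAM for Edge requirement
        return "app-protection"
    if (session.get("applicationEnforcedRestrictions") or {}).get("isEnabled"):
        return "limited-web-session"  # Exchange/SharePoint browser-only controls
    return "no-data-control"

def audit(policies):
    """Map each policy name to (control, enforced?). Report-only counts as not enforced."""
    return {p["displayName"]: (classify(p), p.get("state") == "enabled") for p in policies}

def windows_browser_gap(policies):
    """True when no enforced policy requires app protection for Windows browsers."""
    return not any(c == "app-protection" and on for c, on in audit(policies).values())

if __name__ == "__main__":
    for name, (control, enforced) in audit(SAMPLE_POLICIES).items():
        print(f"{name}: {control} (enforced={enforced})")
    print("Windows browser gap:", windows_browser_gap(SAMPLE_POLICIES))
```

A policy left in report-only state during a pilot still shows up as a gap here, which is the case most worth catching before relying on the control.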

Sounds great, how do I get started? 

Right now, MAM for Edge is in public preview and requires manual tenant opt-in. It is not currently recommended for production environments, but you can learn more about it in this short Microsoft demo. Once it is made Generally Available, we’ll be promoting its use across our customers, as the go-to BYOD solution for secure access to corporate apps and services from desktop operating systems.

As a longstanding Microsoft Partner with specialisations including Infrastructure (Azure), Azure Virtual Desktop Advanced Specialisation, and Digital & App Innovation (Azure), Advanced are the ideal partner to help you create an empowering roadmap, unlocking the capacity and flexibility to take your business into a stronger future. Simply contact us today to get started.

Published by Dean Phillips, Practice Lead - Modern Workplace

Dean has been with Advanced for over 7 years and has extensive experience in both operational and pre-sales (or strategic) roles. He is an accredited Microsoft 365 Expert and leads our Modern/Digital Workplace strategy, helping our customers adopt the latest technology solutions, which enable their colleagues to be productive from anywhere, in a secure manner.