maciejrebisz.com

Can you install a browser extension in your personal Microsoft Edge profile, even when it is blocked by policy? – Cloud First

maximios August 15, 2025

When Edge is set up as an enterprise browser with corporate policies, you can configure Microsoft Edge policies for managed devices in Microsoft Intune. The personal profile is only a lightly managed profile, even on a managed device.

Only the following categories are automatically inherited from the work profile in the Microsoft Edge browser.

  • Security
  • Data Compliance
  • Microsoft Edge Update

You can see the complete list of policies that apply only to the Microsoft Edge work browser here: https://learn.microsoft.com/en-us/DeployEdge/edge-learnmore-personal-browser-policies

In this case you, as an IT admin, want to control which browser extensions are installed on your corporate devices. One way of doing that is to use Microsoft Edge baseline version 128, where the recommendation is to block all extensions; you can then create a specific allow list.

In the baseline, the policy “Control which extensions cannot be installed” is enabled and configured with “*”, so the policy prevents the end user from installing any extension, and the policy is device-wide.

In your work profile, where you are signed in with your corporate Entra ID, you try to install an extension, in this case “Dino Roar”, and the end user gets a message that it is blocked by your administrator.

Let's check what the policy says now by entering edge://policy in your Edge work profile.

If we go to edge://policy we can verify that the policy has effect on the device and the status is OK.

As the policy is a device policy, you would expect it to apply to everything on the device. So let's try to sign in to Microsoft Edge with a personal account (MSA): now you are allowed to install the same browser extension, “Dino Roar”, that you were blocked from installing in the profile signed in with your Entra ID.

Let's check what the policy says now by entering edge://policy in your personal Edge profile.

It still shows that ExtensionInstallBlocklist applies to Device – but now the status shows as Ignored.

Let's say that you want to block the installation of browser extensions on your corporate devices. One option is to restrict which accounts can be used to sign in to Microsoft Edge.

You can create the policy in Microsoft Intune by going to https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/~/configuration. Click Create, then New policy, select Platform Windows 10 and later and Profile type Settings catalog, and click Create.

Enter the name “Microsoft Edge – Restrict accounts” and the description “Restrict which accounts can be used to sign in to Microsoft Edge”.

Search for “Restrict which accounts can be used to sign in to Microsoft Edge” and select “Restrict which accounts can be used to sign in to Microsoft Edge”.

You need to enable the policy setting and enter which Entra domain name can be used in Microsoft Edge. In my case I enter .*@osddeployment.dk in “Restrict which accounts can be used as Microsoft Edge primary accounts (Device)”.

Then you just need to assign it to a group of users or devices – and wait for your devices to sync.

If you are already signed in with an account that is not in the list, you will get a message like the one I got for my personal account in Microsoft Edge.

If you try to Set up new personal profile in Microsoft Edge, you get the message “Your profile doesn’t have sign-in permissions”.

You can read more about the policy here: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#restrict-which-accounts-can-be-used-to-sign-in-to-microsoft-edge
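
To confirm on a device that both policies arrived, the following PowerShell check (an added example, not from the original post) reads ExtensionInstallBlocklist and the sign-in pattern from the registry and tests sample accounts against the pattern. It assumes the policies are written under HKLM\SOFTWARE\Policies\Microsoft\Edge, that the sign-in setting's policy name is RestrictSigninToPattern, and that Edge matches the pattern against the whole account name, case-insensitively; the function names and sample accounts are constructed.

```powershell
# Added example: audits the local Edge policy state for the gap described above.
# Assumption: Intune-delivered Edge policies land under this machine policy key.
$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgeExtensionBlocklist {
    # ExtensionInstallBlocklist is stored as numbered string values in a subkey.
    $key = Join-Path $edgeKey 'ExtensionInstallBlocklist'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    return @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

function Get-EdgeSigninPattern {
    # Assumed policy name for the sign-in restriction: RestrictSigninToPattern.
    $props = Get-ItemProperty -Path $edgeKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.RestrictSigninToPattern
}

function Test-EdgeSigninAllowed {
    param([string]$Account, [string]$Pattern)
    # Assumption: the whole account name must match, ignoring case.
    return [regex]::IsMatch($Account, "^(?:$Pattern)$", 'IgnoreCase')
}

$blocklist = Get-EdgeExtensionBlocklist
$pattern   = Get-EdgeSigninPattern

if (($blocklist -contains '*') -and (-not $pattern)) {
    # The situation from the post: blocklist set, but any account may sign in.
    Write-Warning ('All extensions are blocklisted, but sign-in is not restricted; ' +
                   'a personal profile can show the blocklist as Ignored.')
}
elseif ($pattern) {
    # Constructed sample accounts; replace them with the ones you want to test.
    foreach ($acct in 'alice@osddeployment.dk', 'alice@outlook.com') {
        '{0,-26} allowed: {1}' -f $acct, (Test-EdgeSigninAllowed $acct $pattern)
    }
}
else {
    Write-Output 'Neither the "*" blocklist nor a sign-in pattern is set on this device.'
}
```

Compare the result with edge://policy in each profile, which remains the authoritative view of what Edge actually applied.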

If you have requirements on what browser extensions your end users are allowed to install on their devices, it might be a good idea to also restrict who is allowed to sign in to your Microsoft Edge browser.
I just showed you one way to do that with Microsoft Intune.
