Microsoft Edge for Business: Protected Clipboard (In Preview)

Introduction

Protected Clipboard in Microsoft Edge for Business is designed to help organizations safeguard sensitive data by controlling copy and paste actions between managed and unmanaged web applications. By leveraging configurations in Purview DLP policies targeting managed cloud apps, Protected Clipboard helps ensure that data remains within admin-defined trusted boundaries, reducing the risk of accidental or intentional data leakage, especially as users interact with modern SaaS and GenAI tools.

Protected Clipboard in Edge for Business empowers organizations to protect sensitive data at the clipboard level, balancing security and productivity. With policy-driven enforcement, silent user experience, and flexible admin controls, it’s a modern solution for today’s browser-based workflows.

Note

This document is primarily focused on implementation using Microsoft Purview DLP policies targeting managed cloud apps with Edge for Business (E5). For organizations using Microsoft 365 E3 with Intune Mobile Application Management (MAM), see the section below for how Protected Clipboard applies to work profiles.


About Screen Capture protection

For a stronger, unified story around clipboard protection, Edge for Business also includes Screen Capture protection. This feature restricts screenshots and recordings during protected browsing sessions to keep sensitive enterprise data secure. When enabled, screen capture is automatically blocked only on pages or sites where a Copy:Block policy is active. Screenshots are treated as an extension of copy protection, helping prevent unauthorized data exfiltration via screen capture, alongside clipboard controls.

When the Protected Clipboard toggle is configured in the Edge Management Service portal, the Screen Capture Protection policy will also be enabled by default. This ensures that both clipboard and screen capture controls work together to prevent data leakage. Screenshots can be used to bypass clipboard restrictions, so enabling both policies by default provides a more comprehensive layer of protection for sensitive enterprise data.

Note

The Screen Capture protection policy only applies to sites/pages with a Copy:Block Purview DLP policy. It doesn't block screenshots globally; enforcement is limited to locations where copy protection is active.

Scope summary: On the E5 Purview path, Screen Capture protection (SCP) is per-site/per-app: it activates only where a Copy:Block rule is active. On the E3 Intune MAM path, SCP is profile-wide: it activates as a side effect of the MAM clipboard policy and applies to every tab in the Edge work profile.

For organizations seeking broader screenshot restrictions than those enforced through Purview DLP policies targeting managed cloud apps, Microsoft Edge also supports global controls such as the DisableScreenshots policy.


Requirements

To use Protected Clipboard and Screen Capture protection, ensure your environment meets the following prerequisites:

| Component | Required For |
| --- | --- |
| Microsoft Edge for Business (latest) | All scenarios |
| Microsoft 365 E5 (or E5 Compliance / E5 Security add-on) | Purview DLP + MDA session controls (E5) |
| Microsoft 365 E3 with Intune MAM | E3 work-profile boundary path |
| Microsoft Defender for Cloud Apps (MDA) | In-browser protection toggle (E5) |
| Entra ID P1+ | Conditional Access policy (E5) |
| Access to Edge Management Service portal | Protected Clipboard toggle |
| Access to Microsoft Purview portal | DLP policy creation (E5) |

Defining Trusted Boundaries for E5

Protected Clipboard in Microsoft Edge for Business lets organizations define how and where sensitive data can move via copy and paste. By configuring Purview DLP policies, admins can establish their trusted boundary. A trusted boundary means that data inside the boundary can't leave: it is blocked from being pasted outside. At the same time, data from outside the boundary can enter, so it can be pasted inside when needed.

We describe a trusted boundary as a set of managed web apps and sites where clipboard data can safely flow. Attempts to move data outside this boundary (for example, into unmanaged apps, personal browser tabs, or GenAI tools) are silently blocked, reducing the risk of data leaks without disrupting user productivity.

Trusted boundaries are established through configurations made in Purview DLP policies targeting managed cloud apps. Admins can:

  • Specify managed cloud apps to include in the policy boundary
  • Target policies to specific users or groups
  • Adjust boundaries as organizational needs evolve

When a Purview DLP policy targeting managed cloud apps is active with a rule applied to the Copy action, Edge automatically enforces clipboard controls based on these boundaries, helping prevent sensitive data from being pasted outside of the trusted boundary.


Trusted Boundary for E3

Protected Clipboard is also available for organizations using Microsoft 365 E3 with Intune Mobile Application Management (MAM). In this scenario, the trusted boundary is the Edge work profile. All copy/paste actions are restricted within the managed work profile. That is, data can't be pasted outside the profile, ensuring sensitive information remains protected even on BYOD or unmanaged devices. For more information about configuring this scenario, see Protected Clipboard within MAM profiles.

  • Trusted Boundary: Edge work profile (Entra ID identity)
  • Policy Enforcement: Admins configure Intune MAM policies to restrict copy/paste within the work profile.
  • User Experience: Copy/paste is allowed only between sites and apps inside the managed profile. Attempts to paste outside the profile are blocked with the message: “Your organization’s data can't be pasted here.”

Why Modes Matter

Different organizations and scenarios require different levels of governed clipboard control. Protected Clipboard offers several enforcement modes, each shaping the trusted boundary in a unique way. These modes let you balance security and productivity, helping protect data sharing while users can work efficiently within approved environments. Admins can adjust these boundaries as organizational needs evolve.


Protected Clipboard Modes Explained

| Mode | What Happens to Data? (Trusted Boundary Outcome) | Purview DLP Policy for managed cloud apps |
| --- | --- | --- |
| Not configured | Data can move freely. No trusted boundary is enforced. | Users can copy and paste between managed apps. Purview policy rules are enforced, which can include blocking copy. |
| Tab-Only | Data stays within the trusted boundary of the same browser tab. Copy/paste is blocked outside that tab. | Activated by using Copy:Audit or Copy:Block configurations. Allows a managed app with Audit or Block to copy/paste within the same tab. |
| Shared Boundary | These managed apps form a shared trusted boundary. Clipboard data can't leave this group of managed apps. | Activated by Copy:Block configurations. Only managed apps with Block share clipboard. Managed apps in audit-only policies are excluded and not part of the boundary. |
| Hybrid | These sites share a broader trusted boundary. | Activated by Copy:Audit or Copy:Block configurations. Apps with Audit can paste into apps with Block. Managed apps with Block can't paste into apps with Audit. Managed apps with Block are limited to same-tab behavior. |

All modes require a Purview DLP policy, set up in Microsoft Purview, with a rule that uses the Copy configuration.
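
As an added example (not Microsoft's code and not Edge's enforcement logic), the following Python model encodes the modes table as a paste-decision function and lists the source/destination pairs a validation test should find blocked. The `Tab` type, the `audit`/`block`/`unmanaged` labels, the pilot layout and the behaviors marked as assumptions in the comments are this example's reading of the table; "Not configured" is left out because its outcome depends on the Purview rule alone.

```python
from dataclasses import dataclass
from itertools import product

# Labels are this example's own. UNMANAGED means no Copy rule covers the app.
AUDIT, BLOCK, UNMANAGED = "audit", "block", "unmanaged"
MODES = ("tab-only", "shared", "hybrid")


@dataclass(frozen=True)
class Tab:
    tab_id: int
    rule: str  # AUDIT, BLOCK or UNMANAGED


def paste_allowed(mode: str, src: Tab, dst: Tab) -> bool:
    """Expected result of copying in src and pasting in dst, per the modes table."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if src.rule == UNMANAGED:
        return True   # data from outside the boundary can enter
    if src.tab_id == dst.tab_id:
        return True   # every mode allows copy/paste within the same tab
    if mode == "tab-only":
        return False  # Audit and Block apps are both confined to their tab
    if mode == "shared":
        if src.rule == AUDIT:
            return True           # assumption: audit-only apps sit outside the boundary
        return dst.rule == BLOCK  # Block apps share a clipboard only with each other
    # hybrid
    if src.rule == BLOCK:
        return False              # Block apps are limited to same-tab behavior
    return dst.rule in (AUDIT, BLOCK)  # assumption: Audit data stays in managed apps


def blocked_pairs(mode: str, tabs: list) -> list:
    """(source tab_id, destination tab_id) pairs where paste should be refused."""
    return [(s.tab_id, d.tab_id) for s, d in product(tabs, repeat=2)
            if not paste_allowed(mode, s, d)]


# Constructed pilot layout: two Block apps, two Audit apps, one unmanaged site.
PILOT_TABS = [Tab(1, BLOCK), Tab(2, BLOCK), Tab(3, AUDIT), Tab(4, AUDIT), Tab(5, UNMANAGED)]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, blocked_pairs(mode, PILOT_TABS))
```

Each pair returned by `blocked_pairs` is one copy/paste attempt to try by hand during validation; a pair that pastes successfully points to a rule or mode that is not applied as intended.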


How to Choose a Mode

  • Start with your data protection goals: Do you want to keep data within a single app, groups of apps, or allow broader sharing within trusted apps?
  • Consider user workflows: If users need to copy between multiple managed apps, Shared Boundary or Hybrid may be best. For strict isolation, Tab-Only is ideal.
  • Monitor and adjust: Use reporting to see how policies are working and refine your trusted boundaries as needed.

Getting started

Protected Clipboard is designed for simplicity and seamless integration into your existing security workflows. To get started, refer to "Help Prevent Users from Sharing Sensitive Info with Cloud Apps in Edge for Business" on Microsoft Learn.

Setting up Protected Clipboard with Purview DLP requires configuration across four portals in this order:

Step 1 — Entra: Create a Conditional Access policy

  1. Navigate to entra.microsoft.com > Conditional Access > New policy.
  2. Under Assignments > Users, select your pilot user group.
  3. Under Target resources > Cloud apps, select Office 365. This is an example configuration. You can select any apps connected to your tenants with Entra.
  4. Under Conditions > Client apps, select Browser only.
  5. Under Session, select Use Conditional Access App Control > Use custom policy.
  6. Enable and save the policy.
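
To check an existing policy against the Step 1 settings, the following added example (not Microsoft's tooling) audits a policy exported as Microsoft Graph conditionalAccessPolicy JSON. The sample policy, its placeholder name and group ID, and the `check_ca_policy` function are constructed for illustration; the mapping of "Use custom policy" to `mcasConfigured` is this example's assumption.

```python
import json

# Constructed sample in the Microsoft Graph conditionalAccessPolicy shape.
# The display name and group ID are placeholders, not values from this page.
SAMPLE_POLICY = json.loads("""
{
  "displayName": "PLACEHOLDER - Protected Clipboard pilot",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {"includeGroups": ["00000000-0000-0000-0000-000000000000"]},
    "applications": {"includeApplications": ["Office365"]},
    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]
  },
  "sessionControls": {
    "cloudAppSecurity": {"isEnabled": true, "cloudAppSecurityType": "monitorOnly"}
  }
}
""")


def check_ca_policy(policy: dict) -> list[str]:
    """Return deviations from the Step 1 settings; an empty list means a match."""
    findings = []
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}

    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; item 6 enables the policy")
    if not (users.get("includeGroups") or users.get("includeUsers")):
        findings.append("no users or groups assigned (item 2)")
    if not apps:
        findings.append("no target cloud apps selected (item 3)")
    if cond.get("clientAppTypes") != ["browser"]:
        findings.append(f"client apps are {cond.get('clientAppTypes')}; item 4 selects Browser only")
    if not cas.get("isEnabled"):
        findings.append("Conditional Access App Control is not enabled (item 5)")
    elif cas.get("cloudAppSecurityType") != "mcasConfigured":
        # Assumption: 'Use custom policy' in the portal is 'mcasConfigured' in Graph.
        findings.append("App Control is not set to 'Use custom policy' (item 5)")
    return findings


if __name__ == "__main__":
    for finding in check_ca_policy(SAMPLE_POLICY):
        print("-", finding)
```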

Step 2 — Authenticate once to register apps with CA App Control

After the CA policy is live, at least one targeted user must sign in to one of the in-scope cloud apps (Outlook on the web, OneDrive, SharePoint, etc.) before continuing. Apps only appear in Defender's CA App Control apps list after a user authenticates through the CA policy for the first time. If the list is empty, Edge for Business won’t detect the CA policy and the Purview DLP policy will not enforce.

To verify Step 2 worked: In security.microsoft.com > System > Settings > Cloud apps > Conditional Access App Control apps, confirm at least one app appears with Status: Enabled, IDP: Entra ID app.

Step 3 — Defender for Cloud Apps: Turn on Edge for Business browser protection

  1. Navigate to security.microsoft.com > System > Settings > Cloud apps > Conditional access app control > Edge for Business protection.
  2. Set Edge for Business browser protection = ON.
  3. Set Enforce usage = Allow access only from Edge (required).
  4. Set Enforce for which devices = All devices or Unmanaged devices only.
  5. Set Notify users in non-Edge browsers = ON.
  6. Save.

Step 4 — Purview: Create the DLP policy with the Copy rule

  1. Navigate to purview.microsoft.com > DLP > Policies > Create policy.
  2. Under Location, select Managed cloud apps (located at the bottom of the locations list).
  3. Edit the location and add the same target apps as in your CA policy (for example: Exchange Online, SharePoint Online, etc.).
  4. Set Rule condition = Device is managed or Device is unmanaged (create two rules if you target both device states).
  5. Set Activity = Copy > Enforcement = Block.
  6. Enable and save the policy.

If you see a "Conditional Access policy not found" banner, confirm the settings are correct for the CA policy and the Edge for Business protection in Step 2 and 3.

Step 5 — Edge Management Service: Enable Protected Clipboard

  1. Go to the Microsoft 365 admin center and sign in.
  2. In the main left navigation bar, go to Settings > Microsoft Edge.
  3. Create a configuration policy (defaults are fine).
  4. Edit the policy > Customization settings > Security settings.
  5. Set Protected Clipboard = ON > Select enforcement mode (typically Shared Boundary).
  6. Save and assign.

Step 6 — Wait for propagation, then test

  • Browser policies typically apply within ~1 hour; full propagation can take up to a day.
  • Verify on an unmanaged device (our hero scenario) or a device matching the condition set in the policy by signing into a targeted user account, copying from a managed app, and confirming paste is blocked outside the boundary.
  • Open edge://policy/ in the work profile to confirm Protected Clipboard policies appear as applied.

Note

When the Protected Clipboard toggle is configured in the Edge Management Service portal, the Screen Capture Protection policy will also be enabled by default. Refer to the section above for more information.



Common setup failures and how to fix them

| Symptom | Root cause | Resolution |
| --- | --- | --- |
| “Conditional Access policy not found” banner in Purview, or “Edge for Business settings not found” in Purview | CA policy config and/or Edge for Business config is missing or incorrect. | Check your CA policy configs and your Edge for Business configs (Step 2 and 3) |
| "Managed cloud apps" location is greyed out in Purview | Same as above | Same fix |
| Policy created but not enforcing | Propagation incomplete | Browser policies typically apply within ~1 hour; full propagation can take up to a day |
| Unpredictable behavior after manually creating a Defender session policy | Manual policy in Defender → Policies → Conditional Access conflicts with the auto-triggered policy | Delete the manual policy. The Purview policy auto-triggers MDA; manual creation is not required |
| Edge tabs redirecting to *.mcas.ms URLs | Hybrid fallback engaged because the policy includes actions Edge can't enforce in-browser | Expected for unsupported actions; review policy if undesired |
| Screenshot still works on a managed app page | Copy:Block rule isn't active on that specific URL/app | SCP is per-site/per-app on the E5 path. Verify the Purview rule's app/condition coverage |

Additional Customization (Coming Soon)

Protected Clipboard and related policy controls are currently in Preview. Additional customization options are planned for future releases, developed in close collaboration with the Microsoft Purview team. These improvements will allow for more granular enforcement and flexibility, and provide admins with greater control over data protection scenarios to fit unique business needs, user groups, and compliance requirements, delivering a more robust and adaptable security posture.

Please refer to the Microsoft 365 roadmap for Edge for Business for the most up to date information on feature availability.

Note

As these features are in Preview, functionality and availability may change. For the latest updates, refer to official Microsoft documentation and roadmap communications.

Feedback and support

This experience is supported by Microsoft Support. You can reach out to Microsoft Support to report issues or give feedback. You can also leave feedback in our TechCommunity forum.
