Introducing secure password deployment in Microsoft Edge for Business

In many organizations today, employees often resort to sharing passwords via sticky notes or emails. This not only exposes sensitive credentials to unintended recipients, but also increases the risk of those passwords being forwarded or misused. To address this concern, Microsoft Edge for Business offers secure password deployment—now generally available—as an enterprise-grade solution that helps enhance security and simplify access at no additional cost.

What is secure password deployment?

Secure password deployment allows administrators to deploy encrypted shared passwords to a set of users within their organization. With this feature, users receive the deployed passwords on their device and can seamlessly log into websites. This helps reduce the risk of unauthorized access by preventing end users from copying or sharing passwords with unintended audiences, thereby enhancing the overall security posture of the organization.

How does it work?

The secure password deployment feature is integrated into the Microsoft Edge management service within the Microsoft 365 admin center. Here, administrators can easily configure and manage browser settings for their organizations through configuration policies. Within a policy, admins can choose to deploy encrypted passwords to a specific group of users. By extending the familiar Autofill experience, admins are given a streamlined and intuitive interface to add, update, and revoke credentials as needed.

The Microsoft 365 admin center site, showing the Add credentials sidebar that's used to deploy credentials.

End-user experience

When a password is shared with an end-user, it appears in their Edge password manager, ready for autofill whenever they visit the corresponding site.

An email sign-in input on a website. The Edge password manager autofill box is displayed, showing the deployed credentials.

These passwords are accessible within Edge but cannot be viewed, edited, or deleted (unless a website allows it), or exported from the password manager. The admin-deployed passwords will automatically show up in the work profile in Edge, on managed Windows devices, ensuring a seamless and secure login experience.

Note that motivated users may use developer tools to reveal the passwords; you may restrict access to developer tools by configuring the DeveloperToolsAvailability policy.
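The following PowerShell is an added example, not part of the original post or of Microsoft's tooling: it audits whether DeveloperToolsAvailability is set to block developer tools on a Windows device. It assumes the policy reaches the device through the standard Edge policy registry keys (Group Policy or MDM); the function names are hypothetical.

```powershell
# Added example. DeveloperToolsAvailability values (Edge policy documentation):
#   0 = blocked only on extensions installed by enterprise policy (default)
#   1 = allowed everywhere
#   2 = not allowed
$EdgePolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine scope, takes precedence
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # user scope
)

function Get-EdgeDevToolsPolicy {
    # Return the first configured value, checking machine scope before user scope.
    foreach ($key in $EdgePolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name 'DeveloperToolsAvailability' `
                                 -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.DeveloperToolsAvailability
            return [pscustomobject]@{
                Source  = $key
                Value   = $value
                Blocked = ($value -eq 2)
            }
        }
    }
    # Nothing in the registry: Edge uses the default (0), so DevTools remain usable.
    [pscustomobject]@{ Source = 'not configured'; Value = $null; Blocked = $false }
}

function Set-EdgeDevToolsBlocked {
    # Requires an elevated session. Meant for a test machine; fleet-wide
    # deployment belongs in your policy management channel.
    $key = $EdgePolicyKeys[0]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DeveloperToolsAvailability' `
                     -PropertyType DWord -Value 2 -Force | Out-Null
}

$policy = Get-EdgeDevToolsPolicy
if (-not $policy.Blocked) {
    Write-Warning "DevTools not blocked (source: $($policy.Source), value: $($policy.Value))"
}
$policy
```

The registry reflects only policies written there; the edge://policy page in the browser lists the value Edge has actually applied and its source.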

The Wallet page in Microsoft Edge, showing the Passwords section. The pointer is hovering over a stored password and a tooltip indicates: Your organization has disabled the ability to view or copy this shared password.

Security and encryption

From the Edge management service

To ensure enterprise-grade security for credential deployment, the secure password deployment feature in the Microsoft Edge Management service integrates with the Microsoft Information Protection SDK (Protection SDK). This SDK enables identity-bound encryption, meaning that encrypted credentials can only be accessed by authenticated users within the organization.

By leveraging the Protection SDK, passwords are encrypted using strong, standards-based algorithms and are persistently protected wherever they reside. The encryption is tightly coupled with Entra identities, ensuring that access is automatically enforced based on organizational policies—without requiring manual key management or additional infrastructure.

This integration brings the power of Microsoft’s data protection platform directly into the Edge Management experience, giving administrators a seamless way to deploy credentials securely while aligning with Zero Trust principles and compliance requirements.

From Edge for Business

Edge for Business also integrates the Microsoft Information Protection SDK to securely decrypt credentials at runtime. When a user accesses a site that requires a deployed password, the browser uses the SDK to validate the user’s identity and then decrypts the credential using the same identity-bound protection applied during encryption.

This ensures that credentials are only accessible to authorized users, even on the endpoint. The decryption process is seamless and unobtrusive to the user, maintaining a familiar Autofill experience while enforcing strict access controls behind the scenes. Because the encryption is tied to Entra ID identities, the credentials remain protected even if copied or moved outside the browser context.

By embedding the Protection SDK directly into Edge for Business, we extend Microsoft’s data protection capabilities all the way to the endpoint—ensuring that sensitive information is safeguarded from configuration to consumption.

Get started with secure password deployment

To start using secure password deployment, first navigate to the Edge management service in the Microsoft 365 admin center. From there, choose an existing configuration policy or create a new configuration policy. Once inside the policy, navigate to the Customization Settings tab and then to the Secure password deployment page. This feature is available for Microsoft 365 Business Premium, E3, and E5 subscriptions, and requires the Edge admin or Global admin role.

Edge for Business continues to innovate, providing robust security features to meet the evolving needs of modern organizations. Embrace secure password deployment today and take a step towards a safer digital environment.

Author: Microsoft Edge Team
