Mastering URL Allow Lists in Microsoft Edge

URL allow lists are a crucial part of managing web access in enterprise environments, but they can be tricky to configure correctly, especially when it comes to handling subdomains in Microsoft Edge via Intune. Let’s dive into a common issue that many IT administrators face and its surprisingly simple solution.

The Challenge

Imagine you’re managing a corporate environment where you need to allow access to multiple subdomains. For example:

  • app1.contoso.com
  • app2.contoso.com
  • app3.contoso.com
  • portal.contoso.com

The Common Mistake

Most administrators’ first instinct is to use wildcards, resulting in something like:

*.contoso.com

This seems logical, but if you’ve tried this in Edge’s URL Allow List policy, you’ve probably found that it doesn’t work as expected. Your websites remain blocked, and you’re left wondering what went wrong.

The Solution

Here’s the surprising part: the solution is simpler than you might think. Instead of using wildcards, you just need to list the base domain:

contoso.com

This single entry automatically allows:

  • The base domain (contoso.com)
  • All subdomains (www.contoso.com, app.contoso.com)
  • Even nested subdomains (test.app.contoso.com)

The Dot Prefix: Exact Matching

Sometimes you want to match only a specific domain without including its subdomains. For this, add a dot prefix:

.portal.example.com

This matches only that exact domain, not its subdomains.

Practical Configuration Examples

Here’s how to structure your allow list properly:

# Allow all subdomains
example.com
contoso.com

# Exact matches only
.portal.example.net
.login.contoso.com

# IP addresses (wildcards still work here)
172.16.*
192.168.*
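To make the three matching rules above concrete, here is an added Python model of how a host is tested against an allow list of this shape. It is an example written for this post, not Edge's own matching code and not Microsoft's documented algorithm: it implements only what the post states (a bare domain covers itself and all subdomains, a leading dot means the exact host only, IP entries may end in `.*`) and, as an assumption, treats a `*.contoso.com` style entry as matching nothing, which is the "sites stay blocked" behaviour reported above. The allow list and probe hosts are constructed sample input. It also includes a small lint check for best practice 1 (flag hostname entries that still use `*`).

```python
"""Model of the Edge URL allow-list host-matching rules described on this page.

Constructed example: not Edge's code and not a documented Microsoft algorithm,
only a model of the rules the post states. How Edge really treats a '*.domain'
entry is an assumption here (modelled as "never matches").
"""

# Constructed sample allow list, copied from the post's configuration example.
EXAMPLE_ALLOWLIST = """
# Allow all subdomains
example.com
contoso.com

# Exact matches only
.portal.example.net
.login.contoso.com

# IP addresses (wildcards still work here)
172.16.*
192.168.*
"""


def parse_allowlist(text: str) -> list[str]:
    """Return the pattern entries, dropping blank lines and '#' comment lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line.lower())
    return entries


def _is_dotted_digits(value: str) -> bool:
    """True for strings made only of digits and dots, e.g. '172.16' or '10.0.0.1'."""
    return value != "" and value.replace(".", "").isdigit()


def host_matches(pattern: str, host: str) -> bool:
    """Decide whether one allow-list entry covers a single host name or IP address."""
    pattern = pattern.strip().lower()
    host = host.strip().lower().rstrip(".")

    # Rule 3 (from the post): an IP entry may end in '.*' and covers that octet prefix.
    if pattern.endswith(".*") and _is_dotted_digits(pattern[:-2]):
        prefix = pattern[:-2]
        return _is_dotted_digits(host) and (host == prefix or host.startswith(prefix + "."))

    # The post reports that '*.contoso.com' entries leave the sites blocked.
    # Modelled as "matches nothing" (assumption about the exact Edge behaviour).
    if "*" in pattern:
        return False

    # Rule 2 (from the post): a leading dot means this exact host only, no subdomains.
    if pattern.startswith("."):
        return host == pattern[1:]

    # Rule 1 (from the post): a bare domain covers itself and subdomains at any depth.
    return host == pattern or host.endswith("." + pattern)


def is_allowed(allowlist: list[str], host: str) -> bool:
    """True when at least one entry of the parsed allow list matches the host."""
    return any(host_matches(entry, host) for entry in allowlist)


def wildcard_domain_entries(allowlist: list[str]) -> list[str]:
    """Lint check for best practice 1: hostname entries that still contain '*'.

    IP prefixes such as '172.16.*' are left alone, since the post says they work.
    """
    return [
        entry for entry in allowlist
        if "*" in entry and not (entry.endswith(".*") and _is_dotted_digits(entry[:-2]))
    ]


if __name__ == "__main__":
    entries = parse_allowlist(EXAMPLE_ALLOWLIST)
    probes = ["app1.contoso.com", "test.app.contoso.com", "portal.example.net",
              "sso.portal.example.net", "notcontoso.com", "172.16.4.20", "172.160.4.20"]
    for probe in probes:
        print(f"{probe:26s} allowed={is_allowed(entries, probe)}")
    bad = parse_allowlist("*.contoso.com\n172.16.*\ncontoso.com")
    print("entries to replace with a bare domain:", wildcard_domain_entries(bad))
```

Running the script shows `sso.portal.example.net` rejected even though `portal.example.net` is allowed (the dot prefix at work), `notcontoso.com` rejected (suffix matching requires the dot boundary), and `172.160.4.20` rejected by `172.16.*` because the prefix is compared octet by octet rather than as a raw string.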

Best Practices

  1. Avoid using wildcards (*) for domains
  2. Use the base domain to allow all subdomains
  3. Add a dot prefix for exact domain matches
  4. Keep IP address wildcards as they are
  5. Document your URL patterns for future reference

Important Notes

  • IP addresses are the only place where wildcards still work as expected
  • The dot prefix method is particularly useful for specific service endpoints
  • This behavior is specific to Edge’s URL Allow List policy in Intune

Final Thoughts

Understanding how Edge’s URL filtering works can save you hours of troubleshooting and configuration time. Sometimes the simplest solution is the most effective one – in this case, less really is more.

Have you encountered similar issues with URL allow lists? How did you handle them? Share your experiences in the comments below!