Google Chrome (always sign-in issue) & Azure Conditional Access

When you sign in through the Google Chrome browser, Azure does not see that your device is Azure AD joined.

Because of this, the user needs to sign in to Office 365 (and complete MFA) again every time the browser has been closed.

Microsoft Edge does not have this behavior; Edge keeps the user signed in.

When you troubleshoot this issue and view the Sign-in logs of Azure AD, you see that the Join Type is empty for sign-ins to Office 365 made with Google Chrome.

To resolve this problem you need to install the Windows 10 Accounts extension in Google Chrome. 

“For Chrome support in Windows 10 Creators Update (version 1703) or later, install the Windows 10 Accounts extension. This extension is required when a Conditional Access policy requires device-specific details.”

Before the extension is installed, Browser is Chrome and the Join Type is blank.

After the extension is installed, Browser is Chrome and the Join Type is filled with the correct information; in this case the Sign-in log shows Azure AD Joined.

The Windows 10 accounts extension can be installed manually via the Google Chrome store.

https://chrome.google.com/webstore/category/extensions


It’s also possible to automatically deploy this extension to Chrome (enterprise) browsers.

To do this we need to create the following registry key:

Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist

Name: 1

Type: REG_SZ (String)

Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

After successful installation, you can check whether Windows 10 Accounts shows up on the installed extensions page in Chrome via this link:

chrome://extensions/
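
The registry step above as a PowerShell script, added here as an example (it is not from the original post). It goes slightly beyond the single value named 1: if other forced extensions already occupy that name, it uses the next free index instead of overwriting, and it does nothing when the extension ID is already listed. It assumes an elevated session, since it writes to HKLM.

```powershell
# Added example: force-install the Windows 10 Accounts extension via Chrome policy.
# Assumption: run from an elevated PowerShell session (the script writes to HKLM).
$path  = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$entry = 'ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx'
$extId = $entry.Split(';')[0]

# Create the policy key if it does not exist yet.
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Read the existing forcelist values (value names are 1, 2, 3, ...).
$key      = Get-Item -Path $path
$existing = @{}
foreach ($name in $key.GetValueNames()) {
    $existing[$name] = [string]$key.GetValue($name)
}

# Is the extension ID already listed under any value name?
$present = $existing.GetEnumerator() | Where-Object { $_.Value -like "$extId*" }

if ($present) {
    Write-Output "Already listed under value name '$($present.Name)'."
} else {
    # Use the lowest free index so other forced extensions are not overwritten.
    $index = 1
    while ($existing.ContainsKey([string]$index)) { $index++ }
    New-ItemProperty -Path $path -Name ([string]$index) -Value $entry `
        -PropertyType String | Out-Null
    Write-Output "Added under value name '$index'."
}

# Print the resulting forcelist so the change can be verified.
$key = Get-Item -Path $path
foreach ($name in $key.GetValueNames()) {
    '{0} = {1}' -f $name, $key.GetValue($name)
}
```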


3 thoughts on “Google Chrome (always sign-in issue) & Azure Conditional Access”

  1. Gary

    Hi,
    We are still getting the same issue even after installing the Windows account extension. Azure sign in logs show no device ID and Join type.
    How do we force sign in to windows account extension? Also whenever there is a new update for Chrome, users start to face the same issue.

    Please advise.
    Thank you
    Gary

    • yves (Post author)

      Hi Gary,

      I don’t have this issue anymore.

      Although we are now in migration phase to the new Edge because with Office 365 and Intune management this is the preferred and better manageable way for us to go.

      I will check later if I can reproduce your issue.

      regards, Yves
