When you sign in through the Google Chrome browser, Azure AD does not see that your device is Azure AD joined.
Because of this, the user needs to sign in to Office 365 (and complete MFA) again every time the browser is closed.
Microsoft Edge does not have this behavior; Edge keeps the user signed in.
When you troubleshoot this issue and view the Azure AD sign-in logs, you see that when Google Chrome is used to sign in to Office 365 the Join Type is empty.
To resolve this problem, you need to install the Windows 10 Accounts extension in Google Chrome.
“For Chrome support in Windows 10 Creators Update (version 1703) or later, install the Windows 10 Accounts extension. This extension is required when a Conditional Access policy requires device-specific details.”
Before the extension is installed, Browser is Chrome and the Join Type is blank.
After the extension is installed, Browser is Chrome and the Join Type is filled with the correct information; in this case the sign-in log shows Azure AD Joined.
The Windows 10 Accounts extension can be installed manually via the Google Chrome store.
It’s also possible to automatically deploy this extension to Chrome (enterprise) browsers.
To do this we need to create the following registry key:
Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
Name: 1
Type: REG_SZ (String)
Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx
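One way to script the registry value above so it can be pushed to many machines (an added example, not part of the original post). It goes slightly beyond the post by assuming the force list may already contain other extensions: instead of always writing the name 1, it picks the next free number and skips the write if the extension ID is already listed.

```powershell
# Added example: force-install the Windows 10 Accounts extension via Chrome policy.
# Run in an elevated PowerShell session (writing to HKLM requires administrator rights).
$KeyPath = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$Entry   = 'ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx'
$ExtId   = $Entry.Split(';')[0]

# Create the policy key if no forced extensions have been configured yet.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Read the existing numbered values (1, 2, 3, ...) under the key.
$key = Get-Item -Path $KeyPath
$existing = foreach ($name in $key.GetValueNames()) {
    [pscustomobject]@{ Name = $name; Data = [string]$key.GetValue($name) }
}

# Idempotence: do nothing if the extension ID is already on the force list.
$match = $existing | Where-Object { $_.Data -like "$ExtId*" }
if ($match) {
    Write-Output "Already present as value '$($match.Name)': $($match.Data)"
}
else {
    # Assumption beyond the post: use the next free number so that other
    # forced extensions already stored under 1, 2, ... are not overwritten.
    $used = @($existing | Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [int]$_.Name })
    $next = 1
    while ($used -contains $next) { $next++ }

    New-ItemProperty -Path $KeyPath -Name "$next" -Value $Entry -PropertyType String |
        Out-Null
    Write-Output "Added value '$next' to $KeyPath"
}

# Show the resulting policy values for verification.
Get-ItemProperty -Path $KeyPath | Select-Object -Property * -ExcludeProperty PS*
```

Chrome reads policy at startup, so restart the browser before checking the installed extensions page.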
After successful installation you can check whether Windows 10 Accounts shows up on the installed extensions page in Chrome, via this link:
4 thoughts on “Google Chrome (always sign-in issue) & Azure Conditional Access”
We are still getting the same issue even after installing the Windows account extension. Azure sign in logs show no device ID and Join type.
How do we force sign in to windows account extension? Also whenever there is a new update for Chrome, users start to face the same issue.
I don’t have this issue anymore.
Although we are now in migration phase to the new Edge because with Office 365 and Intune management this is the preferred and better manageable way for us to go.
I will check later if I can reproduce your issue.
Kind of seems like anti-competitive behavior on Microsoft’s part, doesn’t it? They just make it annoying to use Chrome at your workplace.
We still have issues with the add-in. On all our systems (doesn't matter if fresh installed via Autopilot or hybrid joined devices) the add-in is enabled in Chrome but still doesn't hand over the device ID and join type. Any idea how to debug this?