I see more and more enabling MFA (Multifactor Authentication) to secure access to Office 365. The challenge is to make the environment more secure but still keeping the users productive and asking for MFA several times a day is not a way of doing it – we want Single Sign-On as much as possible with as many apps as possible.

Consider the following scenario: You configure an Azure AD Conditional Access policy that requires either MFA or a Hybrid Azure AD joined device. The result would be that during their normal working day they will get Single Sign-On but from any other device they will get prompted for MFA.


Testing this out using IE and Edge works and Azure AD Sign-ins log is your friend here to show it works and, as expected, it can identity device browser, the Conditional Access Succeed and MFA is not required:


The details > Device info reveals it could successfully identify the Join Type as Hybrid Azure AD joined:


But what about Chrome? This will challenge for MFA:


It seems like the log can’t see the device is Hybrid Azure AD joined:



Seems like this is by design. Sure, Microsoft tells us it’s supported but scroll down and you see it requires Windows 10 Creators Update (version 1703) or later, and installing this extension. To automatically deploy this extension to Chrome browsers, create the following registry key:

  • Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
  • Name: 1
  • Type: REG_SZ (String)
  • Data: ppnbnpeolgkicgegkbkbjmhlideopiji;

Check this blog post out how to perform it automatically via GPO or this blog post using PowerShell scripts and Intune.

There’s one other thing. If you want the same functionality in Windows Server 2016 (if you’re running Remote Desktop environments), you will notice the support says Coming soon (however, on 2019 Mar 22, they removed this column according to Github but it still does not work properly):


Vote on the user voice if you want it.

I also wish that Google would include this functionality by default so we wouldn’t need to deploy the extension to all clients.