Azure_AD-and-Chrome

I see more and more organisations enabling MFA (Multifactor Authentication) to secure access to Office 365. The challenge is to make the environment more secure while keeping users productive, and asking for MFA several times a day is not the way to do it. We want Single Sign-On as much as possible, with as many apps as possible.

Consider the following scenario: you configure an Azure AD Conditional Access policy that requires either MFA or a Hybrid Azure AD joined device. The result is that users get Single Sign-On from their corporate devices during the normal working day, but are prompted for MFA from any other device.

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined1

Testing this with IE and Edge works. The Azure AD Sign-ins log is your friend here to show that it works: as expected, it identifies the device and browser, the Conditional Access policy shows Success and MFA is not required:

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined2

Details > Device info reveals that it could successfully identify the Join Type as Hybrid Azure AD joined:

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined3

But what about Chrome? Chrome is challenged for MFA:

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined4

The log cannot see that the device is Hybrid Azure AD joined:

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined5-chrome-fail

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined5-chrome-fail-details

This is by design. Sure, Microsoft tells us Chrome is supported, but scroll down and you will see that it requires Windows 10 Creators Update (version 1703) or later, plus the Windows 10 Accounts extension installed in Chrome. Without the extension, Chrome never presents the device's Primary Refresh Token to Azure AD, so Conditional Access cannot see the device as joined. To automatically deploy the extension to Chrome browsers, create the following registry value:

  • Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
  • Name: 1
  • Type: REG_SZ (String)
  • Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

Check this blog post on how to do it automatically via GPO, or this blog post on doing it with PowerShell scripts and Intune.
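As an added example (not code from the original post or from either linked blog post), here is a PowerShell script that writes the ExtensionInstallForcelist value described above and then checks, with dsregcmd, that the device really is Hybrid Azure AD joined. That second check matters: if dsregcmd does not report both AzureAdJoined and DomainJoined as YES, the extension cannot help and the Chrome sign-in will still be challenged for MFA. The function names, the slot-selection logic and the use of an elevated session on Windows 10 1703 or later are my assumptions; the extension ID and update URL are the ones from the post.

```powershell
# Added example, not part of the original post. Run elevated on a Windows 10 1703+ client.
$PolicyPath  = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$ExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'   # Windows 10 Accounts extension
$UpdateUrl   = 'https://clients2.google.com/service/update2/crx'

function Set-ChromeForcedExtension {
    # Adds "<id>;<update url>" to the forcelist. Reuses an existing slot for the
    # same extension ID, otherwise takes the next free numeric slot (1 on a clean machine,
    # matching the registry value in the post). Returns the value name that was written.
    param([string]$Path, [string]$Id, [string]$Url)

    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $key   = Get-Item -Path $Path
    $names = $key.GetValueNames() | Where-Object { $_ -match '^\d+$' }

    # Slot already holding this extension ID, if any (data is "<id>;<url>").
    $existing = $names | Where-Object { ($key.GetValue($_) -split ';')[0] -eq $Id } | Select-Object -First 1
    if ($existing) {
        $name = $existing
    } elseif ($names) {
        $name = (($names | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum + 1).ToString()
    } else {
        $name = '1'
    }

    New-ItemProperty -Path $Path -Name $name -Value "$Id;$Url" -PropertyType String -Force | Out-Null
    return $name
}

function Get-DsregValue {
    # Pulls one "Name : Value" line out of dsregcmd /status output.
    param([string[]]$StatusOutput, [string]$Name)
    $m = $StatusOutput | Select-String -Pattern ("^\s*{0}\s*:\s*(\S+)" -f [regex]::Escape($Name)) | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return $null
}

function Test-HybridAzureAdJoined {
    # A Hybrid Azure AD joined device reports both AzureAdJoined and DomainJoined as YES.
    # Anything else means Conditional Access will never see the device as joined,
    # whatever browser is used, so fix the join before blaming Chrome.
    $status = & dsregcmd.exe /status
    $azureAd = Get-DsregValue -StatusOutput $status -Name 'AzureAdJoined'
    $domain  = Get-DsregValue -StatusOutput $status -Name 'DomainJoined'
    Write-Host "AzureAdJoined=$azureAd DomainJoined=$domain"
    return ($azureAd -eq 'YES' -and $domain -eq 'YES')
}

# Deploy the forcelist entry and read it back to confirm what Chrome will see.
$slot = Set-ChromeForcedExtension -Path $PolicyPath -Id $ExtensionId -Url $UpdateUrl
Write-Host "Forcelist slot $slot =" (Get-ItemProperty -Path $PolicyPath -Name $slot).$slot

if (-not (Test-HybridAzureAdJoined)) {
    Write-Warning 'Device is not Hybrid Azure AD joined; the Chrome extension alone will not satisfy the policy.'
}
```

After running it, restart Chrome and open chrome://policy: ExtensionInstallForcelist should list the extension ID with status OK, and chrome://extensions should show Windows 10 Accounts installed by policy. Then sign in again and confirm in the Azure AD Sign-ins log that Device info now shows the Hybrid Azure AD joined Join Type for the Chrome sign-in.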

There is one other thing. If you want the same functionality on Windows Server 2016 (for example in Remote Desktop environments), you will notice that the support table says Coming soon (on 2019 Mar 22 they removed that column, according to GitHub, but it still does not work properly):

Conditional_Access_MFA_or_Hybrid_Azure_AD_joined6

Vote for it on UserVoice if you want it.

I also wish Google would include this functionality in Chrome by default, so we would not need to deploy the extension to every client.