There’s a common Conditional Access policy, referred to as Block Legacy Authentication, that prevents access to Microsoft365 if the user’s session is not using a Modern Authentication method. Although Edge Chromium supports modern auth by default, Google Chrome does not. In order to allow your users to continue using Google Chrome if they wish, we need to deploy an extension known as Windows Accounts.
There are two easy ways to do this, and it depends on whether all your machines are in Intune or not. For my current situation, only half of the environment is modern managed, and the rest are only using Active Directory. If this is your case as well, read on. If you just want to do this in Intune and not use Google’s ADMX template, check out MVP Peter van der Woude’s post at https://www.petervanderwoude.nl/post/further-simplifying-management-of-the-google-chrome-browser-on-windows-devices/ . Less systems mean less steps, and Peter’s guide is great.
Step 1: Download the Google Chrome ADMX Templates.
To add a Chrome extension, we first need the Group Policy Templates. These can be downloaded from https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip.
Step 2: Add the template to the AD Central Store.
Open the policy_templates.zip file and browse to the Windows\admx folder. Here, we’re concerned about the chrome.admx and google.admx files, as well as the folder for the language that’s configured on your client operating systems. In my case, it’s en-US and fr-FR.
In another file explorer window, browse to \\corp.checkyourlogs.com\SYSVOL\corp.checkyourlogs.com\Policies\PolicyDefinitions folder, replacing corp.checkyourlogs.com with your AD domain. In this folder, place the two ADMX files from the ZIP.
Next, browse to policy_templates.zip\Windows\admx\en-US and copy the two .adml files over to \\corp.checkyourlogs.com\SYSVOL\corp.checkyourlogs.com\Policies\PolicyDefinitions\en-US. Repeat the process for any other required languages.
Step 3: Create the Google Chrome Windows Accounts Extension GPO.
Launch Group Policy Management Console and create a new Group Policy Object called Google Chrome Windows Accounts Extension.
Edit the Group Policy Object and navigate to User Configuration -> Administrative Templates -> Google -> Google Chrome -> Extensions.
Edit the “Configure the list of force-installed apps and extensions” setting, and make it Enabled.
In the Extension/App installed section, click the “Show…” button and paste in the following:
ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx
Step 4: Back up the GPO.
Click ok twice to save the changes to the GPO, and close Group Policy Editor.
Back in Group Policy Management Console, right click on the Google Chrome Windows Accounts Extension and choose Back up.
Choose an appropriate location and click ok.
Step 5: Import GPO and Migrate to Device Configuration Profile.
Go to https://intune.microsoft.com and navigate to Devices -> Group Policy analytics.
Click Import and browse to the folder specified in the previous step.
Double-click the GUID folder and you should see 3 xml files as well as some subfolders. The file we need is called GPReport.xml.
Double click GPReport.xml and it will proceed to validate and import the policy.
After successful validation, close the “Import Group Policy Object files” tile by clicking the top-right X.
Click the Import button. Click next on each screen, ensuring you make the profile Required for your Test Devices group.
Sync your test devices, and after a few moments we should be able to launch Chrome, click the jigsaw puzzle icon to the right of the address bar, and see the Windows Accounts extension added.
As a final test, log into https://portal.office.com and SSO should log you right in.
