While testing MFA, Conditional Access and all the other good stuff Azure AD provides, I came across this scenario:
Conditional Access configured to require MFA if the user wasn’t on an Azure AD Hybrid PC, or coming from an internal IP.
User on an Azure AD Hybrid PC, but on an external IP.
User uses Chrome to access a Microsoft resource, and gets challenged despite being on the Azure AD Hybrid PC.
It seems that the sign-in process isn’t aware of the state of the computer when using Chrome- but there is an easy fix: deploy Windows 10 Accounts extensions for Chrome.
This is really easy to do via Group Policy.
- If you don’t already have them, get the ADMX Group Policy files for Google Chrome and deploy into your environment
- Under User Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions, configure the policy ‘Configure the list of force-installed apps and extensions’:
3. Change the radio button to enabled, click ‘Show’ and enter the value for the add-in
4. Do your normal process of configuring the Group Policy object to target the users you want, run a gpupdate and see the addin silently turn up in Chrome. The only user impact will be a visible Windows logo to the left of the Google Accounts area in the top bar of Chrome.
Peter van de Woude has documented how to do this via registry, so read his post if you want info on how to do that – as well as how to then deploy via Intune and PowerShell script.
Worth doing if you use Azure AD connect, and highly recommended if you’re using Conditional Access.