Configuring Google Chrome for usage with device-based Conditional Access

This week is sort of a follow-up on last week. Last week the focus was on configuring Mozilla Firefox for usage with device-based Conditional Access, while this week the focus is on configuring Google Chrome for usage with device-based Conditional Access. That has been a supported scenario for many years, but in the early days it required the Windows Accounts extension. That has changed, which makes it easier to configure without installing a specific extension in the browser. Nowadays, there is a setting available that can be configured to automatically sign in user accounts backed by a Microsoft cloud identity provider, which is exactly what device-based Conditional Access needs in order to recognize the device. So, that’s even easier to configure. Especially since Microsoft Intune already has Google Chrome configuration options directly available via the Settings Catalog. One minor detail, however: at this moment the Settings Catalog doesn’t contain all the available settings. That means that, to facilitate the required configuration, it’s still required to work with the available Group Policy (ADMX) templates. This blog post will provide a brief overview of importing those templates, followed by the steps to configure the required setting. This post will end with the user experience. For completeness, this post has some overlap with last week.

Important: At the moment of writing, the feature of importing third-party ADMX-files is still in public preview.

Note: There are alternative methods for using third-party ADMX-files. Those methods are referenced in this post.

Importing the Google Chrome ADMX-files

When looking at managing the required settings of Google Chrome, it all starts with importing the required third-party ADMX and ADML-files. For that, it’s important to be familiar with the current limitations of this feature, which is still in public preview. Those limitations help determine whether the feature fits the use case.

  • A maximum of 20 ADMX-files can be imported (each being 1MB or smaller)
  • Each ADMX-file only supports a single language (each can also only be combined with a single ADML-file)

Important: At the moment of writing, only en-us ADML-files are supported.

Once familiar with the current limitations of importing third-party ADMX-files, it’s time to look at the steps to actually import those ADMX-files. It’s also important to be familiar with the dependencies of those ADMX-files, as those dependencies must be imported first. That applies to the configuration of Google Chrome as well: the configuration requires the chrome.admx file, which depends on the google.admx file and the windows.admx file. The following seven steps walk through the process of importing those ADMX and related ADML-files.

Important: At the moment of writing, the combo box setting type is still not supported.

  1. Download the ADMX and ADML-files for Google Chrome here
  2. Open the Microsoft Intune admin center portal and navigate to Devices > Configuration
  3. On the Import ADMX tab, select Import to start the process of importing the ADMX-file and ADML-file
  4. On the ADMX file upload page, as shown in Figure 1, provide the following information and click Next
     • ADMX file (1): Select the google.admx file to import
     • ADML file for the default language (2): Select the google.adml file to import
     • Specify the language of the ADML file: At this moment English is selected and grayed out
  5. On the Review + create page, click Create
  6. Once the Status is Available, walk through steps 2-4 for the windows.admx file and the windows.adml file
  7. Once the Status is Available, walk through steps 2-4 for the chrome.admx file and the chrome.adml file

Keep in mind that the real challenge is keeping the ADMX and ADML-files up-to-date. When uploading an ADMX-file with settings that are already imported, the upload fails with a namespace error. That includes a newer version of an ADMX-file that contains the same settings as the existing ADMX-file. Besides that, it’s also not possible to remove an ADMX-file while it’s still referenced by a configuration profile. So, when working with third-party ADMX-files, make sure to think about how to handle updates of those ADMX-files and the related settings.
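Before uploading, it is worth checking the files against the limits described above and working out the import order from the ADMX files themselves rather than from memory: every ADMX declares the namespaces it depends on in its policyNamespaces element, and Intune rejects a file whose dependencies are not present yet. The following PowerShell script is an added example, not code from the original post or from Google or Microsoft. It assumes the Chrome policy templates were extracted to C:\Temp\ChromeADMX with the en-US ADML files in an en-US subfolder (the layout of the Chrome policy bundle); the folder path is an assumption you should adjust.

```powershell
# Added example (not from the original post): pre-flight check of third-party ADMX/ADML files
# against the Intune import limits, plus the import order derived from each ADMX's <using> references.
param(
    [string]$AdmxFolder = 'C:\Temp\ChromeADMX'   # assumed location of the extracted policy templates
)

$maxFiles = 20   # Intune limit: at most 20 imported ADMX files
$maxBytes = 1MB  # Intune limit: each ADMX file 1 MB or smaller

$admxFiles = @(Get-ChildItem -Path $AdmxFolder -Filter *.admx -File)
if ($admxFiles.Count -gt $maxFiles) {
    Write-Warning "Found $($admxFiles.Count) ADMX files; Intune allows at most $maxFiles."
}

$graph = @{}   # file name -> its own namespace and the namespaces it depends on
foreach ($admx in $admxFiles) {
    if ($admx.Length -gt $maxBytes) {
        Write-Warning "$($admx.Name) is $([math]::Round($admx.Length / 1KB)) KB; the limit is 1 MB."
    }

    # Only en-US ADML files are supported, one per ADMX
    $adml = Join-Path $AdmxFolder ('en-US\' + [IO.Path]::ChangeExtension($admx.Name, '.adml'))
    if (-not (Test-Path -Path $adml)) {
        Write-Warning "No en-US ADML found for $($admx.Name) (expected $adml)."
    }

    # Read the target namespace and the <using> namespaces from the ADMX XML
    [xml]$doc = Get-Content -Path $admx.FullName -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('p', $doc.DocumentElement.NamespaceURI)
    $target = $doc.SelectSingleNode('/p:policyDefinitions/p:policyNamespaces/p:target', $ns).GetAttribute('namespace')
    $using  = @($doc.SelectNodes('/p:policyDefinitions/p:policyNamespaces/p:using', $ns) |
               ForEach-Object { $_.GetAttribute('namespace') })
    $graph[$admx.Name] = [pscustomobject]@{ Namespace = $target; DependsOn = $using }
}

# Dependencies that no file in the folder defines (e.g. windows.admx, which ships with Windows
# under C:\Windows\PolicyDefinitions) must be imported before the files that use them.
$defined = @($graph.Values | ForEach-Object { $_.Namespace })
foreach ($name in $graph.Keys) {
    foreach ($dep in $graph[$name].DependsOn) {
        if ($defined -notcontains $dep) {
            Write-Warning "$name uses namespace '$dep', which is not defined by any ADMX in $AdmxFolder; import that template first."
        }
    }
}

# Topological order: a file is ready once every namespace it uses (and that exists here) is imported
$ready   = [System.Collections.Generic.HashSet[string]]::new()
$order   = [System.Collections.Generic.List[string]]::new()
$pending = [System.Collections.Generic.List[string]]::new([string[]]$graph.Keys)
while ($pending.Count -gt 0) {
    $next = $null
    foreach ($name in $pending) {
        $blocked = $false
        foreach ($dep in $graph[$name].DependsOn) {
            if (($defined -contains $dep) -and -not $ready.Contains($dep)) { $blocked = $true; break }
        }
        if (-not $blocked) { $next = $name; break }
    }
    if (-not $next) { throw "Circular or unresolved dependency among: $($pending -join ', ')" }
    $order.Add($next)
    [void]$ready.Add($graph[$next].Namespace)
    [void]$pending.Remove($next)
}

Write-Output 'Import the ADMX files in this order:'
$i = 0
foreach ($name in $order) { $i++; Write-Output ("  {0}. {1}  ({2})" -f $i, $name, $graph[$name].Namespace) }
```

For the Chrome bundle the script reports google.admx before chrome.admx and warns that chrome.admx uses the Microsoft.Policies.Windows namespace, which is the windows.admx file from the local Windows PolicyDefinitions folder, matching the order of the seven steps above.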

Configuring the required settings in Google Chrome

After importing the different required ADMX and ADML-files, the available settings within those ADMX-files become available for configuration via Microsoft Intune. That can be achieved by using the configuration template named Imported Administrative templates. That template can be used to easily browse through the available imported settings for managing the configuration of Google Chrome, including the required setting for usage with device-based Conditional Access. The friendly name of that setting is Allow automatic sign-in to Microsoft® cloud identity providers, which translates to CloudAPAuthEnabled as the policy name. The following eight steps walk through the process of configuring that specific setting in Google Chrome.

  1. Open the Microsoft Intune admin center portal and navigate to Devices > Configuration
  2. On the Devices | Configuration profiles page, click Create profile
  3. On the Create a profile blade, provide the following information and click Create
     • Platform: Select Windows 10 and later as platform
     • Profile type: Select Templates > Imported Administrative templates as profile type
  4. On the Basics page, provide at least a unique name and click Next
  5. On the Configuration settings page, as shown in Figure 2, configure the following setting and click Next
     • Navigate to Computer Settings > Google > Google Chrome > Microsoft® Active Directory® management settings, select Allow automatic sign-in to Microsoft® cloud identity providers (1), and select Enabled (2) > Enable Microsoft® cloud authentication (3)
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the required assignment and click Next
  8. On the Review + create page, verify the configuration and click Create

Important: Keep in mind that updating the imported ADMX-file can be a challenging process.

In this case, the imported ADMX-file is a valid method to temporarily configure this specific setting, mainly because most of the other settings are already directly available within Microsoft Intune. When an ADMX-file is imported for just a single setting, however, it might be better to use custom OMA-URIs instead. The basics of that process of ingesting third-party ADMX-files are described here, and an easy method for constructing those settings is described here.

Experiencing the new configuration

When the configuration of Google Chrome is in place, it’s time to actually verify the configuration. That can be done in many different ways. As the configuration is ADMX-backed, the verification can be done in the registry, the Settings app, or even the browser itself. The latter actually provides the most concrete information, as the browser gives direct access to all available and applied policies (similar to Microsoft Edge). Simply open Google Chrome, navigate to chrome://policy and scroll to the Chrome Policies section. At least the policy CloudAPAuthEnabled should be shown as a configured policy, as shown below in Figure 3. That includes information about the configured value.
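For the registry route mentioned above, the following PowerShell snippet is an added example (not code from the original post or from Google or Microsoft). Chrome reads its machine policies from HKLM\SOFTWARE\Policies\Google\Chrome, which is where an applied ADMX-backed setting lands and what the Chrome Policies section of chrome://policy reflects; the function names are my own.

```powershell
# Added example (not from the original post): confirm from the device that the Chrome policy applied.
function Get-ChromePolicyState {
    param(
        [string]$PolicyName = 'CloudAPAuthEnabled',
        [string]$KeyPath    = 'HKLM:\SOFTWARE\Policies\Google\Chrome'   # Chrome machine policy key
    )

    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{
            Policy = $PolicyName; Configured = $false; Value = $null
            Note   = "Key $KeyPath does not exist: no Chrome machine policy has applied to this device yet."
        }
    }

    $value = $key.GetValue($PolicyName)
    if ($null -eq $value) {
        $note = 'Not set: the profile has not applied yet, or the device is not in the assignment.'
    } elseif ($value -eq 1) {
        $note = 'Enabled: Chrome may sign in automatically with the Windows cloud identity.'
    } else {
        $note = 'Present but disabled (value 0).'
    }

    [pscustomobject]@{ Policy = $PolicyName; Configured = $true; Value = $value; Note = $note }
}

# Every Chrome policy currently set in the machine key, for a side-by-side comparison with chrome://policy
function Get-ChromeMachinePolicies {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome')

    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Policy = $name; Value = $key.GetValue($name); Kind = $key.GetValueKind($name) }
    }
}

Get-ChromePolicyState | Format-List
Get-ChromeMachinePolicies | Format-Table -AutoSize
```

A missing key or value after a sync usually means the profile has not been assigned to this device or the Intune sync has not run yet; a value of 1 is the state that Figure 3 shows as Enabled in chrome://policy.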

More information

For more information about managing third-party ADMX-files, and Google Chrome ADMX-files, refer to the following docs.


2 thoughts on “Configuring Google Chrome for usage with device-based Conditional Access”

  1. So is this replacing the SSO feature from the windows accounts extension?
    I want to understand in which scenarios, we want to configure chrome w dev based conditional access.

    I am really looking forward to get more in-depth information

    Thank you!

    • Hi Alex,
      Not sure if it’s the replacement, but it’s definitely an alternative. You might want to do some testing with multiple accounts connected to Windows and see if and how that will impact the behavior.
      Regards, Peter

