While testing MFA, Conditional Access and all the other good stuff Azure AD provides, I came across this scenario:
Conditional Access configured to require MFA if the user wasn’t on an Azure AD Hybrid PC, or coming from an internal IP.
User on an Azure AD Hybrid PC, but on an external IP.
User uses Chrome to access a Microsoft resource, and gets challenged despite being on the Azure AD Hybrid PC.
It seems that the sign-in process isn’t aware of the state of the computer when using Chrome- but there is an easy fix: deploy Windows 10 Accounts extensions for Chrome.
This is really easy to do via Group Policy.
- If you don’t already have them, get the ADMX Group Policy files for Google Chrome and deploy into your environment
- Under User Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions, configure the policy ‘Configure the list of force-installed apps and extensions’:
3. Change the radio button to enabled, click ‘Show’ and enter the value for the add-in
ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx
4. Do your normal process of configuring the Group Policy object to target the users you want, run a gpupdate and see the addin silently turn up in Chrome. The only user impact will be a visible Windows logo to the left of the Google Accounts area in the top bar of Chrome.
Peter van de Woude has documented how to do this via registry, so read his post if you want info on how to do that – as well as how to then deploy via Intune and PowerShell script.
Worth doing if you use Azure AD connect, and highly recommended if you’re using Conditional Access.
Hello,
Thanks for the article.
I installed the Windows 10 accounts extension, and now, like in Edge or IE, the MFA doesn’t prompt.
But i use a conditionnal acces to require MFA without conditions, so i want to be prompt for the 2 step verification even on IE, Edge and Chrome (with Win 1O account extension), how can i do this please ?
Here is a way to always be ask for MFA with condiotionnal acces (I don’t want to enforce MFAn to keep benefits of conditionnal access)
Thanks
Not sure I fully understand what you’re asking, what benefits of conditional access do you want if you always want to be MFA challenged? You’d just need to change the rules in Conditional Access to match whatever scenario you’d like – feel free to post back with more info!