Azure Conditional Access policies not working in Google Chrome

Microsoft offers many solutions and services to defend your Microsoft 365 tenancy. One of the most touted features available in Azure AD Premium P1 (and higher) is Azure Conditional Access. Conditional Access allows you to set policies that determine what type of devices, which users, and under what conditions a request to access a service may be allowed or blocked.

Author
Recent Posts

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator. He was a Microsoft MVP for eight years and has worked as a technical reviewer for Microsoft Press. You can follow Robert on Twitter and in his blog.

Latest posts by Robert Pearman (see all)

Remove or block Chrome extensions with PowerShell - Thu, May 12 2022
Chrome: Manage extensions with PowerShell - Fri, Apr 15 2022
Azure Conditional Access policies not working in Google Chrome - Tue, Apr 12 2022

For example, you can set up a policy to allow any request from a trusted location (an IP address) and block access from any other location.

Conditional Access policies can be incredibly versatile, but they can also go wrong, and locking yourself out of a tenant would not be a good idea. Thus, Microsoft offers a report-only mode in which a rule is evaluated but not enforced. You can read more about Conditional Access here.

One popular way to deploy Conditional Access is to use it in conjunction with Microsoft Intune. Intune enables you to set compliance policies on devices, whether they use BitLocker or have a specific version of Windows or antivirus enabled. You can then configure a conditional access rule to grant access only to compliant devices.

Using Conditional Access to limit access only to compliant devices

This works very well and is easy to set up and deploy—until a device is denied access and you can't see why.

This issue came up for me recently. A user was denied access to SharePoint, even though the device showed as compliant. To make things more confusing, it worked perfectly on the same device using Microsoft Edge.

After successfully passing the username and password and the MFA challenge, the following was displayed.

Conditional Access failure message

To troubleshoot this further, we head into Azure Active Directory and select Users > Sign-in logs.

Use Azure AD sign in logs to troubleshoot login failures

We can set a filter to look for only the specific user we are interested in.

Setting a filter for usernames

From the list of sign-in activities, we can find a successful sign-in, open it, and look at the device details.

This is an example from Microsoft Edge. Note that it shows the version and that the device is Hybrid Azure AD joined and compliant.

Contrast this with a login on the same device but using Google Chrome.

Activity Details Sign in

You can clearly see that Chrome has not passed the device state through to Azure.

The solution, luckily, is straightforward enough. Microsoft released a Chrome extension called Windows Accounts that links your logged-on user and device info, and allows it to be passed through to Microsoft services.

Once this extension is deployed to the browser, your device state is correctly passed through, and your Conditional Access policies are extended to support Chrome.