Enable Chrome to satisfy “Require device to be marked as compliant” Conditional Access without extensions (CloudAPAuthEnabled)

Created by Rohit Yadav, Modified on Fri, 5 Sep at 2:15 PM by Rohit Yadav

Owner: IT – Endpoint & Identity

Audience: IT Admins / Service Desk (L1–L3)

Last Updated: 03-Sep-2025

Applies to: Windows 10/11 (1703+), Google Chrome (managed), Microsoft Entra ID (Azure AD), Microsoft Intune

Related Policy: Management compliance policy (Conditional Access)


Summary

  • Issue: Chrome users are blocked by Conditional Access (CA) when accessing Microsoft 365 apps, with a prompt to install an extension.

  • Root Cause: By default, Chrome does not send device identity signals (Device ID, join type, compliance) to Microsoft Entra during sign-in, unlike Edge, so CA cannot evaluate the device and asks for an extension.

  • Resolution: Set the Chrome registry policy CloudAPAuthEnabled=1 (under HKLM\SOFTWARE\Policies\Google\Chrome). Chrome then presents the existing Windows device identity to Microsoft Entra, so CA can evaluate compliance with no extension required.


Scope

  • In Scope: Windows 10/11 devices, Intune-enrolled and compliant, signed in with work accounts, using Chrome.

  • Out of Scope: macOS (use Microsoft SSO extension + Company Portal), unmanaged/personal PCs, Windows <1703.


Symptoms

  • Chrome is blocked by CA, but Edge works on the same device.

  • Entra sign-in logs show missing Device ID or “Unregistered/Unknown” for Chrome.



Prerequisites

  1. Device is Microsoft Entra joined/Hybrid joined with valid PRT (AzureAdJoined: YES, AzureAdPrt: YES via dsregcmd /status).

  2. Device is Compliant in Intune.

  3. OS is Windows 10/11 (1703+).


Implementation (Intune Script Deployment)


PowerShell Script:

# Enable Chrome device-based authentication for Conditional Access
$regPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
# Create the Chrome policy key if it does not exist yet (no error if it already does)
New-Item -Path $regPath -Force | Out-Null
# Set CloudAPAuthEnabled as a REG_DWORD of 1; -Force overwrites any existing value
New-ItemProperty -Path $regPath -Name 'CloudAPAuthEnabled' -Type DWord -Value 1 -Force

Intune Script Settings:

  • Run using logged-on credentials: No

  • Enforce script signature check: No (or Yes if signed)

  • Run script in 64-bit PowerShell Host: Yes

  • Assign to Windows device groups


Validation

  • Check chrome://policy → Confirm CloudAPAuthEnabled = 1

  • Test sign-in at office.com in Chrome

  • Verify Entra sign-in logs for Device ID and compliance evaluation
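As an added example (not part of the original article), the following PowerShell script combines the Prerequisites checks with the Validation step: it reads the deployed registry value and parses the AzureAdJoined / AzureAdPrt fields from dsregcmd /status, prints a one-line-per-check summary, and exits non-zero when any check fails so the same file can be used as an Intune Remediations detection script. It assumes the registry path and value name from the deployment script above and that dsregcmd prints fields as "Key : Value" lines; Intune compliance state is not available locally and still has to be confirmed in the portal.

```powershell
# Added example: prerequisite + policy validation check (exit 0 = pass, 1 = fail).
# Assumes Windows 10/11 with dsregcmd.exe available and the article's registry path.

$regPath   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$valueName = 'CloudAPAuthEnabled'

# 1. Chrome policy value. Chrome reads mandatory platform policy from HKLM,
#    so a copy of the value under HKCU would not satisfy this check.
$policyValue = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
$policyOk = ($policyValue -eq 1)

# 2. Device identity state. Parse the "Key : Value" lines of dsregcmd /status
#    into a hashtable so individual fields can be checked by name.
$dsreg = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
        $dsreg[$Matches[1]] = $Matches[2]
    }
}
$joinedOk = ($dsreg['AzureAdJoined'] -eq 'YES')   # Entra joined or Hybrid joined
$prtOk    = ($dsreg['AzureAdPrt']    -eq 'YES')   # a valid PRT is present for the signed-in user

# 3. Summary that is readable in the Intune script output or a service desk session
[PSCustomObject]@{
    CloudAPAuthEnabled = $policyValue
    AzureAdJoined      = $dsreg['AzureAdJoined']
    AzureAdPrt         = $dsreg['AzureAdPrt']
    PolicyOk           = $policyOk
    IdentityOk         = ($joinedOk -and $prtOk)
} | Format-List

if ($policyOk -and $joinedOk -and $prtOk) {
    Write-Output 'PASS: Chrome can present device identity to Microsoft Entra'
    exit 0
} else {
    Write-Output 'FAIL: see fields above (Intune compliance must be confirmed in the portal)'
    exit 1
}
```

If the script reports PolicyOk = True but IdentityOk = False, the Chrome policy is in place and the blocking CA result is a device-join or PRT problem, which is outside the scope of this article's fix; if PolicyOk is False on a device the Intune script was assigned to, check the script's run status in Intune before re-running it manually.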



Rollback

# Remove the policy value; Chrome returns to its default behaviour on its next policy refresh or restart
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome' -Name 'CloudAPAuthEnabled' -ErrorAction SilentlyContinue


Security Notes

  • This policy does not weaken security; it only enables Chrome to present existing Windows device identity to Microsoft Entra (like Edge).

  • Conditional Access and MFA are still enforced.


