ANAVEM
EnglishFrancais
ANAVEM
Languagefr
How to Configure Google Chrome SSO with Azure AD Using Microsoft Intune

How to Configure Google Chrome SSO with Azure AD Using Microsoft Intune

Set up seamless single sign-on for Google Chrome in corporate environments using Microsoft Intune and Entra ID. Configure native Chrome SSO policies for automatic authentication.

March 21, 2026 15 min 0
mediumintune 8 steps 15 min

Why Configure Chrome SSO with Entra ID Through Intune?

Single sign-on (SSO) for Google Chrome in enterprise environments eliminates the friction of repeated authentication when accessing Microsoft cloud services. Instead of users manually entering credentials every time they visit Office 365, Azure portal, or other Microsoft services, Chrome can automatically authenticate them using their existing Entra ID (Azure AD) identity.

This tutorial focuses on the modern, native approach using Microsoft Intune's imported ADMX templates. This method has replaced legacy extension-based solutions and provides a more reliable, centrally managed SSO experience. The configuration leverages Chrome's built-in CloudAPAuthEnabled policy, which integrates directly with Windows' cloud authentication provider.

What Makes This Configuration Method Superior?

The native Chrome SSO configuration through Intune offers several advantages over previous methods. First, it eliminates the need to deploy and manage browser extensions, reducing complexity and potential security vulnerabilities. Second, it provides centralized policy management through Intune, allowing IT administrators to deploy, monitor, and troubleshoot SSO settings across thousands of devices from a single console.

The configuration works seamlessly with Entra ID Joined, Hybrid-Joined, and Entra ID Registered devices, making it suitable for various enterprise deployment scenarios. Once configured, users experience transparent authentication when accessing Microsoft cloud services, improving productivity while maintaining security through proper identity verification.

Related: Sync SharePoint Libraries Using Microsoft Intune

Related: Configure Time Zone Settings for Windows Devices Using

Related: How to Configure Outlook Auto-Login using Microsoft Intune

Related: Configure OneDrive Auto Sign-in Using Microsoft Intune

Implementation Guide

Full Procedure

01

Download Chrome ADMX Templates from Google Enterprise

First, you need to download the Chrome ADMX templates that contain the policy definitions for Chrome SSO configuration. These templates are essential for creating the SSO policy in Intune.

Navigate to the Chrome Enterprise website and locate the policy templates section. You'll need to accept the terms and download the following files:

  • Google.admx and Google.adml
  • Chrome.admx and Chrome.adml
  • GoogleUpdate.admx and GoogleUpdate.adml

Download these files to a local folder on your administrative workstation. The ADMX files contain the policy definitions, while the ADML files contain the language-specific text for the policies.

Pro tip: Create a dedicated folder structure like "C:\ChromeADMX" to organize these files. You'll reference them multiple times during the import process.

Verification: Confirm you have all six files (3 ADMX and 3 ADML files) downloaded and accessible on your local machine.

02

Import Chrome ADMX Templates into Microsoft Intune

Now you'll import the Chrome ADMX templates into Intune to make the Chrome policies available for configuration. This step is crucial because without importing these templates, the SSO policy options won't appear in Intune.

Open the Microsoft Intune admin center and navigate to:

Devices > Manage devices > Configuration > Import ADMX tab

Click + Import and upload each ADMX file along with its corresponding ADML file. You need to import them one by one:

  1. Select Google.admx and Google.adml
  2. Click Import and wait for completion
  3. Repeat for Chrome.admx and Chrome.adml
  4. Finally, import GoogleUpdate.admx and GoogleUpdate.adml
Warning: The import process can take several minutes. Don't navigate away from the page until you see the success confirmation for each template.

Verification: After importing, you should see the Chrome templates listed in the Import ADMX section. The status should show as "Imported" for all three template sets.

03

Create a New Device Configuration Policy for Chrome SSO

With the ADMX templates imported, you can now create a device configuration policy that will enable Chrome SSO with Entra ID. This policy will be deployed to your target devices.

In the Intune admin center, navigate to:

Devices > Manage devices > Configuration > Create > New policy

Configure the policy settings as follows:

  • Platform: Windows 10 and later
  • Profile type: Templates
  • Template name: Imported Administrative templates

Click Create to proceed to the policy configuration wizard.

In the Basics tab, provide:

  • Name: "Enable SSO for Chrome with Entra ID using Intune"
  • Description: "Configures Chrome to automatically sign in users with their Entra ID credentials"

Click Next to continue to the configuration settings.

Verification: Ensure you're creating an "Imported Administrative templates" policy type, as this is required to access the Chrome ADMX settings.

04

Configure Chrome SSO Policy Settings

This is the core step where you'll configure the actual SSO setting that enables automatic sign-in to Microsoft cloud identity providers in Chrome.

In the Configuration settings tab, use the search function to locate the SSO policy:

Search: "Allow Automatic Sign"

Navigate to the policy location:

Computer Settings > Google Chrome > Microsoft® Active Directory® management settings

Find and select "Allow automatic sign-in to Microsoft® cloud identity providers"

Configure the policy as follows:

  • Set the policy to Enabled
  • In the dropdown, select "Enable Microsoft® cloud authentication"
  • Click OK to save the setting
Pro tip: This setting specifically enables the CloudAPAuthEnabled policy in Chrome, which you can verify later using chrome://policy.

Click Next to proceed to scope tags configuration.

Verification: The policy should show as "Enabled" with the value "Enable Microsoft® cloud authentication" in your configuration summary.

05

Configure Policy Assignments and Scope

Now you'll assign the policy to the appropriate device groups and configure any necessary scope tags for your organization's management structure.

In the Scope tags section:

  • Add scope tags if your organization uses them for role-based access control
  • If you don't use scope tags, leave this section as default
  • Click Next

In the Assignments section, configure the target devices:

  • Click + Add groups under "Included groups"
  • Select device groups containing Entra ID Joined devices
  • Ensure the selected groups contain devices that meet the prerequisites
Warning: Only assign this policy to Entra ID Joined, Hybrid-Joined, or Entra ID Registered devices. The SSO functionality won't work on domain-only joined devices.

Review your assignments and click Next to proceed to the final review.

Verification: Confirm that your target device groups are listed in the "Included groups" section and that no conflicting exclusions are configured.

06

Deploy and Monitor Policy Application

Complete the policy creation and monitor its deployment to ensure successful application across your target devices.

In the Review + create section:

  • Review all policy settings for accuracy
  • Verify the assignment scope matches your requirements
  • Click Create to deploy the policy

Monitor the policy deployment:

Devices > Monitor > Device configuration > [Your Policy Name]

Check the deployment status and look for any devices showing "Error" or "Conflict" status. The policy typically takes 15-30 minutes to apply to devices after creation.

Pro tip: You can force a policy sync on test devices by going to Settings > Accounts > Access work or school > [Your account] > Info > Sync, or by restarting the device.

Verification: The policy should show "Succeeded" status for target devices in the monitoring dashboard within 30 minutes of deployment.

07

Verify Chrome SSO Configuration on Target Devices

After the policy has been applied, verify that Chrome is properly configured for SSO on your target devices. This verification ensures the policy is working correctly.

On a target device, open Google Chrome and navigate to:

chrome://policy

Look for the following policy in the list:

  • Policy name: CloudAPAuthEnabled
  • Value: 1 (or true)
  • Status: OK

Additionally, check the Windows Event Viewer for confirmation:

Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin

Look for Event ID 814 with the message containing:

CloudAPAuthEnabled value="1"
Pro tip: If the policy doesn't appear in chrome://policy immediately, try closing and reopening Chrome, or restart the device to force policy refresh.

Verification: Both chrome://policy and Event Viewer should confirm that CloudAPAuthEnabled is set to 1, indicating successful SSO configuration.

08

Test Single Sign-On Functionality

The final step is to test the SSO functionality to ensure users can seamlessly access Microsoft cloud services through Chrome without additional authentication prompts.

To test SSO functionality:

  1. Ensure the user has a work or school account added to Windows (Settings > Accounts > Access work or school)
  2. Open Chrome and navigate to a Microsoft cloud service like:
https://portal.office.com
https://portal.azure.com
https://admin.microsoft.com

The user should be automatically signed in without being prompted for credentials. If prompted, the SSO configuration may not be working correctly.

Troubleshooting common issues:

  • Still prompted for credentials: Verify the device is properly Entra ID joined and the user account is synchronized
  • Policy not applying: Check device enrollment status in Intune and ensure Chrome is updated to the latest version
  • CloudAPAuthEnabled not showing: Verify ADMX templates were imported correctly and the policy was assigned to the correct device groups
Warning: SSO only works for Microsoft cloud-backed accounts. Local Active Directory accounts without cloud synchronization won't trigger automatic sign-in.

Verification: Users should be able to access Microsoft cloud services in Chrome without entering credentials, and their Entra ID identity should be automatically recognized and authenticated.

Frequently Asked Questions

What devices are compatible with Chrome SSO configuration through Intune?+
Chrome SSO through Intune works on Windows 10 and Windows 11 devices that are Entra ID Joined, Hybrid-Joined, or Entra ID Registered and enrolled in Microsoft Intune. The devices must have the latest version of Google Chrome installed and be able to receive Intune policies. Domain-only joined devices without cloud identity integration are not supported for this SSO configuration.
Why do I need to import Chrome ADMX templates before configuring SSO policies?+
Chrome ADMX templates contain the policy definitions that Intune needs to configure Chrome browser settings. Without importing these templates, the Chrome SSO policy options won't appear in the Intune admin center. The templates include Google.admx, Chrome.admx, and GoogleUpdate.admx files along with their corresponding language files, which define all available Chrome enterprise policies including the CloudAPAuthEnabled setting required for SSO.
How can I verify that Chrome SSO is working correctly on target devices?+
You can verify Chrome SSO functionality in two ways. First, navigate to chrome://policy in the browser and confirm that CloudAPAuthEnabled shows a value of 1 with OK status. Second, check Windows Event Viewer under DeviceManagement-Enterprise-Diagnostics-Provider for Event ID 814 containing CloudAPAuthEnabled value="1". Additionally, test by accessing Microsoft cloud services like portal.office.com to ensure automatic sign-in occurs without credential prompts.
What should I do if the Chrome SSO policy isn't applying to devices?+
If the SSO policy isn't applying, first verify that the target devices are properly enrolled in Intune and meet the Entra ID join requirements. Check the policy assignment scope to ensure the correct device groups are included. Confirm that Chrome ADMX templates were successfully imported in Intune. Force a policy sync on test devices through Settings > Accounts > Access work or school, or restart the devices. Monitor the policy deployment status in the Intune admin center for any error messages.
Can I use this Chrome SSO configuration with on-premises Active Directory accounts?+
Chrome SSO through Intune only works with Microsoft cloud-backed accounts, specifically Entra ID identities. Pure on-premises Active Directory accounts without cloud synchronization will not trigger automatic sign-in. However, if your on-premises accounts are synchronized to Entra ID through Azure AD Connect or similar tools, and users sign in with their cloud-synchronized credentials, the SSO functionality will work properly for accessing Microsoft cloud services.
Tags
#intune#sso#chrome

Further Intelligence

Deepen your knowledge with related resources

How to Enable JavaScript and Cookies in Chrome, Firefox, Safari & Edge
tutorial
Web Development

How to Enable JavaScript and Cookies in Chrome, Firefox, Safari & Edge

Deep Dive
How to Configure Google Chrome SSO with Azure AD Using Microsoft Intune
tutorial
Cloud Computing

How to Configure Google Chrome SSO with Azure AD Using Microsoft Intune

Deep Dive
How to Automate Disk Cleanup for Windows 11 Upgrades Using Intune Remediation
tutorial
DevOps

How to Automate Disk Cleanup for Windows 11 Upgrades Using Intune Remediation

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account