On one device Chrome CloudAPAuthEnabled setting or Windows Accounts extensions are not working

Robert 61 Reputation points
2024-02-29T20:09:01.0066667+00:00

We have a Conditional Access policy that allows browsers to log in from registered devices only. This works nicely, except from a single PC and/or user. In order to get this to work in Chrome you need to add the CloudAPAuthEnabled registry setting: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions#chrome-support

However the Device ID is always empty and the device status is "unregistered". So the conditional access rule blocks it. On the same device/user (Windows 11), it sometimes works in Edge, but not always. It's always this error:


I tried all things: re-register the device, dsregcmd /leave, join, update, the Chrome Extension, etc. All looks fine, but it doesn't work. The device is registered fine, it seems, because using Edge it works well most of the time. No other devices or users have this issue. I even installed a new Windows 11 device but for this user it resulted in the same problem. Maybe it's in his roaming profile, or anything. On Reddit I found comments from people with the same issue, but these are almost a year old and I figured it would be stable by now. https://www.reddit.com/r/gsuite/comments/127qpxb/new_policy_in_chrome_111_cloudapauthenabled/

Any ideas?

Best,
Robert


Accepted answer
  1. Givary-MSFT 32,311 Reputation points Microsoft Employee
    2024-03-04T07:07:33.5266667+00:00

    @Robert Thank you for reaching out to us. As I understand it, you are having issues with the conditional access policy with the Chrome browser, and the same has been working fine with the Edge browser.

    Would recommend the following options before we investigate this further

    • Make sure that Chrome and the extension are both on the latest version

    We can also capture a Fiddler trace and/or a PROCMON capture to better understand what the extension is doing (if anything at all) when the user experiences the issue.

    Also, navigate to chrome://extensions/?id=ppnbnpeolgkicgegkbkbjmhlideopiji and choose to allow Incognito, switch to Incognito mode (Ctrl+Shift+N), make sure that only the 'Windows Accounts' extension is enabled in Incognito mode, and test the conditional access behavior.

    This would help us to see a clean picture, as neither other unrelated cookies nor other extensions can impact the investigation. I would also recommend deleting the cookies and verifying the issue.

    If the above options don't help, we might need to connect offline/work with our support team to troubleshoot further on this issue.
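
A local check for the items discussed in this thread, as an added example that is not part of the original posts: it reads the CloudAPAuthEnabled value from the key given in the Microsoft documentation linked in the question and summarizes the join and PRT fields printed by `dsregcmd /status`. The variable names and the finding messages are this example's own; run it in the affected user's session.

```powershell
# Added example, not from the thread. Run as the affected user, because the
# SSO State section of dsregcmd output (AzureAdPrt) is reported per user.

# 1. Chrome policy: key, value name and data (DWORD 1) as given in the
#    Microsoft documentation linked in the question.
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$policy = (Get-ItemProperty -Path $chromeKey -Name 'CloudAPAuthEnabled' `
           -ErrorAction SilentlyContinue).CloudAPAuthEnabled
$policyText = if ($null -eq $policy) { 'not set' } else { "$policy" }

# 2. Device registration and PRT state: collect "Name : Value" lines.
$state = @{}
foreach ($line in (& dsregcmd.exe /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
        $state[$Matches[1]] = $Matches[2]
    }
}

# 3. Summary of the fields that matter for a device-based Conditional Access rule.
[pscustomobject]@{
    CloudAPAuthEnabled   = $policyText
    AzureAdJoined        = $state['AzureAdJoined']
    WorkplaceJoined      = $state['WorkplaceJoined']
    DeviceId             = $state['DeviceId']
    WorkplaceDeviceId    = $state['WorkplaceDeviceId']
    AzureAdPrt           = $state['AzureAdPrt']
    AzureAdPrtUpdateTime = $state['AzureAdPrtUpdateTime']
} | Format-List

# 4. Findings: each one is a reason Entra ID could see an empty Device ID.
$findings = @()
if ($policy -ne 1) {
    $findings += 'CloudAPAuthEnabled is not 1 under HKLM; Chrome then depends on the Windows Accounts extension.'
}
if ($state['AzureAdJoined'] -ne 'YES' -and $state['WorkplaceJoined'] -ne 'YES') {
    $findings += 'dsregcmd reports the device as neither joined nor registered.'
}
if (-not $state['DeviceId'] -and -not $state['WorkplaceDeviceId']) {
    $findings += 'No device ID is present locally.'
}
if ($state['AzureAdPrt'] -ne 'YES') {
    $findings += 'AzureAdPrt is not YES for this user; browser sign-ins rely on the PRT to carry device identity.'
}
if ($findings.Count -eq 0) { 'No local problem found; compare DeviceId with the sign-in log entry.' }
else { $findings }
```

If every local check passes while the sign-in log still shows an empty Device ID, the gap is between the browser and the OS broker, which is what the Fiddler and PROCMON captures suggested in the answer would show.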

