CA policy to Block Sign in from non Compliant Devices

Anand Malaviya 61 Reputation points
2025-05-13T17:00:32.4066667+00:00

I am testing a Conditional Access policy where non-compliant devices are restricted from logging in, but I am having an issue with Google Chrome: it asks for the SSO extension. But we also have a policy that restricts Google Sign-in and SyncDisable from their Gmail or any personal mail.

Is there any other way we can set the CA policy where we wouldn't need to add that SSO extension?


Accepted answer
Michele Ariis 1,640 Reputation points MVP
2025-05-14T13:12:21.4433333+00:00

    Hi, if you want Chrome to pass a Conditional Access policy that requires a “compliant device”, you have only two options:

    Install the Microsoft Single Sign On extension (Windows Accounts).

    Or, from Chrome 111+, enable the CloudAPAuthEnabled = 1 policy (via GPO or registry).

    Without one of these, Chrome won’t send the device ID/PRT, so Conditional Access will block the sign-in. No other CA setting can bypass this.

    Why?
    The “Require compliant (or Hybrid AADJ) device” check depends on the Primary Refresh Token (PRT).
    Edge uses WebAuthn/WAM, so PRT is always available.
    Chrome doesn’t, unless you use the extension or enable CloudAPAuthEnabled, which activates WAM integration.

    How to avoid the extension:
    Set this policy (requires Chrome 111+ on Windows 10/11):

    [HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome]
    "CloudAPAuthEnabled"=dword:00000001

    This won’t affect Chrome Sync or Gmail login — you can manage those via existing Chrome URL/extension policies.

    If you really don’t want to touch Chrome:

    Use Microsoft Edge as your corporate browser and restrict Chrome via CA (Client apps → Browser → Exclude Edge).

    Or remove the “device compliant” requirement for browser access and apply app-enforced restrictions (e.g., MCAS) to limit risky actions like downloads — but you’ll lose strict unmanaged device blocking.

    Bottom line:
    To keep the “Block non-compliant devices” policy working with Chrome, you must enable PRT transmission — either via the extension or the CloudAPAuthEnabled flag.
    There’s no Conditional Access trick to bypass this requirement.
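An added audit script (not part of the answer above) that checks, on a Windows device, the two preconditions the answer describes: whether the CloudAPAuthEnabled policy is set under the Chrome policy key it quotes, whether the installed Chrome is at least version 111, and whether the device actually holds a Primary Refresh Token as reported by dsregcmd. It assumes the default Chrome install paths and an elevated PowerShell session.

```powershell
# Added audit script (not from the original answer). Assumptions: the Chrome
# policy key path quoted in the answer, the default Chrome install locations,
# and that dsregcmd is available (Windows 10/11 joined or registered device).

$policyKey      = 'HKLM:\Software\Policies\Google\Chrome'
$minChromeMajor = 111   # the answer states CloudAPAuthEnabled needs Chrome 111+

function Get-ChromeMajorVersion {
    # Read the product version from chrome.exe at the default install paths (assumed)
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    )
    foreach ($exe in $candidates) {
        if (Test-Path $exe) {
            return [int](Get-Item $exe).VersionInfo.ProductVersion.Split('.')[0]
        }
    }
    return $null
}

function Test-CloudAPAuthPolicy {
    # True only when the DWORD exists under the policy key and equals 1
    $item = Get-ItemProperty -Path $policyKey -Name 'CloudAPAuthEnabled' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.CloudAPAuthEnabled -eq 1)
}

function Test-DevicePrt {
    # dsregcmd /status prints an "AzureAdPrt : YES" line when a PRT is present
    $status = dsregcmd /status 2>$null
    return [bool]($status | Select-String -Pattern 'AzureAdPrt\s*:\s*YES')
}

$major      = Get-ChromeMajorVersion
$policyOk   = Test-CloudAPAuthPolicy
$prtPresent = Test-DevicePrt

[pscustomobject]@{
    ChromeMajorVersion    = $major
    ChromeSupportsPolicy  = ($null -ne $major -and $major -ge $minChromeMajor)
    CloudAPAuthEnabledSet = $policyOk
    DeviceHasPrt          = $prtPresent
    # Chrome can only present the device identity when all three hold
    ChromeCanPassDeviceCA = ($policyOk -and $prtPresent -and $null -ne $major -and $major -ge $minChromeMajor)
} | Format-List
```

If ChromeCanPassDeviceCA is false, the output shows which precondition is missing; the script only reads the policy value and does not set it.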
