The three C’s – Conditional Access, Chrome and Coronavirus

Coronavirus, or COVID-19, or whatever else it's called, seems to be having a massive impact across the globe. The things I'm really noticing are a lack of toilet roll in the shops, and a massive increase in companies implementing processes to help their users work from home, should it come to that.

I can't help you with the lack of toilet roll in this bog blog, but I can help you with a handy tip for Conditional Access and Chrome, which is one of the things you need to look at implementing ASAP.

I've literally just been speaking to a customer who has implemented Conditional Access but was seeing some behaviour that wasn't expected (or that THEY didn't expect).

Their conditional access policy was quite simple:

Basically, they wanted to grant access to cloud resources/apps as long as one of two conditions was met: either MFA was satisfied OR the machine was Hybrid Azure AD Joined.

For the majority of users, this was working great. They took their machines home and worked with no MFA prompts at all – the machines were Hybrid Azure AD Joined.

However, for a handful of users, they were getting MFA prompts. The usual checks were done:

  • Are the machines Hybrid Azure AD Joined? Yes.
  • Are the Cloud Apps included in the policy? Yes.
  • Are the users included in the policy? Yes.
  • Is the MFA prompt coming from a different policy? No.

So I jumped on a call with the customer, and after assessing all of the above scenarios we checked the User Sign-ins in the Azure Portal.

We could see that most users were not being prompted for MFA, as their machines were being correctly identified as Hybrid Azure AD Joined:

[Image: Conditional_Access_MFA_or_Hybrid_Azure_AD_joined3]

When we investigated the users who were receiving the MFA prompts, we could see that they were accessing SharePoint Online and being asked for MFA, and we could also see that they were using Chrome and the Join Type was blank.

So, because the Join Type could not be determined, MFA was being requested.

This document describes the behaviour and fix: https://docs.microsoft.com/en-gb/azure/active-directory/conditional-access/concept-conditional-access-conditions#chrome-support

In a nutshell, Chrome requires the Windows 10 Accounts Extension to work correctly with Conditional Access rules.

This can be installed manually, or deployed via a deployment tool. The easiest way is to deploy the following Registry Key, which force-installs the extension through Chrome's ExtensionInstallForcelist policy:

Path: HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
Name: 1
Type: REG_SZ (String)
Data: ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx
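Here is a PowerShell version of that deployment, which I've added as an example (it isn't from the customer or from Microsoft's docs). It uses the same extension ID and update URL as the Registry Key above, but instead of blindly writing value name 1 it checks whether ExtensionInstallForcelist already holds other force-installed extensions and takes the next free number, because Chrome reads every numbered value under that key and overwriting 1 would silently drop whatever was already there. It finishes by listing the forced extensions and checking the device's join state with dsregcmd, which is the other half of what the policy depends on. The key path, value format and dsregcmd fields are real; only the script itself is mine.

```powershell
# Added example, not code from the original post: force-install the Windows 10 Accounts
# extension in Chrome without clobbering existing ExtensionInstallForcelist entries.
# Run in an elevated PowerShell session; Chrome picks the policy up on its next restart.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
# Extension ID and update URL exactly as given in the Registry Key above.
$ExtensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'
$Entry       = "$ExtensionId;https://clients2.google.com/service/update2/crx"

# Create the policy key if no Chrome policies have been deployed to this machine yet.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Chrome treats every value whose name is a number as one forced extension.
# Keep the existing ones (other deployments may own them) and find the next slot.
$existing     = Get-ItemProperty -Path $KeyPath
$numericNames = $existing.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' }

$alreadyPresent = $numericNames | Where-Object { $_.Value -like "$ExtensionId;*" }
if ($alreadyPresent) {
    Write-Output "Windows 10 Accounts extension is already forced as value '$($alreadyPresent.Name)'."
} else {
    $next = if ($numericNames) {
        ([int[]]$numericNames.Name | Measure-Object -Maximum).Maximum + 1
    } else {
        1
    }
    New-ItemProperty -Path $KeyPath -Name $next -Value $Entry -PropertyType String -Force | Out-Null
    Write-Output "Added Windows 10 Accounts extension as value '$next'."
}

# Verification 1: what Chrome will now force-install (chrome://policy shows the same list).
Get-ItemProperty -Path $KeyPath | Select-Object -Property * -ExcludeProperty PS*

# Verification 2: the device really is Hybrid Azure AD Joined, i.e. both
# AzureAdJoined and DomainJoined report YES. If either is NO, the extension alone
# will not stop the MFA prompt, because there is no join state for it to present.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined'
```

Once this has run, users should close and reopen Chrome, then sign in to a cloud app and check the sign-in log again: the Join Type column should now read Hybrid Azure AD joined instead of being blank.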

Once this extension has been installed, Chrome will be able to present the device's Hybrid Azure AD Joined state, and users won't be prompted for MFA when using Chrome.