Starting with Google Chrome 111, support for signing in to Microsoft cloud identity providers (Entra ID, formerly Azure AD) is built into the browser and exposed via ADMX. You no longer need the "Windows Accounts" browser extension: Chrome can use the user's Windows sign-in to automatically authenticate to Microsoft 365, SharePoint, and other Microsoft cloud services. To turn this on for managed devices, you configure the policy "Allow automatic sign-in to Microsoft® cloud identity providers" in Microsoft Intune. Today that requires importing Chrome's ADMX/ADML files into Intune and creating an Administrative Templates profile; if Microsoft adds this setting to the Intune Settings catalog later, you could enable it without ADMX import. This guide covers the current approach: downloading the Chrome ADMX bundle, importing the files in the correct order, and creating and assigning the policy.
Prerequisites
Devices must run Chrome 111 or newer and Windows 10 or 11. They must be Entra ID (Azure AD) joined or hybrid Azure AD joined so the Windows identity is available to Chrome. Users need an appropriate Microsoft Intune license so the configuration profile can deploy. If devices are not joined to Entra ID, Chrome cannot use the Windows account for automatic sign-in.
Download the Chrome ADMX Bundle
Google publishes the Chrome Enterprise and Education ADMX/ADML files in a single bundle. Download the latest bundle from the Chrome Enterprise and Education Help page (Download bundle). Extract the ZIP; you will use files from Configuration\admx and Configuration\admx\en-US (or your language folder). You also need the Windows ADMX/ADML pair from a current Windows 11 (or Windows 10) machine: C:\Windows\PolicyDefinitions\Windows.admx and C:\Windows\PolicyDefinitions\en-US\Windows.adml. If you have already imported the Windows pair into Intune for other policies, you can skip that step.
Import ADMX and ADML Files into Intune
In the Microsoft Intune admin center, go to Devices → Windows → Configuration profiles. Under the Administrative Templates section, use the option to upload or manage ADMX files (often under a dedicated "Import" or "Administrative templates" node). Upload order matters: Intune may depend on the sequence for references between ADMX files. Upload in this order:
- Windows (if not already present): Windows.admx, then Windows.adml from en-US.
- Google (base): from the Chrome bundle, Configuration\admx\google.admx and Configuration\admx\en-US\google.adml.
- Google Update: Configuration\admx\GoogleUpdate.admx and Configuration\admx\en-US\GoogleUpdate.adml.
- Chrome: Configuration\admx\chrome.admx and Configuration\admx\en-US\chrome.adml.
After all uploads, the Administrative Templates list should include the imported Chrome policies.
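The order follows from the references each ADMX file declares in its policyNamespaces header: a file that names another file's namespace in a using element has to be uploaded after it. The PowerShell below is an added example, not part of the original guide or of Google's bundle; it derives an upload order from those headers. The embedded headers and their namespace strings are constructed for illustration, and Windows.admx is left out to show a reference that must already exist in the tenant.

```powershell
# Constructed headers, reduced to <policyNamespaces>; namespace strings are assumptions.
# For real files: Get-ChildItem *.admx | ForEach-Object { $files[$_.Name] = Get-Content $_ -Raw }
$files = [ordered]@{
    'GoogleUpdate.admx' = '<policyDefinitions><policyNamespaces>
        <target prefix="update" namespace="Google.Policies.Update"/>
        <using prefix="Google" namespace="Google.Policies"/>
      </policyNamespaces></policyDefinitions>'
    'chrome.admx' = '<policyDefinitions><policyNamespaces>
        <target prefix="chrome" namespace="Google.Policies.Chrome"/>
        <using prefix="Google" namespace="Google.Policies"/>
        <using prefix="windows" namespace="Microsoft.Policies.Windows"/>
      </policyNamespaces></policyDefinitions>'
    'google.admx' = '<policyDefinitions><policyNamespaces>
        <target prefix="Google" namespace="Google.Policies"/>
      </policyNamespaces></policyDefinitions>'
}

function Get-AdmxImportOrder([System.Collections.IDictionary]$Files) {
    $owner = @{}; $needs = @{}
    foreach ($name in $Files.Keys) {
        $doc = [xml]$Files[$name]
        # local-name() matches whether or not the file declares a default xmlns.
        $target = $doc.SelectSingleNode("//*[local-name()='target']")
        $owner[$target.GetAttribute('namespace')] = $name
        $needs[$name] = @($doc.SelectNodes("//*[local-name()='using']") |
                          ForEach-Object { $_.GetAttribute('namespace') })
    }
    $done = [System.Collections.Generic.List[string]]::new()
    while ($done.Count -lt $Files.Count) {
        # Ready = every used namespace is already placed, or is owned by no file
        # in this set (treated as imported earlier, e.g. Windows.admx).
        $ready = @($Files.Keys | Where-Object { -not $done.Contains($_) } | Where-Object {
            @($needs[$_] | Where-Object {
                $owner.ContainsKey($_) -and -not $done.Contains($owner[$_]) }).Count -eq 0
        })
        if ($ready.Count -eq 0) { throw 'Circular reference between ADMX files' }
        $done.AddRange([string[]]$ready)
    }
    $step = 0
    foreach ($f in $done) {
        $step++
        [pscustomobject]@{
            Step = $step; File = $f
            MustAlreadyExist = @($needs[$f] | Where-Object { -not $owner.ContainsKey($_) }) -join ', '
        }
    }
}
Get-AdmxImportOrder $files | Format-Table -AutoSize
```

Any namespace listed under MustAlreadyExist has to be present in Intune before that file is uploaded; upload each .adml with its .admx.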
Create a Configuration Profile from Imported Templates
Still under Devices → Windows → Configuration profiles, create a new profile. When prompted for type, choose Administrative Templates (or Imported Administrative Templates, depending on the UI). This lets you pick from the Chrome policies you just imported.
On Basics, give the profile a name (e.g. "Chrome SSO - Allow automatic sign-in to Microsoft cloud") and an optional description. On the configuration settings page, browse or search for Allow automatic sign-in to Microsoft® cloud identity providers, open it, and set it to Enabled. Save the profile and go to Assignments. Assign the profile to the device or user groups that should have Chrome SSO (e.g. all Windows devices or a pilot group).
What Happens After the Policy Applies
Once the profile is applied, Chrome uses the signed-in Windows (Entra ID) identity to automatically sign the user into Microsoft cloud services when they visit Microsoft 365, SharePoint, Teams on the web, or other Microsoft sites. Users do not need to enter work credentials again in the browser for those sites, and the Windows Accounts extension is no longer required. The behavior is enforced by the browser's native integration rather than an add-on, which can simplify deployment and reduce extension-related issues.
Verification and Troubleshooting
On a managed device, open Chrome and go to a Microsoft service (e.g. https://www.office.com or a SharePoint URL). If SSO is working, the user should be signed in without a credential prompt. You can also check chrome://settings/people to see identity and sync state. If the policy does not apply, confirm that the ADMX/ADML files were imported in the order above and that the profile is assigned to the device or user. If users are still prompted, verify that the device is Entra ID joined or hybrid joined and that Chrome is version 111 or later. If another Chrome or browser policy disables sign-in or extensions, it could conflict. Review other Administrative Template or Settings catalog policies that affect Chrome.
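The three conditions named above (join state, Chrome version, policy delivered) can be checked on the device in one pass. The PowerShell below is an added example, not part of the original guide; it assumes CloudAPAuthEnabled is the registry value Chrome reads for this policy (the guide does not name it) and that Chrome is registered under the standard App Paths key. The dsregcmd lines in $sample are constructed.

```powershell
function Get-JoinState([string[]]$DsregOutput) {
    $s = @{}
    foreach ($line in $DsregOutput) {
        # dsregcmd /status prints lines such as "   AzureAdJoined : YES"
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $s[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    if ($s.AzureAdJoined -and $s.DomainJoined) { 'Hybrid joined' }
    elseif ($s.AzureAdJoined) { 'Entra ID joined' }
    else { 'Not joined' }
}

function Get-ChromeSsoPolicy {
    # Check the machine hive, then the user hive (value name is an assumption, see above).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $p = Get-ItemProperty "$hive\SOFTWARE\Policies\Google\Chrome" `
                 -Name CloudAPAuthEnabled -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            return [pscustomobject]@{ Hive = $hive; Value = $p.CloudAPAuthEnabled }
        }
    }
}

function Get-ChromeVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe'
    $exe = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
    if ($exe -and (Test-Path $exe)) { [version](Get-Item $exe).VersionInfo.ProductVersion }
}

# Constructed excerpt of dsregcmd output, to exercise the parser offline.
$sample = '   AzureAdJoined : YES', 'EnterpriseJoined : NO', '    DomainJoined : NO'
Get-JoinState $sample

# Live check on the managed device.
$chrome = Get-ChromeVersion
$policy = Get-ChromeSsoPolicy
[pscustomobject]@{
    JoinState     = Get-JoinState (dsregcmd.exe /status)
    ChromeVersion = $chrome
    VersionOk     = [bool]($chrome -and $chrome.Major -ge 111)
    PolicyHive    = $policy.Hive
    PolicyEnabled = ($policy.Value -eq 1)
}
```

An empty PolicyHive means the profile has not reached the device yet; chrome://policy shows the same setting as Chrome itself has loaded it.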
If the Setting Appears in the Settings Catalog Later
If Microsoft adds "Allow automatic sign-in to Microsoft® cloud identity providers" to the Intune Settings catalog, you can create a Settings catalog profile (Windows 10 and later), search for that setting, enable it, and assign it. No ADMX import needed. Until then, the Administrative Templates approach above is the way to manage this setting centrally in Intune.
Summary
To configure Google Chrome single sign-on with Entra ID and Microsoft Intune: ensure devices run Chrome 111+ and are Entra ID or hybrid joined; download the Chrome Enterprise ADMX bundle and the Windows ADMX/ADML pair; in Intune, under Devices → Windows → Configuration profiles → Administrative Templates, import Windows (if needed), then Google, Google Update, and Chrome ADMX/ADML in that order; create a new Administrative Templates profile, enable Allow automatic sign-in to Microsoft® cloud identity providers, and assign the profile to the desired groups. Chrome will then use the Windows identity for automatic sign-in to Microsoft cloud services without the Windows Accounts add-on.