Implementing seamless single sign-on (SSO) for Google Chrome can be an effective way to improve productivity and user experience in a corporate environment.
You can use Intune to distribute either the SSO extension (the "Windows Accounts" add-in) or, more recently, the Google Chrome setting for SSO with Azure AD.

Google Chrome - with vs. without single sign-on

Google Chrome with default settings

With the default settings you have to enter both user name and password when logging in. Neither single sign-on (SSO) nor the transfer of your login address from Windows works:

Google Chrome without SSO

If Single Sign On is configured, the browser behaves as follows with the same access:

Google Chrome with Azure AD SSO

And it can be so beautiful:

Google Chrome with SSO

Intune configuration for Google Chrome SSO

The old way

With the old way, the "Windows Accounts" extension has to be installed in Google Chrome.
The extension can be installed manually on each user device or, much more easily, via Intune and a Settings Catalog profile. To do this, we first need the extension ID, which we find by opening the extension in the "Chrome Web Store". The ID is then visible in the URL:

Windows Accounts Extension ID
Extension ID: ppnbnpeolgkicgegkbkbjmhlideopiji

You create the profile under:
Devices > Windows > Configuration profiles ... + Create profile (Windows 10 and later, Settings catalog)

Here you assign a meaningful name and optionally a description:

Settings catalog, Google Chrome

In the next step you add the setting "Configure the list of force-installed apps and extensions":

Configure the list of force-installed apps and extensions

Activate this option and insert the extension ID: ppnbnpeolgkicgegkbkbjmhlideopiji

Chrome Extension, Microsoft SSO

Once the extension is active, Google Chrome will support SSO.
The login then works seamlessly with an account that is integrated in Windows.

If you have connected multiple accounts, you can choose which one you want to use for the sign-in:

The new way 🥳

With version 111 of Google Chrome, the Identity Provider was integrated into the browser and the ADMX. The add-on is no longer necessary!

To activate the "new way", create a new Settings Catalog profile or add the setting to your existing one.
In it you only have to select the option "Allow automatic sign-in to Microsoft® cloud identity providers".
--> At least, that is my wish 😉

June 2023: Unfortunately we still have to make a small detour via ADMX import.

You can find the current Google Chrome ADMX files here: Download bundle - Chrome Enterprise and Education Help

You have to upload (in this order):

  1. From your local current Windows 11 (if not already done)
  2. Configuration\admx\google.admx
  3. Configuration\admx\GoogleUpdate.admx
  4. Configuration\admx\chrome.admx

Now we can create a new policy in the templates with "Imported Administrative Templates":

Intune profile

Here, as always, we give the policy a name and optionally a description.

And now all we have to do is enable the option and assign the policy. That's it.
Option: Allow automatic sign-in to Microsoft® cloud identity providers

Chrome SSO ADMX, Intune
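
To confirm on a client that one of the two configurations actually arrived, a check like the following can be run in PowerShell on the device. It is an added example, not part of the original post, and it assumes Chrome's registry policy names `CloudAPAuthEnabled` (the "Allow automatic sign-in to Microsoft® cloud identity providers" option) and `ExtensionInstallForcelist`, the policy key `SOFTWARE\Policies\Google\Chrome`, and the default Chrome install paths.

```powershell
# Added example: report which Chrome SSO configuration is present on this device.
# Assumptions: policy key and value names as used by Chrome on Windows, default install paths.
$extensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'   # "Windows Accounts" ID from the post
$policyRoots = 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome'

function Get-ChromeMajorVersion {
    # Returns the installed Chrome major version, or $null if chrome.exe is not found.
    $candidates = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                  "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
    foreach ($exe in $candidates) {
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
            $major = ($version -split '\.')[0]
            return [int]$major
        }
    }
    return $null
}

function Get-ChromeSsoState {
    $state = [ordered]@{
        ChromeMajor        = Get-ChromeMajorVersion
        CloudAPAuthEnabled = $false   # "new way": built-in policy, Chrome 111+
        ExtensionForced    = $false   # "old way": force-installed extension
    }
    foreach ($root in $policyRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Get-Item -LiteralPath $root
        if ($key.GetValue('CloudAPAuthEnabled') -eq 1) { $state.CloudAPAuthEnabled = $true }

        # Forcelist entries are numbered string values: "<id>" or "<id>;<update url>".
        $listPath = Join-Path $root 'ExtensionInstallForcelist'
        if (Test-Path -LiteralPath $listPath) {
            $list = Get-Item -LiteralPath $listPath
            foreach ($name in $list.GetValueNames()) {
                if ([string]$list.GetValue($name) -like "$extensionId*") { $state.ExtensionForced = $true }
            }
        }
    }
    [pscustomobject]$state
}

$s = Get-ChromeSsoState
$s | Format-List
if ($s.CloudAPAuthEnabled -and $s.ChromeMajor -ge 111) { 'SSO via built-in policy (new way)' }
elseif ($s.CloudAPAuthEnabled) { 'Policy is set, but Chrome is older than 111 or was not found' }
elseif ($s.ExtensionForced)    { 'SSO via Windows Accounts extension (old way)' }
else                           { 'No Chrome SSO policy found on this device' }
```

The same values should also show up in Chrome itself under `chrome://policy` once the Intune profile has synced.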


The "Windows Accounts" add-on is finally no longer necessary and the configuration can be made a bit nicer via ADMX. In local environments (GPOs), where the settings have to be imported anyway, that's no extra work and it's great. Hopefully, the new setting will soon be integrated into the Intune Settings Catalog, so that you really only need one click for the configuration.