Quick Guide: Enable Single Sign On (SSO) for Chrome and Firefox

Enabling Single Sign-On (SSO) for third-party browsers like Google Chrome and Firefox offers several benefits. Firstly, users won’t have to repeatedly authenticate when working from different browsers. Secondly, and more importantly from a security perspective, when SSO is enabled, Microsoft Intune is able to assess the device’s compliance status. Without SSO, Conditional Access will consider the device non-compliant whenever the user works from a third-party browser.

In this Quick Guide, I will guide you through the steps on how to configure SSO for Google Chrome and Firefox by utilizing Microsoft Intune’s configuration policies.

Enable Single Sign on for Google Chrome 

In March 2022, Microsoft introduced Google Chrome settings to the Settings Catalog in Microsoft Intune. As a result, we can now manage Google Chrome settings without the need to ingest ADMX files or configure custom URIs.

  1. Firstly, let’s start by navigating to the Microsoft Intune admin center > Devices > Configuration Profiles > +Create Profile.
  2. Select the Platform Windows 10 and later, the Profile type Settings catalog, and click Create.
  3. Enter a name and description for your policy and click Next.
  4. Click Add settings > search and select the Google Chrome Extensions settings > select Configure the list of force-installed apps and extensions (user).
  5. Enable the policy setting, copy/paste the extension ID below, and click Next.
     ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx
  6. Assign users to the policy and finish by creating it.

Enable Single Sign on for Firefox

Unfortunately, Microsoft hasn’t added Firefox settings to the Settings Catalog in Microsoft Intune yet. This means we’ll have to ingest the ADMX file and configure a custom OMA-URI, but we will do this as efficiently as possible in one single configuration profile.

  1. Firstly, let’s start by navigating to the Microsoft Intune admin center > Devices > Configuration Profiles > +Create Profile.
  2. Select the Platform Windows 10 and later, the Profile type Templates, the Template name Custom, and click Create.
  3. Enter a name and description for your policy.
  4. Add an OMA-URI Setting, use the settings below, and click Save.
     Name: Firefox ADMX ingestion
     OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/Firefox
     Data type: String
     Value: Insert the contents of the latest firefox.admx file here (download link)
  5. Add another OMA-URI Setting, use the settings below, and click Save.
     Name: Firefox SSO
     OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/WindowsSSO
     Data type: String
     Value: <enabled />
  6. Assign users to the policy and finish by creating it.

User Experience 

Once the configuration profiles have been deployed, you will notice the Windows Accounts extension added to the Google Chrome Browser. As this extension is managed by Microsoft Intune, users won’t have the ability to disable it.

In Firefox, you will find that Single Sign On has been configured in the Privacy & Security section of the settings. You will notice that the option is grayed out, preventing users from disabling it.
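
To confirm on a device that both profiles landed and that SSO has something to work with, the check below reads the browser policy values and the device registration state. It is an added example, not part of the original guide; the registry paths are the standard Chrome and Firefox policy locations and are assumed here, as are the `dsregcmd /status` field names it looks for.

```powershell
# Added verification sketch. Run in the signed-in user's (non-elevated) session.
# Assumption: standard Chrome/Firefox policy registry locations.
$extensionId = 'ppnbnpeolgkicgegkbkbjmhlideopiji'   # ID from the Chrome steps above
$chromeKeys  = @(
    'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
)

function Test-ChromeForceInstall {
    param([string]$Id, [string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        # Entries are stored as numbered string values: "<id>;<update URL>"
        foreach ($name in $item.GetValueNames()) {
            if ([string]$item.GetValue($name) -like "$Id*") { return $true }
        }
    }
    return $false
}

function Test-FirefoxWindowsSso {
    # The WindowsSSO policy is delivered device-wide (./Device OMA-URI), so check HKLM.
    $key   = 'HKLM:\Software\Policies\Mozilla\Firefox'
    $props = Get-ItemProperty -Path $key -Name 'WindowsSSO' -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.WindowsSSO -eq 1)
}

function Get-DsregFlag {
    param([string[]]$Status, [string]$Name)
    # dsregcmd prints lines such as "AzureAdJoined : YES"
    foreach ($line in $Status) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return ($Matches[1] -eq 'YES') }
    }
    return $false
}

$dsreg = & dsregcmd.exe /status
[pscustomobject]@{
    ChromeExtensionForced = Test-ChromeForceInstall -Id $extensionId -Keys $chromeKeys
    FirefoxWindowsSso     = Test-FirefoxWindowsSso
    AzureAdJoined         = Get-DsregFlag -Status $dsreg -Name 'AzureAdJoined'
    WorkplaceJoined       = Get-DsregFlag -Status $dsreg -Name 'WorkplaceJoined'
    AzureAdPrt            = Get-DsregFlag -Status $dsreg -Name 'AzureAdPrt'
}
```

If the policy values are present but `AzureAdPrt` is False, the device has no Primary Refresh Token for the browser to use, and sign-in prompts will continue regardless of the browser configuration.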

If you have followed this Quick Guide, users won’t have to authenticate anymore while working from Google Chrome or Firefox. More importantly, Microsoft Intune can assess device compliance, and Conditional Access policies can be enforced.

Productivity + Security = 🎉


About the author

Myron Helgering:

6 Comments

  1. Nobi Jonker

    August 1, 2023

    Hi Myron,

    Did you also try the new way where you can import the ADMX files and create an administrative import template and you can set up all your settings for Firefox and Chrome?

    • Myron Helgering

      August 1, 2023

      Hi Nobi! Yes, I am familiar with importing the ADMX files, and managing the browser settings that way. But, since the Google Chrome settings (and hopefully Firefox settings soon) are now directly integrated in the settings catalog, I prefer this method instead. It makes the importing of ADMX files unnecessary, at least for Google Chrome, which makes this method a little bit more efficient. But thank you for your comment and don't worry, it is definitely not wrong doing it this way!

  2. Paul Mitchell

    November 22, 2023

    I don't suppose you have ever received an error 65000 when attempting to deploy the Google Chrome settings?

    • Myron Helgering

      December 22, 2023

      This error could be coming from the fact that the ADMX settings are not available on the device itself.
      Which would be strange to me because the ADMX should have been automatically ingested with the policy.
      Sadly, I haven't seen this error during Google Chrome settings deployment. Is your device on a recent build?
      EDIT: You could read this blog from Rudy Ooms, where he explains the error 65000 in detail but while being in a different situation.

  3. Jarred

    December 20, 2023

    Thanks for this post. I've enabled this extension; however, it still prompts for sign-in and MFA. Does something need to be configured in conditional access to allow for this to work without the sign-in and MFA prompt?

    • Myron Helgering

      December 22, 2023

      No, Conditional Access is not required for SSO to be working properly.
      Is SSO functioning while being signed in from the MS Edge browser? If not, you might have a problem with the workplace join.
      You can troubleshoot this by using the "dsregcmd /status" command in CMD from the device.
      If not, do you perhaps have a Conditional Access policy with the "sign-in frequency" enabled?
