Chrome Enterprise Core: Quickstart for Integrating with Microsoft Entra ID

There are various ways to integrate Chrome Enterprise Core with your existing Microsoft environment. If you prefer not to use your Google Admin console to create users, you can instead automatically provision users and get a managed Chrome profile using your existing Entra ID infrastructure.

Requirements

• Your organization's primary IdP provider is Microsoft Entra ID.
• A Microsoft Entra tenant. One of the following roles should exist in the tenant:
  • Application Administrator
  • Cloud Application Administrator
  • Application Owner
• You might need to work with other admins in your organization to configure the tools:
  • Intermediate/advanced knowledge of Entra ID
  • Intermediate/advanced knowledge of Google Workspace

How to

There are multiple ways to configure Microsoft Identity—Active Directory or Entra—to work with Chrome Enterprise Core. Here we describe just one way of getting you up and running. Some of these steps might be outside of your core competency. If so, give us feedback so that we can try to simplify the process.

This article is intended for organizations between 300-3000 employees. If your organization is larger, contact us.

Step 1: (Admin console) Get Chrome Enterprise Core

I already have access to Admin console

Add the Chrome Enterprise Core subscription:

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Billing > Subscriptions.

   Requires having the Billing Management administrator privilege. 

3. Click Add or upgrade a subscription.
4. On the left, click Devices & Browser.
5. Under Chrome Enterprise Core, click Get Started.
6. Review your selection and click Checkout.
7. Click Place Order.

I don't have access to the Admin console

You'll need to create an admin account and sign up for Chrome Enterprise Core. Use your work email, such as name@company.com, for sign-up—Not your personal email address.

Step 2: (Admin Console) Verify your domain

From time to time, verifying your domain can be a challenging step. For instructions on how to verify your domain, see Verify your domain for Google Workspace.

If you're having difficulties, sign in to the Admin console and file a support ticket.

Note: Do not proceed to the next step until you have verified your domain.

Step 3: (Microsoft InTune) Configure automatic user provisioning—InTune to Admin Console

Follow the steps in Microsoft documentation: Tutorial: Configure G Suite for automatic user provisioning.

Note: Once you have finished configuring automatic user provisioning, you can always remove users from the Admin console if they're not needed.

Step 4: (Admin Console) Confirm that user provisioning is working as expected

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Directory > Users.
3. If necessary, click at the upper left of the Users list to see the organizational tree.
4. Check to make sure that organization units and users are appearing as expected.

Step 5: (Admin Console) Configure profile management and reporting

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to  Menu  Devices > Chrome > Settings. The User & browser settings page opens by default.

   Requires having the Mobile Device Management administrator privilege.

   If you signed up for Chrome Enterprise Core, go to Menu  Chrome browser > Settings.

3. (Optional) To apply the setting only to some users and enrolled browsers, at the side, select an organizational unit (often used for departments) or configuration group (advanced). Show me how

   Group settings override organizational units. Learn more

4. Configure automatic sign-in to Microsoft cloud identity providers:
   1. Scroll to Sign-in settings.
   2. Click Azure Cloud Authentication.
   3. Select Enable Azure cloud authentication.
   4. Click Save.
5. Configure enterprise profile separation:
   1. Scroll to Sign-in settings.
   2. Click Enterprise profile separation.
   3. Select Enforce profile separation.
   4. Click Save.
      Note: This policy applies only to managed browsers.

6. Turn on Chrome cloud reporting for managed profiles

   1. Scroll to Browser reporting.
   2. Click Managed profile reporting.
   3. Select Enable managed profile cloud reporting.
   4. Click Save.

Step 6: Communicate to your users

Send an email to your users letting them know that they can now sign into Chrome browser using their work account.

Step 7: (Admin console) View app and extension usage details

It can take up to 24 hours for data to show up in reports.

1. Sign in with an administrator account to the Google Admin console.

   If you aren’t using an administrator account, you can’t access the Admin console.

2. Go to Menu  Devices > Chrome > Reports > Apps & extensions usage.

   Requires having the Chrome administrator privilege.

3. (Optional) On the left, select an organizational unit. By default, all extensions are shown.
4. View details about apps and extensions that users have installed in Chrome browser.

Related topics

• Set up Chrome Enterprise Core
• Get support
• View app and extension usage details

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.