Integrate with Microsoft Active Directory

This document is for IT administrators integrating Chrome devices with a Microsoft Active Directory server. For information on how to contact support, see Support options.

Important: Already have an account with Admin console access? You can’t use your existing Chrome Enterprise, Chrome Education, or G Suite account to integrate Chrome devices with Active Directory. If you want to set up and manage integrated devices, you need to create a new (separate) Chrome Enterprise domain and account (steps below).

Step 1: Set up a Chrome Enterprise domain

To create a Chrome Enterprise domain and administrator account, you need to provide a name, email address, phone number, business name, and account name (domain prefix). You’ll be emailed a verification link to complete the signup and configure your account password. You can then access the Google Admin console to manage your devices.

  1. Sign up for a Chrome Enterprise domain.

    The email address you enter in the sign-up process is automatically set as the recovery email for your administrator account.

  2. Click the link in the verification email to configure your account password.
  3. Sign in to the Google Admin console using your account name and password.
  4. Create multiple users and assign them administrator roles.
Step 2: Enroll Chrome devices

When you set up a Chrome Enterprise domain, you automatically get 10 trial Chrome Enterprise licenses. Each Chrome device that you want to integrate with Microsoft Active Directory uses one of these licenses.

Note: Use your Chrome Enterprise domain account credentials to perform the steps in this section.

  1. Sign in to the Google Admin console.
  2. Click Device Management > Chrome Devices, and verify that you have 10 licenses available.
  3. For each device you have, follow the steps in Enroll your Chrome devices to enroll your devices with your Google server.

If you want to continue using the Chrome Microsoft Active Directory integration after your trial period, you need to buy additional licenses from one of our Chrome partners. Note that only Chrome Enterprise annual licenses are applicable for this integration.

Step 3: Join your Chrome device to the domain

After you enroll a device with the Google server, the device displays the domain joining screen.

  1. Enter a device name for your Chromebook.

    This name identifies the device (its computer object) in Microsoft Active Directory.

  2. To authenticate the domain joining request, enter your Microsoft Active Directory credentials.
  3. Confirm that the Chrome device appears under the Users and Computers tool in Microsoft Active Directory.
  4. Move the device to the correct organizational unit to ensure that the correct organizational unit settings are applied to your device.

The device should now display the sign-in screen, which allows users to sign in directly with their Microsoft Active Directory user credentials.
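The check in step 3 and the move in step 4 can also be done from a domain-joined Windows machine with the ActiveDirectory module, which is handy when you have more than a handful of devices. This is an added example and not part of the Google article; the device name CHROMEBOOK-01, the domain corp.example.com and the OU Chromebooks are placeholders.

```powershell
# Added example (not from the Google article): verify the Chromebook's computer
# object after the domain join and move it into the intended OU.
# Placeholders: the device name, the domain and the OU; adjust to your environment.
Import-Module ActiveDirectory

$deviceName = 'CHROMEBOOK-01'                                # name entered on the domain-joining screen
$targetOu   = 'OU=Chromebooks,DC=corp,DC=example,DC=com'     # OU whose GPOs should apply to the device

# Step 3: the computer object must exist once the join succeeded.
# -ErrorAction Stop turns "not found" into a terminating error instead of a silent $null.
$computer = Get-ADComputer -Identity $deviceName -Properties whenCreated -ErrorAction Stop
"Found {0} at {1} (created {2})" -f $computer.Name, $computer.DistinguishedName, $computer.whenCreated

# Step 4: move it only if it is not already under the target OU.
if ($computer.DistinguishedName -notlike "*,$targetOu") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
}

# Confirm the new location; GPOs linked to $targetOu now apply to this device.
(Get-ADComputer -Identity $deviceName).DistinguishedName
```

If `Get-ADComputer` throws, the join did not create the object (or you are looking at a different domain); resolve that before linking policies, since nothing in Step 4 will reach a device that AD does not know about.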

Step 4: Configure Group Policy Objects to manage users and devices

You can use Group Policy Objects (GPOs) to manage domain-joined Chrome devices and users.

  1. Download the Chrome OS ADMX templates.
  2. (Optional) For information on the various policies you can use to configure your Chrome user and device policies, consult the policy list documentation.
  3. Create GPOs and push them to the relevant organizational units and groups for your users and devices.
Step 5: Configure your domain for Google Play Store access
  1. To enable Android applications for your domain:
    1. Sign in to the Google Admin console.
    2. Go to Device Management > Chrome management > Android application settings.
    3. Select Enable Android applications for your domain.
  2. Configure Relying Party Trust on Microsoft Windows server.

    Note: Before you begin this step, ensure that an ADFS server has been set up.

    1. In the AD FS Management console, go to AD FS > Trust Relationships > Relying Party Trusts and select Add Relying Party Trust. Click Start.
    2. Select Import data about the relying party published online or on local network.
    3. Set the Federation metadata address to https://m.google.com/devicemanagement/data/api/SAML2
    4. Click Next through the remaining pages, accepting the defaults, then click Close.
    5. In the Edit Claim Rules dialog box click Add Rule….
    6. Make sure Send LDAP Attributes as Claims is selected. Click Next.
    7. Under Attribute Store, select Active Directory.
    8. Under LDAP Attribute, type objectGUID.
    9. Under Outgoing Claim Type, select Name ID.
    10. Click Finish. Click OK.

    For more information on setting up a relying party trust on Microsoft Windows Server, see Microsoft’s official documentation.

  3. Configure SAML settings in the Google Admin console:
    1. Download the AD FS metadata from https://your_ADFS_server_name/federationmetadata/2007-06/federationmetadata.xml.
    2. Sign in to the Google Admin console.
    3. Go to Device Management > Chrome management > Microsoft® Active Directory® integration settings.
    4. Click the Upload Identity Provider Metadata button and upload the AD FS metadata file.

    Note: Before users can use the Play Store on Chrome devices, they are redirected to this configured SAML endpoint to authenticate.
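The relying party trust from step 2 and the metadata download from step 3 can be scripted on the AD FS server with the ADFS module, which also makes the claim rule reviewable as text. This is an added example, not part of the Google article or of Google's tooling; the trust name "Chrome device management" and the host name adfs.corp.example.com are placeholders. The claim-rule text is what the "Send LDAP Attributes as Claims" template generates for objectGUID mapped to Name ID, and the permit-all authorization rule is the wizard's default when you accept every page.

```powershell
# Added example (not from the Google article): create the relying party trust
# for Google device management and the objectGUID -> Name ID claim rule with the
# AD FS cmdlets, then download the AD FS metadata for the Admin console.
# Run on the AD FS server as an AD FS administrator.
# Placeholders: the trust name and the AD FS host name.
Import-Module ADFS

$trustName   = 'Chrome device management'
$metadataUrl = 'https://m.google.com/devicemanagement/data/api/SAML2'   # federation metadata address from step 2.3

# Steps 2.1-2.4: import the relying party from Google's published metadata.
# MonitoringEnabled/AutoUpdateEnabled let AD FS refresh the trust when the metadata changes.
if (-not (Get-AdfsRelyingPartyTrust -Name $trustName)) {
    Add-AdfsRelyingPartyTrust -Name $trustName -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
}

# Steps 2.5-2.10: "Send LDAP Attributes as Claims", attribute store Active Directory,
# LDAP attribute objectGUID, outgoing claim type Name ID.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "objectGUID as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";objectGUID;{0}", param = c.Value);
'@

# Accepting the wizard defaults permits all users; set that explicitly so the
# trust's authorization policy is visible in the script rather than implied.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check the trust before moving to the Admin console.
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, MetadataUrl, Enabled

# Step 3.1: save the AD FS metadata that the Admin console upload needs.
$adfsHost = 'adfs.corp.example.com'
Invoke-WebRequest -Uri "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml" `
    -OutFile "$env:USERPROFILE\Desktop\federationmetadata.xml"
```

Keep the authorization rule as tight as your environment allows: the permit-all rule reproduces the wizard default, but replacing it with a group-based rule limits which AD users can complete the Play Store sign-in at all.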

Step 6: Configure Android applications for users

To approve and configure apps for your users:

  1. Sign in to managed Google Play.
  2. Approve apps for your users. All apps approved for the domain will automatically show up for all your users when they open the Google Play Store. For more information, see the managed Google Play Store help center.
  3. Set the Enable ARC (ArcEnabled) policy to true to enable Play Store access for your users.
  4. Set up the Configure ARC (ArcPolicy) policy to force the installation of apps to your users and apply managed configurations to them.
  5. Use the Pinned apps (PinnedLauncherApps) policy to pin Android apps (as well as Chrome apps) to the launcher.
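Steps 4 and 6 together amount to one GPO: create it, write the three policies, and link it to the OU that holds your Chrome users. The following is an added example with the GroupPolicy module (RSAT), not code from the Google article or from the Chrome OS templates. The GPO name, the OU, the domain, the package name com.example.app, the managed-configuration key and the Chrome app ID are placeholders; the registry location Software\Policies\Google\ChromeOS is the one the Chrome OS ADMX templates use for user policies. The ADMX templates are still needed in your PolicyDefinitions store to see and edit these values in the GPMC editor; the values themselves are written to the GPO regardless.

```powershell
# Added example (not from the Google article): build the GPO that steps 4 and 6
# describe and link it to an OU. Requires the GroupPolicy RSAT module.
# Placeholders: GPO name, OU/domain, package name, managed configuration, app ID.
Import-Module GroupPolicy

$gpoName   = 'ChromeOS - Android apps'
$targetOu  = 'OU=ChromeOS,DC=corp,DC=example,DC=com'     # OU containing the users these policies apply to
$policyKey = 'HKCU\Software\Policies\Google\ChromeOS'    # Chrome OS user-policy location from the ADMX templates

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Enable ARC (ArcEnabled): a boolean policy, stored as a DWORD (1 = true).
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'ArcEnabled' -Type DWord -Value 1 | Out-Null

# Configure ARC (ArcPolicy): a JSON string. Force-install one app and give it a
# managed configuration. Building it as a hashtable and serializing avoids
# hand-escaped quotes in the policy value.
$arcPolicy = @{
    applications = @(
        @{
            packageName          = 'com.example.app'          # placeholder package
            installType          = 'FORCE_INSTALLED'
            managedConfiguration = @{ serverUrl = 'https://intranet.corp.example.com' }  # placeholder key/value
        }
    )
} | ConvertTo-Json -Depth 5 -Compress
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'ArcPolicy' -Type String -Value $arcPolicy | Out-Null

# Pinned apps (PinnedLauncherApps): a list policy, stored as numbered string
# values under a subkey. Android apps are identified by package name, Chrome
# apps by their 32-character app ID (the one below is a made-up placeholder).
$pinned = @('com.example.app', 'aaaabbbbccccddddeeeeffffgggghhhh')
for ($i = 0; $i -lt $pinned.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$policyKey\PinnedLauncherApps" `
        -ValueName "$($i + 1)" -Type String -Value $pinned[$i] | Out-Null
}

# Link the GPO to the OU unless it is already linked there.
if ((Get-GPInheritance -Target $targetOu).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Review what was written to the GPO.
Get-GPRegistryValue -Name $gpoName -Key $policyKey
```

Because the devices read these settings through Group Policy, a change here takes effect on the next policy refresh on the Chrome device; verify on one device before widening the OU link.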