Conditional Access with Hybrid Domain Join requires browser extension for Chrome
For Chrome to be compatible with Azure AD conditional access policies that check for Hybrid Domain Join, you must install a browser extension from (here) *or* deploy a registry key from (here).
This is because Chrome does not pass the Hybrid Domain Join status, as shown below:
[Screenshot comparison: Chrome | IE or Edge]
Adding the browser extension or the registry keys allows a user to use Chrome for SSO access under the conditional access policy.
Otherwise, you will get the error “You can’t get there from here”.