I did a trace on the sign in process and it looks like an interactive sign in involves these URL's
Chrome-initiated browser login hits these:
POST 2017.01.31 14:44:48 https://accounts.google.com/_/common/diagnostics/?hl=en&_reqid=NNNNN&rt=j
In contrast going to gmail in a browser hits these
Relaunching Chrome if you've ever connected your account to Chrome will hit these sites:
My guess based on this is that blocking
might be a good way to prevent new folks from logging in and connecting their Chrome.
Might be reasonable ways to block re-login's.
Note also that logging into Chrome also makes it generate a lot of https://mtalk.google.com:5228 traffic if chat is enabled for that google account. If you have to block instant messaging in your environment, this sure causes a lot of noise in logs, which is another nice reason to block users from associating their user account to Chrome.
That guess, however would be wrong. LOL. Further datapoints necessary apparently. The blocks above don't work and some combo of
client*.google.com and www.googleapis.com appears to be the likely path of blocking. That will have a lot of collateral damage though, I reckon.
I'll post if I figure it out.