Microsoft Intune now allows you to configure Platform SSO (Single Sign-On) for Apple macOS devices. Platform SSO is an extension to the existing Microsoft Enterprise SSO plug-in that brought single sign-on (SSO) to macOS using Microsoft Entra ID accounts.

Benefits of Platform SSO on macOS

Compared to the aforementioned Microsoft Enterprise SSO plug-in, however, Platform SSO has some fairly significant advantages. One of the main advantages is that logging in with Platform SSO can be phishing-resistant thanks to the secure enclave, which was not possible with the Microsoft Enterprise SSO plug-in.

The principle of how Platform SSO works is very similar to Windows Hello for Business. A user can use biometrics (Touch ID / Face ID) to log in to macOS. When secure enclave is set as the authentication method, hardware-backed cryptographic keys are used in the background, which are then used to authenticate the user instead of the standard Microsoft Entra ID credentials and tokens. This provides phishing-resistant authentication.

Features of Platform SSO on macOS

Platform SSO is considered password-less and meets phishing-resistant multifactor authentication (MFA) requirements when the secure enclave is used as the authentication method.

The local account username and password are unchanged, and the end user still uses the password for the first login after a macOS reboot. This is due to the way Apple FileVault works: the local user’s password is used to unlock the disk encryption key. After the first login, the user can use biometrics (Touch ID) for authentication.

After the Touch ID unlock, the device obtains the hardware-backed Primary Refresh Token (PRT) for device-wide SSO. This PRT can then be used as a passkey in web browsers thanks to the WebAuthn API.

Also, as with Windows Hello for Business on Windows, Platform SSO enables the creation and usage of Microsoft Entra ID passkeys.

How to configure Platform SSO for macOS using Microsoft Intune

Open the Microsoft Intune admin center and go to Devices – Configuration – Create – New policy. Select macOS as the Platform and select Settings Catalog as the Profile Type. On the next page, set any name and description.

In Configuration settings, select Add settings. In the settings picker, expand Authentication, and select Extensible Single Sign On (SSO). Check the following options:

  • Extension Identifier
  • Expand Platform SSO:
    • Select Authentication Method (macOS 14+)
    • Select Use Shared Device Keys
  • Registration Token
  • Screen Locked Behavior
  • Team Identifier
  • Type
  • URLs

Enter the following values in the settings:

  • Extension Identifier: com.microsoft.CompanyPortalMac.ssoextension
  • Authentication Method: UseSecureEnclaveKey
  • Use Shared Device Keys: Enabled
  • Registration Token: {{DEVICEREGISTRATION}}
  • Screen Locked Behavior: Do Not Handle
  • Team Identifier: UBF8T346G9
  • Type: Redirect

(Screenshot: Platform SSO settings in Microsoft Intune)

Enter the following addresses under URLs:

  • https://login.microsoftonline.com
  • https://login.microsoft.com
  • https://sts.windows.net
  • https://login.partner.microsoftonline.cn
  • https://login.chinacloudapi.cn
  • https://login.microsoftonline.us
  • https://login-us.microsoftonline.com

The basic setup for Platform SSO is now complete. You can also add a few more optional settings, such as:

  • Account Display Name to set the organization name shown during the device registration process,
  • Enable Create User At Login to allow a user to sign in at the login window with Microsoft Entra ID credentials,
  • New User Authorization Mode to set the one-time permissions granted to a new user at initial login,
  • User Authorization Mode to set the persistent permissions granted to a new user.

Disabling the Microsoft Enterprise SSO plug-in

It is important to note that you cannot have both Platform SSO and the Microsoft Enterprise SSO plug-in active at the same time. If both are assigned, you will see error 10002: Multiple SSO payloads configured in Intune. So you need to remove the assignment of the configuration profile containing the Microsoft Enterprise SSO plug-in from those devices to which you will apply the Platform SSO configuration profile.
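The settings catalog profile above is delivered to the Mac as a com.apple.extensiblesso payload. The following Python script is an added example, not code from the article or from Microsoft: it builds that payload with the values listed above, serializes it as a .mobileconfig, checks that the result is the phishing-resistant configuration (secure enclave key, HTTPS identity provider URLs, Microsoft's extension and team identifiers), and counts extensiblesso payloads across a set of profiles to show the condition behind the "multiple SSO payloads" error. It assumes Apple's plist key names for the payload (AuthenticationMethod takes the value UserSecureEnclaveKey in the plist; the Intune picker shows a slightly different label) and uses a constructed legacy plug-in profile as sample input; the {{DEVICEREGISTRATION}} token is substituted by Intune at delivery time, not by this script.

```python
import plistlib
import uuid

# Values from the article's settings table; the extension and team identifiers
# are Microsoft's published values for the Company Portal SSO extension.
EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_ID = "UBF8T346G9"
PSSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]


def build_platform_sso_payload(auth_method="UserSecureEnclaveKey",
                               shared_device_keys=True,
                               registration_token="{{DEVICEREGISTRATION}}",
                               optional_settings=None):
    """Return the com.apple.extensiblesso payload dict mirroring the Intune settings.

    auth_method uses Apple's plist value for the secure enclave option (assumed key
    names per Apple's ExtensibleSingleSignOn payload). optional_settings can add
    PlatformSSO keys such as AccountDisplayName.
    """
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": f"com.apple.extensiblesso.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "ExtensionIdentifier": EXTENSION_ID,
        "TeamIdentifier": TEAM_ID,
        "Type": "Redirect",
        "URLs": list(PSSO_URLS),
        "RegistrationToken": registration_token,  # Intune substitutes this token
        "ScreenLockedBehavior": "DoNotHandle",
        "PlatformSSO": {
            "AuthenticationMethod": auth_method,
            "UseSharedDeviceKeys": shared_device_keys,
        },
    }
    if optional_settings:
        payload["PlatformSSO"].update(optional_settings)
    return payload


def build_profile(payloads, display_name="Platform SSO"):
    """Wrap payload dicts in a top-level profile and return mobileconfig XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"example.profile.{uuid.uuid4()}",  # hypothetical id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def validate_platform_sso(payload):
    """Return findings; an empty list means the payload is the phishing-resistant setup."""
    findings = []
    if payload.get("ExtensionIdentifier") != EXTENSION_ID:
        findings.append("ExtensionIdentifier is not the Company Portal SSO extension")
    if payload.get("TeamIdentifier") != TEAM_ID:
        findings.append("TeamIdentifier does not match Microsoft's team ID")
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect for Microsoft Entra ID")
    if not payload.get("RegistrationToken"):
        findings.append("RegistrationToken missing; device registration will not start")
    bad_urls = [u for u in payload.get("URLs", []) if not u.startswith("https://")]
    if bad_urls:
        findings.append(f"non-HTTPS identity provider URLs: {bad_urls}")
    psso = payload.get("PlatformSSO")
    if psso is None:
        findings.append("no PlatformSSO dictionary: legacy Enterprise SSO plug-in shape")
    elif psso.get("AuthenticationMethod") != "UserSecureEnclaveKey":
        findings.append("AuthenticationMethod is not the secure enclave key; not phishing-resistant")
    return findings


def find_sso_payloads(profiles_xml):
    """Return (profile name, extension id) for every com.apple.extensiblesso payload.

    More than one such payload on a device is the 'multiple SSO payloads' condition.
    """
    found = []
    for blob in profiles_xml:
        profile = plistlib.loads(blob)
        for payload in profile.get("PayloadContent", []):
            if payload.get("PayloadType") == "com.apple.extensiblesso":
                found.append((profile.get("PayloadDisplayName"), payload.get("ExtensionIdentifier")))
    return found


# Constructed sample: the new Platform SSO profile plus a legacy Enterprise SSO
# plug-in profile (same extension, no PlatformSSO key) still assigned to the device.
PLATFORM_SSO_PROFILE = build_profile([build_platform_sso_payload()])
_legacy = build_platform_sso_payload()
del _legacy["PlatformSSO"], _legacy["RegistrationToken"]
LEGACY_SSO_PROFILE = build_profile([_legacy], display_name="Enterprise SSO plug-in")

if __name__ == "__main__":
    print(PLATFORM_SSO_PROFILE.decode())
    print("findings:", validate_platform_sso(build_platform_sso_payload()))
    print("SSO payloads:", find_sso_payloads([PLATFORM_SSO_PROFILE, LEGACY_SSO_PROFILE]))
```

Running the script prints the generated profile, an empty findings list for the secure-enclave configuration, and two extensiblesso payloads for the sample device, which is exactly the overlap you must resolve by unassigning the legacy plug-in profile before Platform SSO will register.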

Applying the Platform SSO Profile to macOS devices

At this point, just apply the newly created profile to your users or devices. The profile can be applied to new devices as well as to existing devices that are already managed by Microsoft Intune.

After the device receives this new configuration profile, the Microsoft Company Portal app on macOS prompts the user to register the device. After the user goes through the device registration process, the device’s Microsoft Entra ID status changes from the original Microsoft Entra registered status to the new Microsoft Entra joined status.

Verifying the status of Platform SSO

If you want to verify that Platform SSO has actually been applied to your device, you can go to Settings – Privacy and security – Profiles on macOS. Your Platform SSO profile is shown under com.apple.extensiblesso Profile. Select the profile to see the settings you configured, including the URLs.

You can find a detailed video showing all the settings with spoken commentary describing each configuration option in detail on my Patreon. By subscribing you also support my work. Thank you!