MacOS Foundation - PlatformSSO
MacOS : Understanding PlatformSSO in Devicie
Overview:
Platform SSO is a Microsoft Entra feature that enhances the Microsoft Enterprise SSO plug-in and the SSO app extension.
When the device receives the policy, a "Registration required" notification appears in Notification Center.

End users select this notification, sign in to the Microsoft Entra ID plug-in with their organization account, and complete multi-factor authentication (MFA) if it is required.
Pre-Requisites:
Ensure that per-user MFA is not enabled for users. Transition to Conditional Access MFA in accordance with Microsoft Entra ID recommendations.
Recommended Assignment Target:
Assign to All Devices and exclude Shared Devices.
Variable Settings:
| Name | Purpose | Type | Default Value |
|---|---|---|---|
| LAPS Admin Username | The list of local accounts that aren't subject to FileVault Policy, Login Policy, or Unlock Policy. | array of strings | ["ladvc"] |
Base Settings:
| Setting | Description | Value |
|---|---|---|
| Extension Identifier | The bundle identifier of the app extension that performs SSO for the specified URLs. | com.microsoft.CompanyPortalMac.ssoextension |
| Type | The type of SSO. | Redirect |
| Screen Locked Behavior | If set to Cancel, the system cancels authentication requests when the screen is locked. If set to DoNotHandle, the request continues without SSO instead. | DoNotHandle |
| URLs | An array of URL prefixes of identity providers where the app extension performs SSO. Required for Redirect payloads. | https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net, https://login-us.microsoftonline.com, https://login.microsoftonline.us, https://login.usgovcloudapi.net |
| Platform SSO Use Shared Device Keys | If true, the system uses the same signing and encryption keys for all users. Only supported on the device channel. | True |
| Platform SSO Account Display Name | The display name for the account in notifications and authentication requests. | Microsoft Entra ID |
| Platform SSO Authentication Method | The Platform SSO authentication method to use with the extension. Requires that the SSO Extension also support the method. | Password |
| Platform SSO File Vault Policy | The policy to apply when using Platform SSO at FileVault unlock on a Mac with Apple silicon. Applies when Authentication Method is Password. | AttemptAuthentication |
| Platform SSO Login Policy | The policy to apply when using Platform SSO at the Login Window. Applies when Authentication Method is Password. | AttemptAuthentication |
| Platform SSO Unlock Policy | The policy to apply when using Platform SSO at screensaver unlock. Applies when Authentication Method is Password. | AttemptAuthentication |
| Extension Data browser sso interaction enabled | Keys and values to pass to the app extension. | 1 |
| Extension Data disable explicit app prompt | Keys and values to pass to the app extension. | 1 |
| Extension Data App Prefix Allow List | Keys and values to pass to the app extension. | com.microsoft.,com.apple. |
| Registration Token | The token this device uses for registration with Platform SSO. Use it for silent registration with the Identity Provider. | |
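As an added illustration (not Devicie's own profile), the settings above expressed as the Apple Extensible Single Sign-On payload dictionary that an MDM wraps into a configuration profile. The PlatformSSO key names follow Apple's payload schema, the Extension Data key names and the TeamIdentifier follow Microsoft's Enterprise SSO plug-in documentation rather than this page, and the Registration Token is left out because the page gives it no value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Payload type for the Extensible SSO payload; PayloadIdentifier/UUID are added by the MDM -->
  <key>PayloadType</key><string>com.apple.extensiblesso</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
  <!-- Assumption: Microsoft's Apple team identifier, required for a Redirect payload -->
  <key>TeamIdentifier</key><string>UBF8T346G9</string>
  <key>Type</key><string>Redirect</string>
  <!-- Locked screen: let the request continue without SSO rather than cancelling it -->
  <key>ScreenLockedBehavior</key><string>DoNotHandle</string>
  <key>URLs</key>
  <array>
    <string>https://login.microsoftonline.com</string>
    <string>https://login.microsoft.com</string>
    <string>https://sts.windows.net</string>
    <string>https://login-us.microsoftonline.com</string>
    <string>https://login.microsoftonline.us</string>
    <string>https://login.usgovcloudapi.net</string>
  </array>
  <!-- Extension Data rows: key names assumed from Microsoft's SSO plug-in documentation -->
  <key>ExtensionData</key>
  <dict>
    <key>browser_sso_interaction_enabled</key><integer>1</integer>
    <key>disable_explicit_app_prompt</key><integer>1</integer>
    <key>AppPrefixAllowList</key><string>com.microsoft.,com.apple.</string>
  </dict>
  <key>PlatformSSO</key>
  <dict>
    <key>AuthenticationMethod</key><string>Password</string>
    <key>AccountDisplayName</key><string>Microsoft Entra ID</string>
    <!-- One signing/encryption key pair shared by all users (device channel only) -->
    <key>UseSharedDeviceKeys</key><true/>
    <!-- The three Password-method policies from the table -->
    <key>FileVaultPolicy</key><string>AttemptAuthentication</string>
    <key>LoginPolicy</key><string>AttemptAuthentication</string>
    <key>UnlockPolicy</key><string>AttemptAuthentication</string>
    <!-- LAPS Admin Username variable: local accounts exempt from the three policies -->
    <key>NonPlatformSSOAccounts</key>
    <array><string>ladvc</string></array>
  </dict>
</dict>
</plist>
```

Keeping the LAPS admin account in NonPlatformSSOAccounts is what preserves a local break-glass login at FileVault, the login window and screensaver unlock if the identity provider is unreachable.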