
macOS Foundation – Platform SSO (Password)

Overview

This configuration enables Platform SSO with Microsoft Entra ID, using the user's Entra ID password as the method for authentication.  
- Replaces the local account password with the Microsoft Entra ID password, and ensures that the two passwords are kept in sync
- Enables SSO to be used for authentication across all supported apps and websites.

Note: An alternate Platform SSO configuration is available that uses the Secure Enclave authentication method. The Secure Enclave method leaves the local account password as-is and instead uses hardware-bound cryptographic keys to authenticate with Microsoft Entra ID. That configuration is suggested for organisations pursuing password-less authentication for their users.
🔎 For further information about Platform SSO with Secure Enclave, check out macOS Foundation - Platform SSO using Secure Enclave Authentication

User Experience

Shortly after first login, users will be prompted to register with Platform SSO.
[Screenshot: the "registration required" prompt shown on end-user devices when Platform SSO is configured in Microsoft Intune.]
To register, they must sign in with Microsoft Entra ID and complete multi-factor authentication (MFA), if required.
They are then asked to authenticate with their local computer password. This will update the computer password to be the same as their Entra ID password, and finalise registration.

On completion, all SSO-enabled browsers and apps will automatically authenticate the user to Entra ID. This applies to all Microsoft and Apple applications, and to any third-party applications that support SSO.
Both Google Chrome and Firefox need to have SSO enabled via configuration policy, which is covered in Devicie's standard policy offering for both apps.

Pre-requisites

Users cannot have per-user MFA enabled. Use Conditional Access MFA instead.
🔎 More information available here: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/recommendation-turn-off-per-user-mfa  

Only available for Microsoft Entra join deployments. Hybrid join is not supported.

Troubleshooting Notes

If you configure password complexity requirements on your Macs, ensure they match your Entra ID password requirements. Because the local account password is replaced with the Entra ID password, the two policies must accept the same passwords.

Ensure that users have permission to both join and register devices with Entra ID.
In the Microsoft Entra admin centre, under Microsoft Entra ID join and registration settings, ensure that "All" is selected for "Users may join devices to Microsoft Entra".

If a user's password is reset by an IT admin, they must use another device to log in and set up their new password. Logging in with a temporary password is not supported.

What is being deployed

Policy Name: macOS Foundation - PlatformSSO with Password Sync

Recommended Assignment Targets: All Devices, exclude Shared Devices

Policy Variables

| Variable | Description | Value |
|---|---|---|
| Computer accounts to exclude from Platform SSO | An array of computer usernames to exclude from Platform SSO registration. | The username of any tech admin accounts |

Policy Settings

| Setting | Description | Value |
|---|---|---|
| ExtensionIdentifier | Bundle identifier for the Microsoft Enterprise SSO extension | com.microsoft.CompanyPortalMac.ssoextension |
| TeamIdentifier | Apple Team ID for validating the SSO extension | UBF8T346G9 |
| Type | SSO extension mode | Redirect |
| ScreenLockedBehavior | SSO behavior when screen is locked | DoNotHandle |
| URLs | Microsoft Entra ID login endpoints | https://login.microsoftonline.com, https://login.microsoft.com, https://sts.windows.net, https://login-us.microsoftonline.com, https://login.microsoftonline.us, https://login.usgovcloudapi.net |
| PlatformSSO → UseSharedDeviceKeys | Share cryptographic keys across users | true |
| PlatformSSO → AccountDisplayName | Display name shown to users | Microsoft Entra ID |
| PlatformSSO → AuthenticationMethod | Authentication method used by Platform SSO | Password |
| PlatformSSO → AllowDeviceIdentifiersInAttestation | Include device identifiers in attestation | true |
| PlatformSSO → FileVaultPolicy | Authentication behavior at FileVault unlock | AttemptAuthentication, Grace periods |
| PlatformSSO → LoginPolicy | Authentication behavior at macOS login | AttemptAuthentication, Grace periods |
| PlatformSSO → UnlockPolicy | Authentication behavior for unlock | AttemptAuthentication, Touch ID/Watch |
| PlatformSSO → AuthenticationGracePeriod | Online grace period (seconds) | 7200 |
| PlatformSSO → OfflineGracePeriod | Offline grace period (seconds) | 86400 |
| ExtensionData → browser_sso_interaction_enabled | Enable browser SSO interaction | true |
| ExtensionData → disable_explicit_app_prompt | Disable explicit app prompts | true |
| ExtensionData → AppPrefixAllowList | Allowed bundle ID prefixes | com.microsoft., com.apple. |
| RegistrationToken | Device registration token | DEVICEREGISTRATION |
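A baseline check that a practitioner can run against an exported .mobileconfig to confirm a deployed copy still pins the extension identity, mode, login endpoints and grace periods listed above; this is an added example, not Devicie's code or part of the policy. It assumes the settings map directly onto Apple's com.apple.extensiblesso payload keys, and the sample profile, the `check_platform_sso_profile` and `weakened_profile` functions and the placeholder Team ID `EXAMPLE123` are all constructed here.

```python
import plistlib
from copy import deepcopy

# Constructed sample: the com.apple.extensiblesso payload with the page's values. Payload* bookkeeping
# keys are omitted, and the *Policy values keep only the "AttemptAuthentication" token (assumption).
SAMPLE_PROFILE = {"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "TeamIdentifier": "UBF8T346G9", "Type": "Redirect", "ScreenLockedBehavior": "DoNotHandle",
    "URLs": ["https://login.microsoftonline.com", "https://login.microsoft.com",
             "https://sts.windows.net", "https://login-us.microsoftonline.com",
             "https://login.microsoftonline.us", "https://login.usgovcloudapi.net"],
    "PlatformSSO": {"UseSharedDeviceKeys": True, "AccountDisplayName": "Microsoft Entra ID",
                    "AuthenticationMethod": "Password", "AllowDeviceIdentifiersInAttestation": True,
                    "FileVaultPolicy": "AttemptAuthentication", "LoginPolicy": "AttemptAuthentication",
                    "UnlockPolicy": "AttemptAuthentication",
                    "AuthenticationGracePeriod": 7200, "OfflineGracePeriod": 86400},
    "ExtensionData": {"browser_sso_interaction_enabled": True, "disable_explicit_app_prompt": True,
                      "AppPrefixAllowList": "com.microsoft., com.apple."},
    "RegistrationToken": "DEVICEREGISTRATION",  # placeholder token, as on the page
}]}
SAMPLE_PROFILE_BYTES = plistlib.dumps(SAMPLE_PROFILE)  # what a .mobileconfig on disk looks like

# Baseline a deployed copy must match: extension identity and mode, login endpoints, grace periods.
PINNED = {"ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
          "TeamIdentifier": "UBF8T346G9", "Type": "Redirect", "ScreenLockedBehavior": "DoNotHandle"}
REQUIRED_URLS = set(SAMPLE_PROFILE["PayloadContent"][0]["URLs"])
MAX_GRACE = {"AuthenticationGracePeriod": 7200, "OfflineGracePeriod": 86400}

def check_platform_sso_profile(raw: bytes) -> list[str]:
    """Parse a .mobileconfig (XML or binary plist) and list every deviation from the baseline."""
    sso = next((p for p in plistlib.loads(raw).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"), {})
    findings = [f"{k}: expected {v!r}, got {sso.get(k)!r}" for k, v in PINNED.items() if sso.get(k) != v]
    if missing := REQUIRED_URLS - set(sso.get("URLs", [])):
        findings.append("URLs missing: " + ", ".join(sorted(missing)))
    platform = sso.get("PlatformSSO", {})
    if platform.get("AuthenticationMethod") != "Password":
        findings.append(f"PlatformSSO.AuthenticationMethod: {platform.get('AuthenticationMethod')!r}")
    for key, ceiling in MAX_GRACE.items():  # a longer grace period extends use of a stale password
        if not isinstance(platform.get(key), int) or platform[key] > ceiling:
            findings.append(f"PlatformSSO.{key}: {platform.get(key)!r} exceeds baseline {ceiling}")
    return findings

def weakened_profile() -> bytes:
    """Constructed counter-example: extension re-pointed to another Team ID, week-long offline grace."""
    bad = deepcopy(SAMPLE_PROFILE)
    bad["PayloadContent"][0]["TeamIdentifier"] = "EXAMPLE123"  # placeholder, not a real Team ID
    bad["PayloadContent"][0]["PlatformSSO"]["OfflineGracePeriod"] = 604800
    return plistlib.dumps(bad)
```

Run it against the profile exported from a managed Mac (or from Intune) rather than the sample; an empty list means the copy matches the baseline.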