Exploring Device Management.
23 December 2024
In the ever-evolving landscape of enterprise security and device management, Microsoft Intune continues to innovate. One of the latest enhancements is the Platform SSO for macOS, designed to make using macOS devices more seamless and secure than ever before.
Platform SSO builds upon the existing SSO Extension capabilities for macOS, allowing users to sign into their Macs using passwordless credentials or traditional passwords managed and validated by Microsoft Entra ID. But it doesn’t stop there—this enhancement takes it a step further.
To start configuring the new Platform SSO feature, we need to create a new settings catalog profile for macOS. First, define a name for the profile:
Then, in the settings catalog, search for "Authentication" and add the following options:
I’ve added the configurations here so that you can copy them into your configuration profile:
| Setting | Value |
| --- | --- |
| Extension Identifier | com.microsoft.CompanyPortalMac.ssoextension |
| Authentication Method | Password |
| User Authorization Mode | Standard |
| Registration Token | |
| Team Identifier | UBF8T346G9 |
| Type | Redirect |
| URLs | https://login.microsoftonline.com https://login.microsoft.com https://sts.windows.net https://login.partner.microsoftonline.cn/ https://login.chinacloudapi.cn/ https://login.microsoftonline.us/ https://login-us.microsoftonline.com/ |
Those settings can also be found in Microsoft Learn.
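To check an exported profile against the table above, the following added example (not from the original post or from Microsoft) audits the SSO extension payload of a .mobileconfig file. It assumes the settings catalog entries map to Apple's `com.apple.extensiblesso` payload keys named in the code, and it runs on a constructed sample profile.

```python
import plistlib

# Expected values are the ones in the settings table on this page.
# Key names are assumed to match Apple's com.apple.extensiblesso payload.
EXPECTED = {
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "TeamIdentifier": "UBF8T346G9",
    "Type": "Redirect",
}
EXPECTED_PSSO = {"AuthenticationMethod": "Password", "UserAuthorizationMode": "Standard"}
EXPECTED_URLS = {
    "https://login.microsoftonline.com", "https://login.microsoft.com",
    "https://sts.windows.net", "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn", "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
}

def norm(url):
    # The table mixes URLs with and without a trailing slash; compare without it.
    return url.strip().rstrip("/").lower()

def audit_profile(raw):
    """Return a list of deviations from the table; an empty list means a match."""
    profile = plistlib.loads(raw)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    findings = []
    for p in payloads:
        psso = p.get("PlatformSSO", {})
        for src, want in ((p, EXPECTED), (psso, EXPECTED_PSSO)):
            for key, value in want.items():
                if src.get(key) != value:
                    findings.append(f"{key}: expected {value!r}, found {src.get(key)!r}")
        urls = {norm(u) for u in p.get("URLs", [])}
        findings += [f"URLs: missing {u}" for u in sorted(EXPECTED_URLS - urls)]
        # An extra URL widens what the extension intercepts, so flag it too.
        findings += [f"URLs: unexpected {u}" for u in sorted(urls - EXPECTED_URLS)]
    return findings

def sample_profile(**overrides):
    # Constructed sample payload, not an export from a real tenant.
    payload = dict(EXPECTED, PayloadType="com.apple.extensiblesso",
                   PlatformSSO=dict(EXPECTED_PSSO),
                   URLs=[u + "/" for u in sorted(EXPECTED_URLS)])
    payload.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    drifted = sample_profile(TeamIdentifier="ABCDE12345",
                             URLs=["https://login.microsoftonline.com"])
    for line in audit_profile(drifted) or ["profile matches the table"]:
        print(line)
```

A wrong Team Identifier or an unexpected URL is the finding to act on first, since those two values decide which signed extension handles which sign-in endpoints.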
Now that everything is set up and applied to our devices, users will first see this prompt in the top right corner, where macOS shows push notifications:
When hovering with the mouse over the notification, we get this "Register" button. Please click on it to initiate the process:
Now we need to authenticate with our local credentials as this is going to perform a password change:
Now sign in to Entra ID to set up the user connection:
Wait a few seconds for the process to finish:
Now this prompt will already be filled with your UPN, and you need to enter your Entra ID password again:
Once you've clicked on "Sign In", 1 or 2 seconds later macOS will tell you that your password has been updated and synced with your Entra ID account:
And now we are good to go. The next time you log on to the device locally, you will be able to use your Entra ID password and only have to remember one password – like we did for years on Windows devices.
But there is one more benefit that you get from using Platform SSO on macOS…
Single sign-on to Microsoft web services in the browser – just try it out once after you have logged in again with your Entra account credentials by navigating to https://outlook.office365.com and you will see that it will automatically sign you in 🙂
-> Funny thing: in the early days of Platform SSO it said "Login using Windows", as it looks on a Windows device, but that might get fixed anytime later.
For me, Platform SSO is a huge step forward in macOS account management and general enterprise management. By enabling passwordless authentication, streamlining onboarding, and integrating seamlessly with the familiar macOS environment, it empowers users while enhancing security. As we move toward a passwordless future, Platform SSO for macOS stands as a testament to Microsoft’s commitment to innovation, user experience, and robust security. Stay tuned for the upcoming public preview, which will work seamlessly with Microsoft Intune, and watch as other MDM providers follow suit.
Remember, with Platform SSO, your macOS devices become not just tools but trusted allies in your organization’s journey toward a more secure and efficient digital workplace.