Deploying Platform SSO using Intune
In this article, I'll provide the steps to configure Platform SSO using the password authentication method, information about the Enterprise SSO App Extension, and some troubleshooting tips from issues I've faced.
What Happens After I Deploy Platform SSO?
Once a device completes the Platform SSO registration process, the following happens:
Password Synchronization: Platform SSO (PSSO) syncs the user's local login password with Entra ID, meaning you don't have to use Directory Utility, the user does not have to be on the corporate network for their password to sync, and there are fewer passwords the user has to remember.
SSO with Applications: After enabling and configuring the Enterprise SSO app extension plugin, users get SSO in supporting applications and web browsers.
Entra ID Joined Status: Previously, macOS devices had the device state of Entra ID Registered in Entra ID. Upon completion of Platform SSO, devices change their status to Entra ID Joined and receive a workplace join certificate, which is used by conditional access policies.
What is the Enterprise SSO App Extension?
While configuring and researching Platform SSO, you will see the following terms: Enterprise SSO App Extension and Enterprise SSO Plugin. For example, see the quote from Microsoft below:
The Microsoft Enterprise SSO plug-in in Microsoft Entra ID includes two SSO features - Platform SSO and the SSO app extension.
What are App Extensions?
First, let's review what an app extension is. Apple allows applications to extend their functionality and data outside of themselves by providing the app extension framework. Simply put, the framework enables applications to offer their content and services to other apps. The Authentication Services app extension framework allows an application to provide its redirect SSO or credential SSO services to other applications so the user doesn't have to enter the same credentials in each application.
What is Microsoft's SSO App Extension?
When the Company Portal application is installed on a device, the enterprise SSO plugin is also installed. Microsoft created an app extension for their Enterprise SSO plugin for the purpose of SSO. Here is how it works:
Microsoft uses Apple's authentication services app extension framework to redirect applications' or websites' login requests to the Microsoft Enterprise SSO plugin (installed when you install the Company Portal app).
The Microsoft Enterprise SSO plugin will then facilitate the login process with the IDP and send back the response and tokens.
Knowing this, we can better understand the quote above. The Microsoft Enterprise SSO plug-in is installed when the Intune Company Portal application is installed. By having the plugin installed on a macOS device, you can now deploy and configure Platform SSO (the ability to sync your local login password with the user's Entra ID password) and the SSO app extension (the plugin's app extension that facilitates the login process for other apps and websites, providing an SSO experience for the user).
Deployment Process
Part 1: Prerequisites
Before deploying Platform SSO to your macOS devices, ensure that the following requirements are met:
Devices are running macOS 13.0 or newer.
Devices have version 5.2404.0 or newer of the Intune Company Portal app installed.
Devices are enrolled in Intune.
Part 2: Deploy the latest version of the Company Portal App
I know this is a prerequisite, but now would be a good time to double-check that all your targeted macOS devices have version 5.2404.0 or newer of the Intune Company Portal app. Download the latest version from Microsoft before continuing.
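To verify the Part 1 and Part 2 prerequisites on a Mac before assigning the profile, here is an added pre-flight script (not from the original post or from Microsoft). It assumes the Company Portal app is installed at /Applications/Company Portal.app and that `profiles status -type enrollment` reports MDM enrollment; the version thresholds are the ones stated above.

```shell
#!/bin/sh
# Added pre-flight check for the Platform SSO prerequisites (Parts 1 and 2).
# Version thresholds are the ones the article states; the Company Portal
# install path and the use of `profiles status` are assumptions.
MIN_MACOS="13.0"
MIN_CP="5.2404.0"
CP_PLIST="/Applications/Company Portal.app/Contents/Info.plist"   # assumed path

# version_ge A B: return 0 if dotted version A >= B, comparing field by field.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# evaluate_prereqs OSVER CPVER MDMSTATUS: print one line per check and return
# the number of failed checks (0 means the device meets Part 1).
evaluate_prereqs() {
  failed=0
  if version_ge "$1" "$MIN_MACOS"; then echo "OK   macOS $1 (need $MIN_MACOS+)"
  else echo "FAIL macOS $1 (need $MIN_MACOS+)"; failed=$((failed + 1)); fi
  if [ -n "$2" ] && version_ge "$2" "$MIN_CP"; then echo "OK   Company Portal $2 (need $MIN_CP+)"
  else echo "FAIL Company Portal ${2:-not installed} (need $MIN_CP+)"; failed=$((failed + 1)); fi
  case $3 in
    Yes*) echo "OK   MDM enrolled ($3)" ;;
    *) echo "FAIL device is not MDM enrolled"; failed=$((failed + 1)) ;;
  esac
  return $failed
}

# Gather live values from this Mac; only meaningful on macOS, so skipped elsewhere.
main() {
  osver=$(sw_vers -productVersion)
  cpver=$(defaults read "$CP_PLIST" CFBundleShortVersionString 2>/dev/null)
  # `profiles status -type enrollment` prints a line like "MDM enrollment: Yes (User Approved)".
  mdm=$(profiles status -type enrollment 2>/dev/null | awk -F': ' '/MDM enrollment/ {print $2}')
  evaluate_prereqs "$osver" "$cpver" "$mdm"
}
if [ "$(uname)" = "Darwin" ]; then main; fi
```

The exit status is the number of failed checks, so the script can gate a deployment step in a larger workflow.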
Part 3: Create the Platform SSO Configuration Profile
Launch the Intune portal.
Navigate to Devices > macOS > Configuration.
Select +Create and then select +New Policy.
Platform: macOS
Profile Type: Settings Catalog
Select Create.
Name the configuration profile and optionally add a description.
On the Configuration Settings page, select + Add settings.
Expand Authentication and select Extensible Single Sign On (SSO).
In the list of configuration settings, check the box next to the following items:
Authentication Method (Deprecated) (select this if you have devices running macOS 13)
Extension Identifier
Expand Platform SSO:
Select Authentication Method (select this if you have devices running macOS 14 or newer)
Select Token To User Mapping
Select Use Shared Device Keys
Registration Token
Screen Locked Behavior
Team Identifier
Type
URLs
Close the settings picker by selecting the X icon in the top right corner.
Based on Microsoft's documentation, we selected the settings above to deploy Platform SSO and activate the Enterprise SSO app extension; there are more settings you can configure, however. Also, please note that the Platform SSO configuration profile can be deployed simultaneously to both macOS 13 and macOS 14+ devices in your environment. Be sure to select and configure both Authentication Method (Deprecated) and Authentication Method.
Below are the settings we just picked and the values Microsoft specifies for each:
Name | Configuration value | Description
--- | --- | ---
Authentication Method (Deprecated) | Password | (macOS 13 only)
Extension Identifier | com.microsoft.CompanyPortalMac.ssoextension | Copy and paste this value in the setting. This ID is the SSO app extension that the profile needs for SSO to work. The Extension Identifier and Team Identifier values work together.
Platform SSO > Authentication Method | Password | (macOS 14+)
Platform SSO > Use Shared Device Keys | Enabled | (macOS 14+) When enabled, Platform SSO uses the same signing and encryption keys for all users on the same device.
Registration Token | {{DEVICEREGISTRATION}} | Copy and paste this value in the setting. You must include the curly braces. To learn more about this registration token, see Microsoft's Configure Microsoft Entra device registration documentation.
Screen Locked Behavior | Do Not Handle | When set to Do Not Handle, the request continues without SSO.
Token To User Mapping > Account Name | preferred_username | Copy and paste this value in the setting. This mapping specifies that the Entra preferred_username attribute value is used for the macOS account's Account Name value.
Team Identifier | UBF8T346G9 | Copy and paste this value in the setting. This identifier is the team identifier of the Enterprise SSO plug-in app extension.
Type | Redirect | 
URLs | https://login.microsoftonline.com (if your environment needs to allow sovereign cloud domains, like Azure Government or Azure China 21Vianet, also add https://login.partner.microsoftonline.cn and https://login.chinacloudapi.cn) | These URL prefixes are the identity providers that perform SSO for app extensions. The URLs are required for redirect payloads and are ignored for credential payloads. For more information on these URLs, see Microsoft Enterprise SSO plug-in for Apple devices.
Once done, you should see something similar to this:
Once finished, select Next.
Optionally, select scope tags.
Add the appropriate assignment and Review + Create the profile.
Part 4: Unassign any Previously Deployed SSO App Extension Profiles
If you previously created and deployed the SSO App Extension configuration profile, you must unassign it from the devices assigned to the Platform SSO configuration profile. If you are unsure whether you deployed the SSO App Extension profile, see the "What is the Enterprise SSO App Extension?" section above for a refresher on what it is.
Part 5: The Registration Process
Once you've created and assigned the Platform SSO configuration profile to your enrolled devices, users will see a registration notification the next time their devices check in (see image below).
Users must select this notification, enter their Entra ID password, and provide MFA (if needed).
The users will then see a Single Sign-On window; they'll enter their local login password here.
Finally, the users may see a Microsoft Entra window; they'll enter their Entra ID password here.
Once done, the end users should log out and then log back in. Their login password should now be the same as their Entra ID password. Also, the device will receive a PRT (primary refresh token) after logging out and then in; the PRT will be used by the SSO app extension plugin to prevent the user from having to continually provide their credentials.
Troubleshooting Platform SSO
If the PSSO registration process fails, or if PSSO is set but the user is getting constant popups after a password reset event and the passwords aren't syncing, try using the troubleshooting steps below:
Issue: the Microsoft Entra authentication window shakes
If the Microsoft Entra authentication window shakes after a user inputs their Entra ID password during the Platform SSO registration process or after a password reset, follow the steps below to troubleshoot:
First, ensure the user is typing in their current Entra ID password.
Next, if you previously used Directory Utility to add the computer to Active Directory, ensure the following criteria are met both before the PSSO registration process and afterwards, whenever a password reset occurs:
The device can contact the AD server (if users are remote, they may need to connect to a VPN).
The device is still an object within AD. (If the device was removed from AD, then rejoin it using Directory Utility).
Issue: your password does not meet the local password policy requirements
You may receive the error message below if the user's current Entra ID password does not meet the requirements of a local password policy. Because it doesn't meet those requirements, the Entra ID password cannot be set as the local login password.
If the account is a mobile directory account, then the local password policy is most likely set in Group Policy.
Also, you may be deploying a local password policy via Intune.
To resolve this error, either ask the user to use a password that will meet the requirements of both password policies or change the local password policy to match the requirements of Entra ID.
Issue: the login password is not syncing with Entra ID
According to Microsoft, the PSSO registration process may fail if the user is prompted for MFA in the last Microsoft Entra window.
If a user has per-user MFA enabled on the account where PSSO is being set up, you won't be able to enter Microsoft Entra ID credentials in the next steps, causing an error. To avoid this error, admins should ensure they have Conditional Access MFA enabled in accordance with Microsoft Entra ID recommendations. This suppresses MFA during enrollment so that password synchronization can be completed successfully. — Microsoft
Ensure the user does not have Per-User MFA enabled on their account.
Launch the Entra ID portal.
Navigate to Users > All Users.
Search for the user and select the checkbox next to their name.
In the menu bar, select Per-user MFA.
This will open the Per-user MFA page. Search for the user again and ensure their per-user MFA status is disabled.
Review your conditional access policies to ensure the user doesn't have to provide MFA during each authentication prompt. Remember that you may have multiple policies depending on location, device ownership, etc.
Export and Review the SSO Logs
If none of the steps above resolve the issue, try exporting and reviewing the logs related to SSO. Open Terminal and run the command below, replacing the file path as needed.
sudo log show --predicate 'subsystem == "com.apple.AppSSO"' > ~/Desktop/PSSOLogs.txt