Platform SSO for macOS devices in Microsoft Intune

4 min. read. Last update: 08.31.2024

On your macOS devices, you can configure Platform SSO to enable single sign-on (SSO) using passwordless authentication, Microsoft Entra ID user accounts, or smart cards. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in and the SSO app extension. Platform SSO can sign users into their managed Mac devices using their Microsoft Entra ID credentials and Touch ID.

Some benefits of Platform SSO include:

  • Includes the SSO app extension. You don't configure the SSO app extension separately.
  • Go passwordless with phishing-resistant credentials that are hardware-bound to the Mac device.
  • The sign-in experience is similar to signing into a Windows device with a work or school account, like users do with Windows Hello for Business.
  • Helps minimize the number of times users need to enter their Microsoft Entra ID credentials.
  • Helps reduce the number of passwords users need to remember.
  • Get the benefits of Microsoft Entra join, which allows any organization user to sign into the device.
  • Included with all Microsoft Intune licensing plans.

When Mac devices join a Microsoft Entra ID tenant, the devices get a workplace join (WPJ) certificate that is hardware-bound and only accessible by the Microsoft Enterprise SSO plug-in. To access resources protected using Conditional Access, apps and web browsers need this WPJ certificate. With Platform SSO configured, the SSO app extension acts as the broker for Microsoft Entra ID authentication and Conditional Access.

Platform SSO can be configured using the settings catalog. When the policy is ready, you assign the policy to your users. Microsoft recommends you assign the policy when the user enrolls the device in Intune. But it can be assigned at any time, including on existing devices.

Secure Enclave

When you configure Platform SSO with the Secure Enclave authentication method, the SSO plug-in uses hardware-bound cryptographic keys. It doesn't use the Microsoft Entra credentials to authenticate the user to apps and websites.

With the Secure Enclave authentication method, Platform SSO:

  • Is considered password-less and meets phishing-resistant multifactor authentication (MFA) requirements. It's conceptually similar to Windows Hello for Business. It can also use the same features as Windows Hello for Business, like Conditional Access.
  • Leaves the local account username and password as-is. These values aren't changed.

    Note

    This behavior is by design due to Apple's FileVault disk encryption, which uses the local password as the unlock key.


Password

When you configure Platform SSO with the Password authentication method, users sign in to the device with their Microsoft Entra ID user account instead of their local account password.

This option enables SSO across apps that use Microsoft Entra ID for authentication.

With the Password authentication method:

  • The Microsoft Entra ID password replaces the local account password, and the two passwords are kept in sync.
  • The local account username isn't changed and stays as-is.
  • End users can use Touch ID to sign in to the device.
  • There are fewer passwords for users and admins to remember and manage.
  • Users must enter their Microsoft Entra ID password after a device reboots. After this initial machine unlock, Touch ID can unlock the device.
  • After the unlock, the device gets the hardware-bound Primary Refresh Token (PRT) credential for Microsoft Entra ID SSO.

The local account machine password isn't completely removed from the device. This behavior is by design due to Apple's FileVault disk encryption, which uses the local password as the unlock key.
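As an added example (not code from this article or from Microsoft), the Python audit below parses a Platform SSO configuration profile and reports which of the two authentication methods described above it selects, whether that method is password-less, and whether the local account password will be synced with the Entra ID password. It assumes the Apple `com.apple.extensiblesso` payload keys (`PlatformSSO`, `AuthenticationMethod`, `Type`) and the Microsoft Enterprise SSO plug-in identifiers (`com.microsoft.CompanyPortalMac.ssoextension`, team `UBF8T346G9`); the embedded profile is constructed for the example.

```python
import plistlib

# Assumed identifiers (not taken from this page): Microsoft's Enterprise SSO
# plug-in bundle and team IDs, and Apple's Platform SSO AuthenticationMethod values.
MS_SSO_EXTENSION = "com.microsoft.CompanyPortalMac.ssoextension"
MS_TEAM_ID = "UBF8T346G9"
PHISHING_RESISTANT = {"UserSecureEnclaveKey", "SmartCard"}
VALID_METHODS = PHISHING_RESISTANT | {"Password"}

# Constructed sample profile: Secure Enclave method, Microsoft SSO extension.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.microsoft.CompanyPortalMac.ssoextension</string>
    <key>TeamIdentifier</key><string>UBF8T346G9</string>
    <key>Type</key><string>Redirect</string>
    <key>URLs</key><array><string>https://login.microsoftonline.com</string></array>
    <key>PlatformSSO</key><dict>
      <key>AuthenticationMethod</key><string>UserSecureEnclaveKey</string>
    </dict>
  </dict></array>
</dict></plist>"""


def audit_platform_sso(profile_bytes: bytes) -> dict:
    """Parse a .mobileconfig plist and summarise its Platform SSO posture."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(payloads) != 1:
        return {"ok": False, "method": None,
                "findings": [f"expected 1 extensible SSO payload, found {len(payloads)}"]}
    p = payloads[0]
    # The broker must be the Microsoft plug-in, otherwise no WPJ-backed PRT/SSO.
    if p.get("ExtensionIdentifier") != MS_SSO_EXTENSION or p.get("TeamIdentifier") != MS_TEAM_ID:
        findings.append("extension is not the Microsoft Enterprise SSO plug-in")
    if p.get("Type") != "Redirect":
        findings.append("Platform SSO requires a Redirect-type extension")
    method = p.get("PlatformSSO", {}).get("AuthenticationMethod")
    if method not in VALID_METHODS:
        findings.append(f"unknown or missing AuthenticationMethod {method!r}")
    return {
        "ok": not findings,
        "method": method,
        "passwordless": method in PHISHING_RESISTANT,   # Secure Enclave / smart card
        "local_password_synced": method == "Password",  # Entra password replaces local one
        "findings": findings,
    }
```

Run `audit_platform_sso(SAMPLE_PROFILE)` to see the Secure Enclave result; swapping the method string to `Password` flips `local_password_synced` to `True`.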
