Microsoft Entra (Azure) device-wide single sign-on for Macs
Earlier this year Microsoft released its Enterprise SSO plug-in for Apple’s Extensible Single Sign-on extension. The configuration is delivered via a profile or an MDM solution such as JAMF and allows Apple Mac users to leverage single sign-on for Microsoft apps and websites.
This plug-in is limited to SSO capabilities after the user logs in and cannot be used to securely log in to the Mac with a 365/Entra ID. Users who require this can still use JAMF Connect, which allows MS 365 MFA but will not allow SSO with Touch ID.
This is all about to change with the announcement that Microsoft will extend the capabilities of the SSO plug-in to support Platform SSO for the Mac, allowing Mac users to log in to their Mac using their 365/Entra ID and leverage platform-wide SSO. Touch ID is supported, finally bringing biometric login to the Mac using a centralised account directory, as Windows users have had for some time with Windows Hello for Business.
As with JAMF Connect, the 365 account will map to a local account, avoiding the problems Active Directory Binding causes.
Microsoft Platform SSO is currently in public preview and limited to Intune, but Microsoft has announced that other MDM providers such as JAMF will be supported on release.