This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.
Today we’re announcing that Platform SSO for macOS is available in public preview with Microsoft Entra ID. Platform SSO is an enhancement to the Microsoft Enterprise SSO plug-in for Apple devices that makes usage and management of Mac devices more seamless and secure.
At the start of public preview, Platform SSO will work with Microsoft Intune. Additional mobile device management (MDM) providers will be added during the public preview. Please contact your MDM provider for more information on support and availability.
As part of this release, we’re introducing Microsoft Entra Join for macOS. This feature uses the Enterprise SSO plug-in to create a hardware-bound device record in Entra ID. Entra Join requires the use of an Entra ID organizational account.
In addition, we’re making three new ways to authenticate available, all configurable with MDM and available as part of Microsoft Entra ID Free:
- Passwordless authentication with Secure Enclave: Like Windows Hello for Business, this method allows the user to interactively sign in to the desktop with their local account and password. Once the user signs in, a hardware-bound cryptographic key stored in the device’s Secure Enclave can be used as a trusted credential with Entra ID, giving the user SSO across applications that use Entra ID for authentication. This method allows users to go passwordless with Touch ID to unlock their device and be signed into Entra ID under the hood using a device-bound key. It can save organizations money by removing the need to purchase security keys, card readers, or other hardware. For information on our security and compliance standards, please see this guide.
- Passwordless authentication with smart cards: With this method, the user signs into the Mac using an external smart card (or smart-card-compatible hard token like Yubikey). Once the device is unlocked, the smart card is further used with Entra ID to grant SSO across apps that use Entra ID for authentication.
- Password synchronization with the local account: This method enables the user to interactively sign into the local machine account with their Entra ID password, granting SSO across apps that use Entra ID. The user no longer needs to remember separate passwords, and any changes to the Entra ID password are synchronized to the local machine.
Getting started
Starting today, you’ll find updated documentation and tutorials for Platform SSO for MacOS on Microsoft Learn to guide you through setup, deployment, usage, and troubleshooting.
If you haven’t already, you’ll want to take the following steps to help your organization prepare:
- Update devices to use Company Portal 5.2404.0 or newer.
- Deploy the Enterprise SSO plug-in.
- Ensure users are registered for Microsoft Entra multifactor authentication. For the best experience, we recommend using Microsoft Authenticator.
- For Google Chrome users, install the Microsoft Single Sign On extension.
- Update macOS devices to macOS 13** (Ventura) or later. MacOS 14 (Sonoma) is recommended for the best user experience and feature set.
** Note that migration from non-shared keys on macOS 13 to shared keys (supported on macOS 14+) requires user re-registration of the device.
Even more capabilities on the way
Through incremental releases over public preview, we’ll gradually introduce additional controls, reports, audit, and sign–in logging capabilities, plus APIs in Microsoft Graph to configure, query, and manage them. Please note that like Windows Hello for Business, some features may require a premium Entra ID license.
Brian Melton-Grace
Senior Product Manager, Microsoft
Read more on this topic
Learn more about Microsoft Entra
Prevent identity attacks, ensure least privilege access, unify access controls, and improve the experience for users with comprehensive identity and network access solutions across on-premises and clouds.