Configuring Platform SSO with Microsoft Entra ID

By Dennis King

Learn to configure Platform SSO with Microsoft Entra ID and Kandji

What is Platform SSO?

Platform SSO is a capability that allows users to sign in to their Mac devices using a hardware-bound key, smart card, or their IdP password. This feature enhances the Microsoft Enterprise SSO plug-in for Apple devices, providing single sign-on for Microsoft Entra ID accounts on macOS 14 and later.

Platform SSO with Microsoft Entra ID is currently in Preview. For more information, see Microsoft's macOS Platform Single Sign-on overview.

Add and Configure the Company Portal Auto App

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New on the top-right, and choose Microsoft Company Portal.
  3. Click Add & Configure.
  4. Assign to your desired Assignment Maps or Classic Blueprints.
  5. Optionally, configure Assignment Rules for Classic Blueprints.
  6. Set your Installation Method to Continuously Enforce.
  7. Specify your Version Enforcement settings.
  8. Save your Library Item.

Add and Configure a Login Window Library Item

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New on the top-right, and choose Login Window.
  3. Click Add & Configure.
  4. Give your Login Window Library Item a Name.
  5. Assign to your desired Assignment Maps or Classic Blueprints.
  6. Optionally, configure Assignment Rules for Classic Blueprints.
  7. Under User Visibility, set the radio button for Display username and password fields.
  8. Save your Library Item.

Add and Configure a Single Sign-on Extension Library Item

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New on the top-right, and choose Single Sign-on Extension.
  3. Click Add & Configure.
  4. Give the new Library Item a Name.
  5. Select Mac as the Install on platform.
  6. Assign to your desired Assignment Maps or Classic Blueprints.
  7. Optionally, configure Assignment Rules for Classic Blueprints.
  8. Under Extension type, select Redirect.
  9. For the Extension identifier, enter com.microsoft.CompanyPortalMac.ssoextension.
  10. Paste UBF8T346G9 into the Team identifier text box.
  11. Paste the following URLs into the URLs fields.
    • https://login.microsoftonline.com
    • https://login.microsoft.com
    • https://sts.windows.net
  12. Optionally, if using sovereign cloud domains, you will need to include additional URLs.
    • https://login.partner.microsoftonline.cn
    • https://login.chinacloudapi.cn
    • https://login.microsoftonline.us
    • https://login-us.microsoftonline.com
  13. Toggle the switch for Platform SSO.
  14. Select your Authentication Method. For information on which method to use for your organization, refer to Microsoft's support article.
  15. Set default permissions for Existing Users.
  16. Set default permissions for New Users.
  17. Check the box for Shared Device Keys.
  18. Enable Allow authorization (with identity provider account). This will allow users to interact with system authorization prompts using their Microsoft Entra ID credentials.
  19. If you want to automatically create local accounts for users, enable Allow creation of new users at login.
    To create a local account, the device must be connected to the internet at the login screen with FileVault unlocked, and Kandji must have a valid Bootstrap token for that device.
  20. Enter an Account display name.
  21. Specify the number of seconds after which to Require full login.
  22. In the Token mapping fields, enter preferred_username for the AccountName, and name for the FullName.
  23. If desired, configure Admin Groups, Additional Groups, and User Groups.
    Microsoft currently only supports using static Standard and Admin values for new and existing users.
    • Admin groups are groups from Microsoft Entra ID that should have administrator access on the device. These groups are used to grant elevated permissions to specific users.
    • Additional groups are custom groups you'd like to create in the device's local directory. These groups can be used to organize users and apply specific settings or permissions.
    • User groups are particularly useful, allowing you to map specific macOS system rights to custom groups created in the local directory. For example, you can use user groups to grant 'sudo' access or manage printer permissions.
  24. Save your configuration.
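Once the Library Item is saved, it is worth confirming that the profile the MDM actually delivers matches the steps above before trusting it for login. The script below is an added example, not Kandji's or Microsoft's code: it audits an exported .mobileconfig against the extension identifier, team identifier, redirect URLs and token mapping listed in this procedure. The Extensible SSO payload key names (ExtensionIdentifier, TeamIdentifier, Type, URLs, PlatformSSO, TokenToUserMapping) are assumed from Apple's payload specification, and the embedded sample profile is constructed with placeholder identifiers.

```python
import plistlib

# Values the article specifies for the Company Portal redirect extension.
EXPECTED_EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
EXPECTED_TEAM_ID = "UBF8T346G9"
REQUIRED_URLS = {"https://login.microsoftonline.com",
                 "https://login.microsoft.com", "https://sts.windows.net"}
EXPECTED_TOKEN_MAPPING = {"AccountName": "preferred_username", "FullName": "name"}

def audit_sso_payload(payload: dict) -> list[str]:
    """Check one com.apple.extensiblesso payload dict; key names assumed from Apple's spec."""
    findings = []
    if payload.get("Type") != "Redirect":
        findings.append("Type must be Redirect")
    if payload.get("ExtensionIdentifier") != EXPECTED_EXTENSION_ID:
        findings.append("ExtensionIdentifier is not the Company Portal extension")
    if payload.get("TeamIdentifier") != EXPECTED_TEAM_ID:
        findings.append("TeamIdentifier is not Microsoft's team identifier")
    urls = set(payload.get("URLs", []))
    for url in sorted(REQUIRED_URLS - urls):
        findings.append(f"missing redirect URL {url}")
    findings += [f"non-HTTPS redirect URL {u}" for u in sorted(urls) if not u.startswith("https://")]
    psso = payload.get("PlatformSSO")
    if not isinstance(psso, dict):
        findings.append("PlatformSSO dictionary absent: Platform SSO not enabled")
        return findings
    if psso.get("TokenToUserMapping") != EXPECTED_TOKEN_MAPPING:
        findings.append("TokenToUserMapping should use preferred_username and name")
    return findings

def audit_profile(mobileconfig: bytes) -> dict[str, list[str]]:
    """Audit every Extensible SSO payload in a .mobileconfig, keyed by PayloadIdentifier."""
    profile = plistlib.loads(mobileconfig)
    return {item.get("PayloadIdentifier", "?"): audit_sso_payload(item)
            for item in profile.get("PayloadContent", [])
            if item.get("PayloadType") == "com.apple.extensiblesso"}

# Constructed sample (placeholder identifiers) that omits sts.windows.net to show drift reporting.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "example.psso.profile",
    "PayloadContent": [{
        "PayloadType": "com.apple.extensiblesso", "PayloadIdentifier": "example.psso.sso",
        "Type": "Redirect", "ExtensionIdentifier": EXPECTED_EXTENSION_ID,
        "TeamIdentifier": EXPECTED_TEAM_ID,
        "URLs": ["https://login.microsoftonline.com", "https://login.microsoft.com"],
        "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey", "UseSharedDeviceKeys": True,
                        "EnableAuthorization": True, "TokenToUserMapping": dict(EXPECTED_TOKEN_MAPPING)},
    }],
})
```

Feed audit_profile the bytes of a .mobileconfig exported from the MDM; an empty findings list for a payload means it matches the documented settings.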