Microsoft Enterprise Platform Single Sign-on for macOS

What

With Platform Single Sign-on (Platform SSO), ~~developers~~we can ~~build~~utilize SSO extensions that extend to the macOS login window, allowing users to synchronize local account credentials with an identity provider (IdP). In this case, we are combining what is provided here: Microsoft Enterprise S... | FileWave KB with Platform Single Sign-on for macOS - Apple Support. The local account password is automatically kept in ~~sync,~~sync after this configuration, so the cloud password and local passwords will match. Users ~~can~~will also still be able unlock their Mac with Touch ID and Apple Watch. The end result will allow the user to login with their Entra ID and password or their local account username with their synced Entra ID's password.

When/Why

~~Now~~An Administrator who is managing a fleet of MacBooks may want to use this for another level of security or for taking advantage of the full integration that wemacOS ~~know~~now ~~what~~offers ~~this~~with ~~function~~SSO. isYou ~~used~~are ~~for,~~offered ~~when/why~~the ~~would~~same webenefits ~~use~~as ~~it?~~listed in: Microsoft Enterprise S... | FileWave KB except with the added layer of further syncing the local account with your identity provider account.

How

~~And~~Below ~~now,~~are ~~since~~the wefollowing ~~know~~requirements ~~everything~~and ~~else,~~configuration ~~how~~creation dosteps wefor deployment.

Platform SSO Requirements:

macOS 13 or later

A mobile device management (MDM) solution that supports the Extensible Single Sign-on payload which includes support for Platform SSO (enrolled in FileWave via DEP or User approved enrollment in our case).

Support from the IdP for the Platform SSO authentication protocol

One of two supported authentication methods:
- Authentication with a Secure Enclave–backed key: With this method, a user who logs in to their Mac can use ~~this~~a ~~function~~Secure Enclave–backed key to doauthenticate ~~something~~with ~~special?~~the IdP without a password. The Secure Enclave key is set up with the IdP during the user registration process.
- Password authentication: With this method, a user authenticates with a local password or an IdP password.

Note: If the Mac is unenrolled from the MDM solution, it’s also unregistered from the IdP.

macOS

Insert here links to any articles that relate to this content.

Digging Deeper

Want to provide more detail or other examples? Want to wax poetic? Do that here, and keep the top of these documents crisp and clean.