macOS Platform Single Sign-on (PSSO) is a new feature, powered by Microsoft’s Enterprise SSO plug-in, Platform Credentials for macOS, that enables users to sign in to Mac devices using their Microsoft Entra ID credentials. This feature provides benefits for admins by simplifying the sign-in process for users and reducing the number of passwords they need to remember. It also allows users to authenticate with Microsoft Entra ID with a smart card or hardware-bound key. This feature improves the end-user experience because users don't have to remember two separate passwords, and it diminishes the need for admins to manage the local account password.
There are three different authentication methods that determine the end-user experience:
- Platform Credential for macOS: Provisions a secure enclave backed hardware-bound cryptographic key that is used for SSO across apps that use Microsoft Entra ID for authentication. The user’s local account password isn't affected and is required to sign in to the Mac.
- Smart card: The user signs in to the machine using an external smart card, or smart card-compatible hard token (for example, Yubikey). Once the device is unlocked, the smart card is used with Microsoft Entra ID to grant SSO across apps that use Microsoft Entra ID for authentication.
- Password as authentication method: Syncs the user’s Microsoft Entra ID password with the local account and enables SSO across apps that use Microsoft Entra ID for authentication.
Powered by the Microsoft Enterprise SSO plug-in for Apple devices, PSSO:
- Allows users to go passwordless by using Touch ID.
- Uses phishing-resistant credentials, based on Windows Hello for Business technology.
- Saves customer organizations money by removing the need for security keys.
- Advances Zero Trust objectives using integration with the Secure Enclave.
To enable it, an administrator needs to configure PSSO through Microsoft Intune or another supported MDM. Depending on how the device is configured, the end user can set up their device with PSSO via the secure enclave, smart card, or password-based authentication method.
Requirements
To deploy Platform SSO for macOS, you need to meet the following minimum requirements.
- A recommended minimum version of macOS 14 Sonoma. While macOS 13 Ventura is supported, we strongly recommend using macOS 14 Sonoma for the best experience.
- Microsoft Authenticator
- Microsoft Intune Company Portal app version 5.2404.0 or later installed. This version is required before users are targeted for PSSO.
- Users must have sufficient permissions to register and join devices to Microsoft Entra ID.
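The version requirements above can be checked on a device before users are targeted for PSSO. The following script is an added example, not part of the original article or a Microsoft tool: the function names `version_ge` and `psso_check` are hypothetical, and it assumes Company Portal is installed at `/Applications/Company Portal.app`.

```sh
#!/bin/sh
# Added example: checks the version requirements listed on this page.
# Function names are hypothetical; the Company Portal path is assumed.
REC_MACOS="14"          # macOS 14 Sonoma: recommended
MIN_MACOS="13"          # macOS 13 Ventura: supported
MIN_PORTAL="5.2404.0"   # Company Portal: required minimum

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    case "$1.$2" in *[!0-9.]*) return 2 ;; esac   # reject non-numeric input
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# psso_check MACOS_VERSION PORTAL_VERSION: print one verdict per requirement
# and return 0 only when both minimums are met.
psso_check() {
    os=$1 portal=$2 rc=0
    if version_ge "$os" "$REC_MACOS"; then echo "macos: ok ($os)"
    elif version_ge "$os" "$MIN_MACOS"; then echo "macos: supported, 14 recommended ($os)"
    else echo "macos: too old ($os)"; rc=1; fi
    if [ -z "$portal" ]; then echo "company-portal: not installed"; rc=1
    elif version_ge "$portal" "$MIN_PORTAL"; then echo "company-portal: ok ($portal)"
    else echo "company-portal: too old ($portal)"; rc=1; fi
    return $rc
}

# On a Mac, read the real values; on other systems this step is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    plist="/Applications/Company Portal.app/Contents/Info.plist"
    portal_ver=$(defaults read "$plist" CFBundleShortVersionString 2>/dev/null || true)
    psso_check "$(sw_vers -productVersion)" "$portal_ver" ||
        echo "PSSO version requirements not met" >&2
fi
```

The script covers only the two version requirements; Microsoft Authenticator and the user's permission to register and join devices to Microsoft Entra ID are not checked.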
Configuration
You can find more information and instructions on how to configure in these articles:
Note
If you are configuring Platform SSO for macOS devices using a 3rd party MDM, refer to the documentation provided by your MDM vendor for specific instructions on how to configure Platform SSO.
If you are a developer of a 3rd party MDM solution, refer to the Integrate macOS Platform Single Sign On (PSSO) into your MDM solution guide for more information on how to integrate PSSO into your MDM solution.
Deployment
You can find more information and instructions on how to deploy Platform SSO for macOS in these articles.
- Join a Mac device with Microsoft Entra ID during the out of box experience
- Join a Mac device with Microsoft Entra ID using Company Portal
Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources
macOS allows users to configure Platform SSO to support Kerberos-based SSO to on-premises and cloud resources, in addition to SSO to Microsoft Entra ID. Kerberos SSO is an optional capability within Platform SSO, but it's recommended if users still need to access on-premises Active Directory resources that use Kerberos for authentication.
To learn more, see Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources.
Graph API support
You can use the Microsoft Graph API to manage the PlatformCredential authentication method.
The following APIs are available:
- platformCredentialAuthenticationMethod resource type.
- List platformCredentialAuthenticationMethods.
- Delete platformCredentialAuthenticationMethod.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in managing cost-effective programs to protect their information and information systems.
Troubleshooting
If you experience issues when implementing macOS Platform SSO, refer to our documentation on macOS Platform single sign-on known issues and troubleshooting.