Extensible SSO for Microsoft Entra – Addigy

Addigy Identity and Extensible SSO can be leveraged to achieve directory connectivity without needing to bind user accounts to Active Directory.

For an in-depth explanation of the points discussed in this article, as well as a live demo, view our Webinar: Identity Management for macOS: Going Beyond Active Directory

Addigy Identity

Addigy Identity allows end-users to use their Identity Provider (IdP) credentials to create and authenticate into local accounts. To learn more about Addigy Identity, check out our knowledge base articles:

SSO Extensible MDM Profile

Provides SSO for IdP accounts across all applications/browsers that support the Apple Enterprise SSO feature
Can be enabled via MDM
Extends SSO to applications that don’t yet use IdP libraries
Extends SSO to applications that use OAuth 2, OpenID, Connect, and SAML

Entra and Microsoft Enterprise SSO Plug-in

To use the Microsoft Enterprise SSO plug-in, devices must support and have installed an application that has the Microsoft SSO plug-in for Apple devices. For macOS, this is the Intune Company Portal App.

Note: the Company Portal App does not need to be accessed by end-users. The installation alone is sufficient.

Configuring the MDM Profile

To view an example Single Sign-On Extensions MDM profile, please see our webinar, linked above. When configuring the profile, note the following:

Single Sign-On Extensions URLs

https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.de
https://login.microsoftonline.us
https://login-us.microsoftonline.com

Type

Redirect

TeamIdentifier

UBF8T346G9

ExtensionIdentifier

com.microsoft.CompanyPortalMac.ssoextension

Workflow

Configure Addigy Identity in a policy.
Configure Single Sign-On Extensions MDM Profile via Addigy Catalog.
Upload the Company Portal App as a Smart Software item.
Add the MDM Profile and Smart Software to a policy.

After deploying the policy, users will be able to authenticate into their devices via their IdP provider, using Addigy Identity. After signing into a Microsoft service via SSO, users will also be authenticated into their other Microsoft services.

A note on browser support

For Microsoft Entra SSOe Chrome has an extension to support this function and it may need if you are using Chrome under v135 the extension can be found here:

https://chromewebstore.google.com/detail/microsoft-single-sign-on/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en

Starting with Chrome v135+ the SSOe support is native

https://support.google.com/chrome/a/answer/15066402?hl=en#:~:text=On%20macOS%2C%20Chrome%20135%20and%[…]ingle%20Sign%20On%20(SSO)%20extension.%C2%A0

Firefox needs to be on v132 or higher for native SSOe support:
https://bugzilla.mozilla.org/show_bug.cgi?id=1768724

Safari supports SSOe out of the box on macOS

Extensible SSO - Profile values example

Extension ID: com.microsoft.CompanyPortalMac.ssoextension
Type: Redirect
Team ID: UBF8T346G9
URLs
- https://login.microsoftonline.com
- https://login.microsoft.com
- https://sts.windows.net
- https://login.partner.microsoftonline.cn
- https://login.chinacloudapi.cn
- https://login.microsoftonline.us
- https://login-us.microsoftonline.com
Extension Data: Microsoft
- App Allow List
  - com.apple.Safari
  - com.addigy.MacManage
  - com.microsoft.CompanyPortalMac
  - If Chrome is used
    - com.google.Chrome
- App Prefix Allow List
  - com.apple.
  - com.addigy.
  - com.microsoft.
  - If Chrome is used
    - com.google.
- Browser SSO Interaction Enabled
  - enabled = On