What is Microsoft Platform SSO?
Microsoft Platform Single Sign-On (PSSO) is a feature that allows macOS users to sign in using their Microsoft Entra ID credentials at the macOS login screen. Once signed in, their authentication carries over into Microsoft apps and services without requiring repeated logins.
PSSO simplifies device access by securely linking macOS authentication to Microsoft’s cloud-based identity platform. This reduces the need for multiple passwords, improves security, and provides a seamless user experience.
This guide focuses on setting up Microsoft Platform SSO with Entra ID in Addigy.
Table of Contents
- Platform SSO Requirements
- Setting Up Microsoft Platform SSO in Addigy
- Verifying and Troubleshooting Microsoft Platform SSO
- Summary
- Additional Resources
Platform SSO Requirements
Before you configure Platform SSO, ensure you meet the following requirements:
Component Requirements
- macOS: Microsoft recommends using macOS 13 or later for the best experience.
- MDM Profile: Configure Extensible SSO MDM Profile with Platform SSO configured. Also include the Associated Domains MDM Profile.
- eSSO App Extension: The associated app must support PSSO and list all IdP URLs.
- IdP PSSO Application: Use Company Portal version 5.2404.0 or later.
- Company Portal Installation: Must be installed in /Applications, but does not need to be logged in.
- Virtual Machines: PSSO cannot be tested in virtual machines.
Network Requirements
Ensure the following URLs are allowed on your network:
- app-site-association.cdn-apple.com
- app-site-association.networking.apple
- login.microsoftonline.com
- login.microsoft.com
- sts.windows.net
- login.partner.microsoftonline.cn
- login.chinacloudapi.cn
- login.microsoftonline.us
- login-us.microsoftonline.com
- config.edge.skype.com
Entra ID Considerations
- Users must be registered for Microsoft Entra multifactor authentication.
- Google Chrome users should install the Microsoft Single Sign-On extension.
- Avoid deploying MDM password restriction profiles alongside PSSO to prevent conflicts.
- Use Entra MFA settings instead of per-user MFA.
- PSSO is designed for cloud-based Entra ID, not Active Directory.
- Ensure an admin user is set up before deploying PSSO.
- Deploy the Company Portal app as early as possible to prevent registration issues.
Setting Up Microsoft Platform SSO in Addigy
1. Choose Your Authentication Method
When configuring your Extensible SSO profile, select one of the following authentication modes:
- Password: Syncs the user's Microsoft Entra ID password with the local macOS account.
- Secure Enclave: Uses a hardware-backed cryptographic key for authentication without syncing passwords.
2. Create Your Extensible Single Sign-On Configuration Profile
To enable Microsoft Platform SSO:
- Navigate to Catalog and select MDM Profiles in Addigy.
- Click on New.
- Go to Extensible SSO.
- Enter the required IdP details, including:
- Payload Name
- Extension identifier: com.microsoft.CompanyPortalMac.ssoextension
- SSO Type: Redirect
- Scroll to the bottom and check the box next to Platform SSO to expose the other fields needed.
- Enter the required IdP details, including:
- Team identifier: UBF8T346G9
- URLs: Include all required Microsoft authentication URLs.
- https://login.microsoftonline.com
- https://login.microsoft.com
- https://sts.windows.net
- https://login.partner.microsoftonline.cn
- https://login.chinacloudapi.cn
- https://login.microsoftonline.us
- https://login-us.microsoftonline.com
- Screen locked behavior: Do not handle.
- Authentication method: Choose between password sync and Secure Enclave.
- Registration token: {{deviceregistration}}
- Enable user creation at login: (Optional) Automatically create new users based on IdP credentials.
- Enable authorization: Ensures proper authentication handling.
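To catch a misconfigured profile before it reaches devices, here is an added example (not Addigy's or Microsoft's code) that validates an exported Extensible SSO payload against the values listed above. The sample payload and the sample_profile_bytes helper are constructed for illustration; the key names follow Apple's com.apple.extensiblesso payload.

```python
import plistlib
EXTENSION_ID = "com.microsoft.CompanyPortalMac.ssoextension"
TEAM_ID = "UBF8T346G9"
REQUIRED_URLS = {
    "https://login.microsoftonline.com", "https://login.microsoft.com",
    "https://sts.windows.net", "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn", "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
}
AUTH_METHODS = {"Password", "UserSecureEnclaveKey"}

# Constructed sample payload using the values from this guide; {{deviceregistration}} is the Addigy variable.
SAMPLE_PAYLOAD = {
    "PayloadType": "com.apple.extensiblesso",
    "ExtensionIdentifier": EXTENSION_ID,
    "TeamIdentifier": TEAM_ID,
    "Type": "Redirect",
    "URLs": sorted(REQUIRED_URLS),
    "ScreenLockedBehavior": "DoNotHandle",
    "RegistrationToken": "{{deviceregistration}}",
    "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey", "EnableAuthorization": True},
}

def validate_esso_payload(payload):
    """Return a list of problems; an empty list means the payload passes."""
    psso = payload.get("PlatformSSO")
    checks = [
        (payload.get("ExtensionIdentifier") == EXTENSION_ID, "wrong ExtensionIdentifier"),
        (payload.get("TeamIdentifier") == TEAM_ID, "wrong TeamIdentifier (Microsoft is UBF8T346G9)"),
        (payload.get("Type") == "Redirect", "SSO Type must be Redirect"),
        (bool(payload.get("RegistrationToken")), "RegistrationToken is empty"),
        (isinstance(psso, dict) and psso.get("AuthenticationMethod") in AUTH_METHODS,
         "PlatformSSO.AuthenticationMethod must be Password or UserSecureEnclaveKey"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    # The extension only handles URLs it is configured for, so every IdP URL must be present.
    problems += ["missing IdP URL " + u
                 for u in sorted(REQUIRED_URLS - set(payload.get("URLs", [])))]
    return problems

def validate_mobileconfig(data):
    """Check every Extensible SSO payload inside a .mobileconfig (plist bytes)."""
    esso = [p for p in plistlib.loads(data).get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not esso:
        return ["no com.apple.extensiblesso payload in profile"]
    return [m for p in esso for m in validate_esso_payload(p)]

def sample_profile_bytes():
    # Wrap SAMPLE_PAYLOAD in a minimal profile, as an exported .mobileconfig would be.
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [SAMPLE_PAYLOAD]})
```

Run validate_mobileconfig on the bytes of a profile exported from Addigy to check it before deployment.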
3. Deploy Microsoft Platform SSO Profiles
Deploy the configuration profile to your managed macOS devices via Addigy.
4. Deploy the Microsoft Intune Company Portal for macOS
Mass deploy the Microsoft Intune Company Portal for macOS. It is recommended to deploy this app automatically rather than making it user-initiated.
If you use Microsoft Conditional Access through the Addigy partner compliance management integration, Company Portal is already deployed automatically to macOS devices.
5. Complete the macOS ESSO Registration Flow
After deployment:
- The Microsoft registration popup should appear within 15 minutes.
- If it does not appear, manually trigger it by navigating to System Settings > Users & Groups > Click Edit next to Network account server > Click Register next to Mac SSO Extension.
Verifying and Troubleshooting Microsoft Platform SSO
Verification Steps
To confirm Platform SSO is working:
- Open a new private Safari window and visit https://portal.office.com/.
- If configured correctly, users should not need to log in again after initial authentication.
Common Troubleshooting Steps
- Check Platform SSO state: Run the following command in Terminal:
app-sso platform -s
- Ensure Secure Enclave authentication is enabled if using Secure Enclave.
- Repair PSSO connection:
- Go to System Settings > Users & Groups > Click Edit next to Network account server > Click Repair.
Summary
Microsoft Platform SSO allows seamless authentication for macOS users using Entra ID credentials. By deploying the correct configuration profiles in Addigy and ensuring all prerequisites are met, organizations can improve security and user experience.
For the latest updates on Platform SSO support and troubleshooting, refer to Microsoft's official documentation or contact Addigy Support.
Additional Resources
- Use the Microsoft Enterprise SSO plug-in on macOS devices
- Microsoft Enterprise SSO plug-in for Apple devices
- macOS Platform Single Sign-on overview (preview)
- ID token claims reference
- MacAdmins PSU24 Platform Single Sign On – Timothy Perfitt, Joel Rennich
- MacAdmins PSU24 Best Practices for Deploying Platform SSO with Microsoft Entra ID – Michael Epping, Mark Morowczynski
- Intro to Apple Identity Services
- Single Sign-on MDM payload settings for Apple devices