Introduction:
Apple Platform SSO has long promised a native identity bridge between macOS and enterprise identity providers, but adoption lagged due to limited IdP support and complex setup. With Microsoft Company Portal 5.2604.0 now officially supporting Platform SSO using Simplified Setup for Microsoft Entra ID (formerly Azure AD), organizations standardized on Intune and Entra can finally provision, authenticate, and manage Mac users without third‑party overlays or brittle scripts. This update integrates Secure Enclave‑backed passwordless authentication, automatic device registration, and local account creation directly into the macOS login window and Setup Assistant.
Learning Objectives:
- Understand how Microsoft Company Portal 5.2604.0 integrates with Apple Platform SSO to enable native Entra ID authentication on macOS.
- Configure and deploy Microsoft Entra Simplified Setup for Platform SSO using Intune or Jamf, including Secure Enclave passkey support.
- Implement and troubleshoot automatic device registration, local account provisioning, and credential lifecycle management across Windows and Mac hybrid environments.
You Should Know:
1. What Is Apple Platform SSO and Why Microsoft’s Implementation Matters
Apple Platform SSO is a native framework (introduced in macOS 13 Ventura) that allows an identity provider’s extension to handle authentication at the operating system level — including login window, screensaver unlock, and Safari SSO. Before this update, Microsoft Entra required custom login overlays (e.g., Intune Company Portal app‑only auth) or third‑party solutions like Jamf Connect, XCreds, or Iru Passport. With Company Portal 5.2604.0, the Platform SSO extension now speaks Entra ID natively, leveraging Secure Enclave for passkey‑based passwordless authentication and syncing the local account password with the cloud identity.
Step‑by‑step verification and setup:
1. Prerequisites: macOS Ventura 13.0+ (Sonoma recommended), Microsoft Company Portal 5.2604.0+ installed, device enrolled in Intune (or Jamf with Intune integration), and an Entra ID tenant with Platform SSO enabled (Preview → Enabled).
2. Check current Company Portal version (Terminal):
```shell
# macOS – check installed Company Portal version
defaults read /Applications/Company\ Portal.app/Contents/Info.plist CFBundleShortVersionString
# Expected: 5.2604.0 or higher
```
3. Verify Secure Enclave presence (required for passkeys):
```shell
system_profiler SPHardwareDataType | grep "Chip"
# Apple M1/M2/M3 or T2 chip includes Secure Enclave
ioreg -l | grep -i "secure enclave" | head -1
```
4. Deploy Platform SSO profile via Intune:
   - In Microsoft Intune admin center → Devices → macOS → Configuration profiles → Create profile → “Platform SSO” (Settings catalog).
   - Set Extension Identifier: `com.microsoft.CompanyPortal.extensions.sso`
   - Team Identifier: `UBF8T346G9` (Microsoft’s Apple Team ID)
   - Configuration: Enable “Passwordless SSO” and “Use Secure Enclave for passkeys”
   - Assign to device group.
5. Validate profile installation:
```shell
sudo profiles list -output stdout-xml | grep -A 5 "PlatformSSO"
```
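The five steps above can be folded into one pre-flight script that an admin runs on a candidate Mac before assigning the profile. This is an added example, not code from the original post or from Microsoft; it checks for the Company Portal version, extension identifier and team identifier the post lists, and the helper names (`version_ge`, `profile_has_psso`, `has_secure_enclave`, `run_live_checks`) are my own.

```shell
#!/bin/sh
# Added pre-flight script (mine, not Microsoft's or the post's) for the rollout
# steps above. Expected identifiers are the ones the post lists; helper names are
# my own. Parsing helpers read text from stdin so they can be exercised against
# the constructed samples below; run_live_checks runs the real macOS commands.

MIN_CP_VERSION="5.2604.0"
EXPECTED_EXT_ID="com.microsoft.CompanyPortal.extensions.sso"   # from the post
EXPECTED_TEAM_ID="UBF8T346G9"                                  # from the post

# version_ge A B: succeed when dotted version A >= B (up to 4 numeric fields)
version_ge() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s\n' "$1" | awk -F. -v n="$i" '{ print $n + 0 }')
    y=$(printf '%s\n' "$2" | awk -F. -v n="$i" '{ print $n + 0 }')
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# profile_has_psso: reads `profiles list -output stdout-xml` output on stdin and
# succeeds only if both identifiers from the post appear as plist strings
profile_has_psso() {
  text=$(cat)
  printf '%s\n' "$text" | grep -qF "<string>$EXPECTED_EXT_ID</string>" &&
    printf '%s\n' "$text" | grep -qF "<string>$EXPECTED_TEAM_ID</string>"
}

# has_secure_enclave: reads `system_profiler SPHardwareDataType` output on stdin.
# Assumption: an Apple M-series or T2 "Chip:" line is the only signal checked.
has_secure_enclave() {
  grep -Eq 'Chip: Apple (M[0-9]|T2)'
}

# Constructed samples (not captured from a real Mac), used for offline exercise
SAMPLE_PROFILE='<dict><key>extensionIdentifier</key><string>com.microsoft.CompanyPortal.extensions.sso</string>
<key>teamIdentifier</key><string>UBF8T346G9</string></dict>'
SAMPLE_HW='Hardware Overview:
      Chip: Apple M2'

run_live_checks() {
  v=$(defaults read "/Applications/Company Portal.app/Contents/Info.plist" CFBundleShortVersionString)
  version_ge "$v" "$MIN_CP_VERSION" || { echo "Company Portal $v < $MIN_CP_VERSION"; return 1; }
  system_profiler SPHardwareDataType | has_secure_enclave || { echo "no Secure Enclave found"; return 1; }
  sudo profiles list -output stdout-xml | profile_has_psso || { echo "Platform SSO profile missing"; return 1; }
  echo "pre-flight OK"
}
```

Call `run_live_checks` on the Mac itself; each failing check names the step from the list above that still needs attention.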
2. Configuring Microsoft Entra Simplified Setup for macOS Login
Simplified Setup means that during macOS Setup Assistant (or after enrollment), the user is prompted directly for their Microsoft Entra username and password — no additional Company Portal sign‑in window. The extension then communicates with Entra ID, creates a local account (using the user’s UPN as the local username by default), and registers the device in Entra under the “macOS” category. This eliminates the need for Jamf Connect’s login window or XCreds’ synchronization agent.
Step‑by‑step configuration for Intune & Jamf:
- Intune method (recommended):
  - In the same Platform SSO profile, enable “Registration in Setup Assistant” and “Create local account automatically”.
  - Set “Authentication method” to “Passwordless with passkey (Secure Enclave)”.
  - Under “Additional settings”, map Entra attributes to local account fields: use `userPrincipalName` for username, `displayName` for real name.
  - Deploy the profile. The next time a Mac runs Setup Assistant (or a user signs out), they’ll see an Entra branded login screen.
- Jamf Pro method (via Custom Configuration Profile):
  - Upload a custom .mobileconfig with the Platform SSO payload. Example payload key:
```xml
<key>platformSSO</key>
<dict>
  <key>extensionIdentifier</key>
  <string>com.microsoft.CompanyPortal.extensions.sso</string>
  <key>teamIdentifier</key>
  <string>UBF8T346G9</string>
  <key>registrationInSetupAssistant</key>
  <true/>
  <key>createLocalAccount</key>
  <true/>
</dict>
```
  - Deploy via Jamf → Configuration Profiles → Upload.
- Verify registration in Entra:
```shell
# Windows/Linux (Azure CLI) – list registered devices
az login --tenant yourtenant.onmicrosoft.com
az ad device list --filter "displayName eq 'MacBook-Pro-User'"
```
- Troubleshooting logs on Mac:
```shell
log show --predicate 'subsystem == "com.apple.extensiblesso"' --last 30m --info
log stream --predicate 'subsystem contains "CompanyPortal"' --level debug
```
3. Native Passwordless Authentication Using Secure Enclave
Secure Enclave is a hardware‑isolated coprocessor on Apple Silicon and T2‑chip Macs that stores cryptographic keys inaccessible to the main OS. Microsoft’s Platform SSO extension now generates a passkey (WebAuthn credential) bound to the Secure Enclave, allowing the user to authenticate to Entra ID via Touch ID, Apple Watch, or simply the device’s presence. This satisfies phishing‑resistant MFA requirements (per NIST AAL3) without needing a FIDO2 security key.
How it works during login:
- User enters their Entra username at macOS login window.
- Platform SSO extension prompts Secure Enclave to sign a challenge from Entra.
- Secure Enclave uses the stored passkey private key → token returned → user logged in.
- Local account password is synchronised with Entra’s password hash (optional, but supported).
Commands to verify and manage Secure Enclave passkeys:
- List existing passkeys (requires admin):
```shell
security dump-keychain | grep -A 5 "Passkey"
```
- Check Secure Enclave diagnostics:
```shell
sudo /usr/libexec/remotediagnostics list | grep "SEP"
# Shows Secure Enclave Processor health
```
- Monitor authentication events:
```shell
sudo log stream --predicate 'eventMessage contains "PlatformSSO" or eventMessage contains "passkey"' --level debug
```
- Force re‑registration of passkey (if a user gets a new Mac):
  - User must sign out, click “Forgot passkey?” on login window, then re‑authenticate with Entra password + MFA.
4. Lifecycle Management and Credential Sync Between macOS and Entra ID
One of the biggest operational pains has been keeping the local macOS password and the Entra ID password in sync. With Platform SSO, the extension handles both initial provisioning and ongoing changes: when the user changes their Entra password via Microsoft My Account or a Windows machine, the macOS local password is automatically updated the next time the user unlocks the screen (on behalf of the user via the SSO extension). Similarly, password rotation policies (e.g., 90‑day expiration) trigger a macOS‑native dialog to change the password, which then updates Entra.
Step‑by‑step sync troubleshooting:
- Force manual sync via command line:
```shell
# Kick the SSO extension to refresh its token
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/credsync -v
```
- Check local account password last set time:
```shell
dscl . read /Users/username passwordLastSetTime
```
- Compare with Entra ID password last update (Microsoft Graph PowerShell):
```powershell
# PowerShell on Windows or cross‑platform
Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -UserId "[email protected]" | Select-Object Id, UserPrincipalName, PasswordPolicies
```
- View sync logs:
```shell
sudo log stream --predicate '(subsystem contains "com.microsoft.CompanyPortal") && (eventMessage contains "token" || eventMessage contains "sync")'
```
- Recovering from an offline scenario: If a Mac is offline for weeks and the Entra password changed, the extension caches a refresh token (secured inside Secure Enclave). Once online, it re‑authenticates silently. If the token has expired, the user must reconnect to the corporate network and log in again.
5. Operational Considerations at Scale: Token Lifecycle, Offline Behavior, Shared Devices, and Conditional Access
Moving to native Platform SSO does not eliminate complexity — it shifts it. Enterprises must now manage token lifetimes (Entra ID default 90 days for refresh tokens), offline authentication when no network is available, shared device scenarios (e.g., lab Macs with multiple transient users), and alignment with Conditional Access policies (e.g., require compliant device or specific location).
Step‑by‑step operational hardening:
- Token lifetime management – Configure Entra ID token policies via PowerShell:
```powershell
# Set max token lifetime to 8 hours for macOS devices (optional)
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"MaxAgeMultiFactor":"PT8H","MaxAgeSingleFactor":"PT8H"}}') `
  -DisplayName "MacPlatformSSOTokenPolicy" -Type "TokenLifetimePolicy"
```
- Offline authentication – The extension caches an “offline grace period” (default 30 days) after the first online login. Modify it via the configuration profile key `OfflineGracePeriodDays`.
- Shared device workflows – For Mac labs, disable “Automatic local account creation” and use “Temporary session” mode, where each login creates an ephemeral home folder that is deleted on logout.
```shell
# Enable guest-like ephemeral accounts (custom script)
sudo sysadminctl -guestAccount on
# Combine with the Platform SSO profile setting "DeleteOnLogout = true"
```
- Conditional Access alignment – Ensure your CA policy includes “Device Compliance” with Microsoft Intune. Verify compliance status:
```shell
# On Mac, force compliance check
sudo /usr/local/jamf/bin/jamf policy -trigger complianceCheck
# Or for Intune managed devices:
sudo /Applications/Company\ Portal.app/Contents/MacOS/Company\ Portal -checkCompliance
```
- Recovery workflow when Secure Enclave locks out – If a user fails Touch ID too many times, Secure Enclave may throttle. Recovery requires Entra password + MFA, then the extension regenerates the passkey. Use JAMF’s `renewPlatformSSO` script or Intune’s “Remediate” function.
Windows‑side commands for admins managing hybrid environment:
```powershell
# Azure AD module – check Mac device registration status
Connect-AzureAD
Get-AzureADDevice -All $true | Where-Object {$_.DeviceOSType -eq "macOS"}
```
What Undercode Say:
- Key Takeaway 1: Microsoft’s native Platform SSO implementation eliminates the need for custom login windows and sync agents – a true “set and forget” identity layer for Macs inside Entra ID environments.
- Key Takeaway 2: Secure Enclave passkeys provide phishing‑resistant, biometric‑backed authentication that meets NIST AAL3 requirements without additional hardware, dramatically reducing credential theft risk.
The removal of third‑party overlays reduces attack surface (no more custom binaries running with elevated privileges) and streamlines user experience. However, organizations must invest in token lifecycle monitoring and offline recovery procedures – native doesn’t mean magic. The shift also pressures legacy Mac admins to learn Intune and Entra ID’s policy architecture instead of relying solely on Jamf Pro’s identity connectors. Expect a wave of migration scripts converting Jamf Connect profiles to Platform SSO payloads. Most importantly, Microsoft is signalling that macOS is now a first‑class citizen in its zero‑trust ecosystem – a strategic move to compete with Okta and Jamf’s partnership.
Prediction:
Within 18 months, the majority of greenfield Mac deployments using Microsoft 365 will adopt Platform SSO over solutions like Jamf Connect or XCreds. Apple and Microsoft will deepen the integration, possibly adding macOS automatic device compliance checks without Intune Company Portal, and extending Platform SSO to Linux via the same Entra passkey model. The shift will accelerate the decline of on‑prem Active Directory binding for Macs, as cloud‑native identity becomes the default. Security teams will see a measurable drop in helpdesk tickets related to forgotten local passwords and Kerberos ticket expiry, but will need to develop new incident response playbooks for passkey revocation and Secure Enclave forensics. Third‑party SSO vendors will pivot to value‑added features like advanced just‑in‑time provisioning and cross‑cloud identity brokering, because the basic “login with cloud” layer is now free and built‑in.
Reported By: Jeutie Finally – Hackers Feeds