Platform SSO for macOS with Microsoft Entra ID
What It Is, Why It Matters, and How to Roll It Out
The Big Picture:
On August 12, 2025, Microsoft officially made Platform SSO for macOS generally available. If you’ve been following along since the Public Preview back in May 2024, you’ll know this is a big deal.
In plain English: your users log in to their Mac with their Microsoft Entra ID and are immediately signed in everywhere they need to be, Office apps, browsers, the works, without re-entering credentials all day.
It’s cleaner, more secure, and a huge step forward if you’re trying to modernize macOS authentication in a Microsoft-heavy environment.
How It Works:
At the heart of Platform SSO is the Microsoft Enterprise SSO plug-in for Apple devices. On macOS, it lives inside the Intune Company Portal app; on iOS/iPadOS, it’s in Microsoft Authenticator.
Here’s what it does:
- Intercepts login requests to Microsoft identity endpoints (OAuth, SAML, WS-Fed — all the usual suspects).
- Injects a valid sign-in session so the user never sees another login screen.
- Works even for apps that aren’t written with Microsoft’s MSAL libraries.
To make all this work securely, your device gets a Workplace Join (WPJ) certificate. Think of this as the Mac’s official “I belong to this tenant” ID card.
When the user logs in, the plug-in hands over a Primary Refresh Token (PRT), which then silently authenticates apps and browsers.
Your Authentication Options:
When you enable Platform SSO, you have a choice in how people sign in:
- Secure Enclave (passwordless): uses the Mac’s Secure Enclave to store a cryptographic key bound to the device. Users unlock with Touch ID, and the rest just happens. Strongest option for security and user experience.
- Smart Card / FIDO2 key: ideal if your org is already using physical tokens or cards. Works with YubiKeys, CAC/PIV cards, etc.
- Password Sync: the user’s Entra ID password becomes their Mac login password. Good for easing people into the new setup without changing habits.
What You Need Before You Start:
- macOS 13 or newer (14+ recommended for full feature support)
- Intune Company Portal version 5.2404.0 or later (newer is better)
- Devices must be MDM enrolled — Intune, ABM, Jamf, whatever you use
- Your network must allow Microsoft identity endpoints without breaking TLS
How to Deploy It in Intune:
Here’s the 30,000-foot view of the rollout process:
1. Create a Platform SSO policy in Intune. Go to Devices → Configuration → Create Settings Catalog Policy. Platform: macOS. Configure the “Extensible Single Sign-On” settings. Choose your authentication method (Secure Enclave, Smart Card, or Password). If you’ve got a mix of macOS 13 and 14, set both old and new keys to cover everyone.
2. Deploy the Company Portal app. Make sure you’re pushing the latest version to all Macs.
3. Enroll your devices. For new hardware, use Apple Business Manager automated enrollment. For existing devices, have users install Company Portal and sign in.
4. Watch for the registration prompt. Users will see “Registration required” in macOS notifications. Once they sign in, the Mac gets its WPJ certificate and SSO just works.
5. Verify it’s working. On the Mac, check System Settings → Privacy & Security → Profiles for the SSO profile. Remove any old SSO extension profiles to avoid conflicts.
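The prerequisite list and the final verification step above are both things you will want to check per device rather than by eye. The script below is an added example for this post, not Microsoft’s or Apple’s tooling. It takes the minimums the post states (macOS 13, Company Portal 5.2404.0), compares dotted version strings component by component (so 5.2410.0 counts as newer than 5.2404.0), and counts Extensible SSO payloads in `profiles` output so that a leftover SSO extension profile sitting next to the Platform SSO one is flagged as a conflict. The Company Portal install path and the use of Apple’s `app-sso platform -s` for registration state are assumptions to confirm on your own fleet; the live part only runs on a Mac.

```shell
#!/bin/bash
# Platform SSO readiness and post-deployment check for one Mac.
# Added example; minimum versions come from the post, paths are assumed.

MIN_MACOS="13.0"
MIN_CP="5.2404.0"
CP_PLIST="/Applications/Company Portal.app/Contents/Info.plist"  # assumed install path

# version_ge A B: exit 0 when dotted version A >= B, compared numerically
# per component, so 14.0 > 13.7 and 5.2410.0 > 5.2404.0.
version_ge() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 0
}

# check_prereqs MACOS_VER CP_VER: one verdict line per requirement;
# returns 0 only when both minimums are met (empty CP_VER = not installed).
check_prereqs() {
  local macos="$1" cp="$2" ok=0
  if version_ge "$macos" "$MIN_MACOS"; then
    echo "OK    macOS $macos (minimum $MIN_MACOS)"
  else
    echo "FAIL  macOS $macos is below $MIN_MACOS"; ok=1
  fi
  if [ -z "$cp" ]; then
    echo "FAIL  Company Portal not found at $CP_PLIST"; ok=1
  elif version_ge "$cp" "$MIN_CP"; then
    echo "OK    Company Portal $cp (minimum $MIN_CP)"
  else
    echo "FAIL  Company Portal $cp is below $MIN_CP"; ok=1
  fi
  return $ok
}

# assess_sso_profiles: reads `profiles` output on stdin and counts Extensible
# SSO payloads (payload type com.apple.extensiblesso).
# Returns 0 = exactly one (expected), 1 = none, 2 = more than one, which
# usually means an old SSO extension profile is still installed.
assess_sso_profiles() {
  local n
  n=$(grep -c 'com.apple.extensiblesso') || n=0
  case "$n" in
    0) echo "FAIL  no Extensible SSO payload installed"; return 1;;
    1) echo "OK    one Extensible SSO payload installed"; return 0;;
    *) echo "WARN  $n Extensible SSO payloads installed, remove the old SSO extension profile"; return 2;;
  esac
}

# Live check against the local machine; skipped anywhere that is not macOS.
run_live_check() {
  if [ "$(uname)" != "Darwin" ]; then
    echo "Not macOS, skipping live check"; return 0
  fi
  local macos cp
  macos=$(sw_vers -productVersion)
  cp=$(defaults read "$CP_PLIST" CFBundleShortVersionString 2>/dev/null)
  check_prereqs "$macos" "$cp"
  # Device-scope MDM profiles are only visible to root, hence sudo.
  sudo profiles show -type configuration 2>/dev/null | assess_sso_profiles
  # Apple's app-sso tool reports Platform SSO registration state (assumed: macOS 13+).
  app-sso platform -s 2>/dev/null || echo "WARN  app-sso platform -s did not report state"
}

run_live_check
```

Run it as an admin user on a pilot Mac before and after the Intune policy lands: a clean result is two OK lines from the prerequisites, one OK line from the profile count, and `app-sso` showing the device as registered. A count of two or more Extensible SSO payloads is the conflict the last step above tells you to clean up.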
Tips from the Field
- Stay up to date: several early adopters ran into extra MFA prompts until they upgraded to macOS 15.4.1.
- Plan your authentication method early: switching from password sync to Secure Enclave later can cause a little user confusion.
- Allow the right network traffic: if you’re using a TLS-intercepting proxy, whitelist the Microsoft identity URLs.
Why You (and Your Users) Will Like It
- For users: no more juggling passwords or signing into each app separately. Touch ID unlocks the Mac and everything else just works.
- For IT: cleaner onboarding, fewer password resets, and tighter integration with Conditional Access.
- For security: built-in phishing resistance and better compliance with modern Zero Trust strategies.
The Bottom Line
Platform SSO on macOS with Microsoft Entra ID brings Mac authentication up to the same modern standard we’ve had on Windows for a while. It’s smoother for end users, stronger for security teams, and finally gives IT admins a proper, supported way to integrate Macs into an Entra-first environment.
If you’ve been holding off because it was “just in preview”, now’s the time to start piloting it.
