Platform SSO for macOS with Microsoft Entra ID

What It Is, Why It Matters, and How to Roll It Out

The Big Picture:

On August 12, 2025, Microsoft officially made Platform SSO for macOS generally available. If you’ve been following along since the Public Preview back in May 2024, you’ll know this is a big deal.

In plain English: your users log in to their Mac with their Microsoft Entra ID and are immediately signed in everywhere they need to be (Office apps, browsers, the works) without re-entering credentials all day.

It’s cleaner, more secure, and a huge step forward if you’re trying to modernize macOS authentication in a Microsoft-heavy environment.

How It Works:

At the heart of Platform SSO is the Microsoft Enterprise SSO plug-in for Apple devices. On macOS, it lives inside the Intune Company Portal app; on iOS/iPadOS, it’s in Microsoft Authenticator.

Here’s what it does:

- Intercepts login requests to Microsoft identity endpoints (OAuth, SAML, WS-Fed — all the usual suspects).
- Injects a valid sign-in session so the user never sees another login screen.
- Works even for apps that aren’t written with Microsoft’s MSAL libraries.

To make all this work securely, your device gets a Workplace Join (WPJ) certificate. Think of this as the Mac’s official “I belong to this tenant” ID card.

When the user logs in, the plug-in hands over a Primary Refresh Token (PRT), which then silently authenticates apps and browsers.

Your Authentication Options:

When you enable Platform SSO, you have a choice in how people sign in:

- Secure Enclave (passwordless): Uses the Mac’s Secure Enclave to store a cryptographic key bound to the device. Users unlock with Touch ID, and the rest just happens. Strongest option for security and user experience.
- Smart Card / FIDO2 key: Ideal if your org is already using physical tokens or cards. Works with YubiKeys, CAC/PIV cards, etc.
- Password Sync: The user’s Entra ID password becomes their Mac login password. Good for easing people into the new setup without changing habits.

What You Need Before You Start:

- macOS 13 or newer (14+ recommended for full feature support)
- Intune Company Portal version 5.2404.0 or later (newer is better)
- Devices must be MDM enrolled — Intune, ABM, Jamf, whatever you use
- Your network must allow Microsoft identity endpoints without breaking TLS

How to Deploy It in Intune:

Here’s the 30,000-foot view of the rollout process:

1. Create a Platform SSO policy in Intune
   - Go to Devices → Configuration → Create Settings Catalog Policy. Platform: macOS.
   - Configure the “Extensible Single Sign-On” settings.
   - Choose your authentication method (Secure Enclave, Smart Card, or Password).
   - If you’ve got a mix of macOS 13 and 14, set both old and new keys to cover everyone.
2. Deploy the Company Portal app
   - Make sure you’re pushing the latest version to all Macs.
3. Enroll your devices
   - For new hardware, use Apple Business Manager automated enrollment.
   - For existing devices, have users install Company Portal and sign in.
4. Watch for the registration prompt
   - Users will see “Registration required” in macOS notifications.
   - Once they sign in, the Mac gets its WPJ certificate and SSO just works.
5. Verify it’s working
   - On the Mac, check System Settings → Privacy & Security → Profiles for the SSO profile.
   - Remove any old SSO extension profiles to avoid conflicts.
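As an added example for the verification step (not from the original post or from Microsoft), here is a read-only shell check that can be run on a pilot Mac: it inspects the installed configuration profiles for the Company Portal SSO extension, flags a second Extensible SSO payload (the “old profile” conflict the step warns about), and prints the Platform SSO state. It assumes the Company Portal extension identifier `com.microsoft.CompanyPortalMac.ssoextension`, the Apple payload type `com.apple.extensiblesso`, and the `app-sso platform -s` state command as published in Apple’s and Microsoft’s documentation; the sample profile text at the bottom is constructed for offline testing.

```shell
#!/bin/sh
# Post-rollout check for Platform SSO (added example, not the post's own code).
# Assumed identifiers from vendor docs: Company Portal SSO extension bundle id
# and Apple's Extensible SSO payload type.
EXT_ID="com.microsoft.CompanyPortalMac.ssoextension"
PAYLOAD_TYPE="com.apple.extensiblesso"

# Count lines in `profiles show` text that carry the Extensible SSO payload type.
# `|| true` keeps a zero count from aborting a `set -e` shell.
count_sso_payloads() {
    printf '%s\n' "$1" | grep -c "$PAYLOAD_TYPE" || true
}

# Succeed when the profile text references the Company Portal SSO extension.
has_company_portal_sso() {
    printf '%s\n' "$1" | grep -q "$EXT_ID"
}

# Classify the profile state:
#   missing  - no Company Portal SSO payload installed
#   conflict - Company Portal present but another SSO payload is still installed
#   ok       - exactly one Extensible SSO payload, for Company Portal
classify_profiles() {
    n=$(count_sso_payloads "$1")
    if ! has_company_portal_sso "$1"; then echo missing
    elif [ "$n" -gt 1 ]; then echo conflict
    else echo ok
    fi
}

# Live run on a Mac. Device-level profiles are only visible to root, so run
# with sudo; each tool is skipped when it is not present (e.g. on Linux).
main() {
    if command -v profiles >/dev/null 2>&1; then
        out=$(profiles show -type configuration 2>/dev/null)
        echo "SSO profile state: $(classify_profiles "$out")"
    fi
    if command -v app-sso >/dev/null 2>&1; then
        echo "--- Platform SSO state (app-sso platform -s) ---"
        app-sso platform -s
    fi
}

# Constructed sample: Company Portal payload plus a leftover legacy SSO payload.
SAMPLE_CONFLICT='PayloadType = "com.apple.extensiblesso";
ExtensionIdentifier = "com.microsoft.CompanyPortalMac.ssoextension";
PayloadType = "com.apple.extensiblesso";
ExtensionIdentifier = "com.example.legacy.ssoextension";'

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sudo sh check-psso.sh --run` on the Mac; without `--run` it only defines the functions, which is how the sample text can be classified in a shell session.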

Tips from the Field

- Stay up to date: several early adopters ran into extra MFA prompts until they upgraded to macOS 15.4.1.
- Plan your authentication method early: switching from password sync to Secure Enclave later can cause a little user confusion.
- Allow the right network traffic: if you’re using a TLS-intercepting proxy, whitelist Microsoft identity URLs.

Why You (and Your Users) Will Like It

- For users: No more juggling passwords or signing into each app separately. Touch ID unlocks the Mac and everything else just works.
- For IT: Cleaner onboarding, fewer password resets, and tighter integration with Conditional Access.
- For security: Built-in phishing resistance and better compliance with modern Zero Trust strategies.

The Bottom Line

Platform SSO on macOS with Microsoft Entra ID brings Mac authentication up to the same modern standard we’ve had on Windows for a while. It’s smoother for end users, stronger for security teams, and finally gives IT admins a proper, supported way to integrate Macs into an Entra-first environment.

If you’ve been holding off because it was “just in preview”, now’s the time to start piloting it.
