
Single Sign-On (SSO)

Last Updated: May 2025
Implementation Effort: Medium – Requires Intune profile configuration and deployment, but no ongoing user or infrastructure changes.
User Impact: Low – Users benefit from seamless sign-in without needing to take action.


Introduction

Single Sign-On (SSO) enables macOS users to authenticate once and gain seamless access to corporate apps and services without repeated credential prompts. In Intune-managed macOS environments, Microsoft supports multiple SSO mechanisms, including the Enterprise SSO plug-in, Platform SSO, and Kerberos SSO. These technologies reduce friction, improve security, and support Zero Trust by enforcing strong, identity-based access controls.

This section helps administrators understand and evaluate the available SSO options for macOS and how to align them with Zero Trust principles.


Why This Matters

  • Reduces password fatigue and improves user experience.
  • Supports passwordless and phishing-resistant authentication.
  • Enables Conditional Access enforcement across apps and browsers.
  • Strengthens identity assurance by binding authentication to the device.
  • Supports Zero Trust by ensuring that access is based on verified identity and device trust.

Key Considerations

Platform SSO (Microsoft Entra ID)

  • Introduced in macOS 13+ and enhanced in macOS 14.6+.
  • Allows users to sign in to their Mac using Microsoft Entra ID credentials, Touch ID, or smart cards.
  • Recommended: Secure Enclave-backed authentication, which provisions a hardware-bound cryptographic key for phishing-resistant, passwordless authentication.
  • Does not sync the Entra ID password with the local account.
  • Acts as a broker for Conditional Access, device compliance, and Workplace Join (WPJ) certificate-based authentication.

From a Zero Trust perspective:
Platform SSO with Secure Enclave ensures phishing-resistant, hardware-bound authentication, and guarantees that access is granted only to verified users on compliant devices.



SSO App Extension (Enterprise SSO Plug-in)

  • Enables SSO to Microsoft Entra ID-protected apps and websites using the native macOS authentication framework.
  • Supports Safari, Edge, and Chrome (with the Microsoft SSO extension).
  • Deployable via Intune using a configuration profile or settings catalog.

From a Zero Trust perspective:
The SSO app extension ensures consistent identity enforcement across apps and browsers, reducing the risk of credential reuse or bypass.



Kerberos SSO (via Platform SSO)

  • Supports access to on-premises Active Directory resources.
  • Useful for hybrid environments.
  • Requires configuration of a Kerberos SSO MDM profile and deployment of Microsoft Entra Kerberos for cloud-based Kerberos trust.

From a Zero Trust perspective:
Kerberos SSO enables secure, token-based access to legacy resources without exposing passwords, supporting least privilege and identity assurance.



Browser Support and Deployment

  • Safari supports SSO natively.
  • Chrome and Edge require the Microsoft Enterprise SSO extension, deployable via Intune using a managed preference (.plist).
  • Ensure the extension is force-installed and configured for seamless authentication.
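As an added example (not part of this guidance and not Microsoft's own tooling), the following Python helper builds the managed-preference payload that force-installs a browser extension and checks a payload pulled from a device for the expected entry. The extension ID is a placeholder to replace with the real Microsoft SSO extension ID, and the preference domains are assumed from the two browsers' bundle identifiers.

```python
import plistlib
from typing import Optional, Set
from xml.parsers.expat import ExpatError

# Assumed managed-preference domains for the two browsers named above.
BROWSER_DOMAINS = {"chrome": "com.google.Chrome", "edge": "com.microsoft.Edge"}

# Placeholder: substitute the real Microsoft SSO extension ID for each browser.
SSO_EXTENSION_ID = "REPLACE_WITH_SSO_EXTENSION_ID"


def build_forcelist_plist(extension_id: str, update_url: Optional[str] = None) -> bytes:
    """Build a managed-preference plist that force-installs one extension.

    ExtensionInstallForcelist is the Chrome/Edge policy key; each entry is
    either "<id>" or "<id>;<update_url>".
    """
    entry = extension_id if update_url is None else f"{extension_id};{update_url}"
    return plistlib.dumps({"ExtensionInstallForcelist": [entry]})


def forced_extension_ids(plist_bytes: bytes) -> Set[str]:
    """Return the extension IDs a managed-preference plist force-installs.

    Malformed input yields an empty set so a broken payload reads as
    "extension not forced" rather than crashing the check.
    """
    try:
        prefs = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ValueError, ExpatError):
        return set()
    entries = prefs.get("ExtensionInstallForcelist", [])
    if not isinstance(entries, list):
        return set()
    # Drop an optional ";update_url" suffix so matching is on the ID only.
    return {str(e).split(";", 1)[0].strip() for e in entries}


def sso_extension_forced(plist_bytes: bytes, extension_id: str = SSO_EXTENSION_ID) -> bool:
    """True when the payload force-installs the SSO extension."""
    return extension_id in forced_extension_ids(plist_bytes)
```

Run the check against the exported managed preferences for each domain in BROWSER_DOMAINS to confirm the extension is forced before relying on browser SSO for Conditional Access.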

Device and OS Requirements

  • Platform SSO requires:
    • macOS 13.0 or later (macOS 14.6+ for Kerberos SSO)
    • Intune Company Portal version 5.2404.0 or later
    • Microsoft Entra ID (formerly Azure AD)
  • Devices must be Entra-joined and enrolled in Intune to enable full SSO capabilities.

Zero Trust Considerations

  • Verify explicitly: Access is granted only after verifying both user identity and device trust.
  • Assume breach: Passwordless and certificate-based SSO reduces the risk of phishing and credential theft.
  • Least privilege: SSO tokens are scoped and time-bound, reducing the risk of long-lived access.
  • Continuous trust: SSO integrates with Conditional Access and compliance policies to continuously evaluate trust.
  • Defense in depth: SSO complements other identity and device controls, ensuring layered protection across the authentication stack.

Recommendations

  • Deploy Platform SSO with Secure Enclave for all supported macOS devices.
  • Use the SSO app extension to enforce consistent identity across browsers and apps.
  • Configure Kerberos SSO if users require access to on-premises Active Directory resources.
  • Ensure browser support by deploying the Microsoft SSO extension for Chrome and Edge.
  • Use phishing-resistant credentials (e.g., Touch ID, smart cards) where possible.
  • Monitor SSO usage and failures to detect anomalies and improve user experience.

References