Single Sign-On (SSO)
Last Updated: May 2025
Implementation Effort: Medium – Requires Intune profile configuration and deployment, but no ongoing user or infrastructure changes.
User Impact: Low – Users benefit from seamless sign-in without needing to take action.
Introduction
Single Sign-On (SSO) enables macOS users to authenticate once and gain seamless access to corporate apps and services without repeated credential prompts. In Intune-managed macOS environments, Microsoft supports multiple SSO mechanisms, including the Enterprise SSO plug-in, Platform SSO, and Kerberos SSO. These technologies reduce friction, improve security, and support Zero Trust by enforcing strong, identity-based access controls.
This section helps administrators understand and evaluate the available SSO options for macOS and how to align them with Zero Trust principles.
Why This Matters
- Reduces password fatigue and improves user experience.
- Supports passwordless and phishing-resistant authentication.
- Enables Conditional Access enforcement across apps and browsers.
- Strengthens identity assurance by binding authentication to the device.
- Supports Zero Trust by ensuring that access is based on verified identity and device trust.
Key Considerations
Platform SSO (Microsoft Entra ID)
- Introduced in macOS 13+ and enhanced in macOS 14.6+.
- Allows users to sign in to their Mac using Microsoft Entra ID credentials, Touch ID, or smart cards.
- Recommended: Secure Enclave-backed authentication, which provisions a hardware-bound cryptographic key for phishing-resistant, passwordless authentication.
- Does not sync the Entra ID password with the local account.
- Acts as a broker for Conditional Access, device compliance, and Workplace Join (WPJ) certificate-based authentication.
From a Zero Trust perspective:
Platform SSO with Secure Enclave ensures phishing-resistant, hardware-bound authentication, and guarantees that access is granted only to verified users on compliant devices.
SSO App Extension (Enterprise SSO Plug-in)
- Enables SSO to Microsoft Entra ID-protected apps and websites using the native macOS authentication framework.
- Supports Safari, Edge, and Chrome (with the Microsoft SSO extension).
- Deployable via Intune using a configuration profile or settings catalog.
From a Zero Trust perspective:
The SSO app extension ensures consistent identity enforcement across apps and browsers, reducing the risk of credential reuse or bypass.
Kerberos SSO (via Platform SSO)
- Supports access to on-premises Active Directory resources.
- Useful for hybrid environments.
- Requires configuration of a Kerberos SSO MDM profile and deployment of Microsoft Entra Kerberos for cloud-based Kerberos trust.
From a Zero Trust perspective:
Kerberos SSO enables secure, token-based access to legacy resources without exposing passwords, supporting least privilege and identity assurance.