Office problem with macOS + Intune + Platform SSO

Jesper Kristensen 5 Reputation points
2026-05-18T12:15:21.47+00:00

Hello community,
We have a large number of Macs in our organization, and we are experiencing an issue where, after a Mac wakes from sleep, Microsoft Office applications and Teams prompt the user to sign in again.

The user can simply click the sign-in button, and everything starts working normally again. However, we would like to understand why this behavior occurs.

Is there a way to prevent this prompt and allow the authentication to happen automatically instead?

Microsoft Security | Intune | Microsoft Intune MacOs

2 answers

  1. Jesper Kristensen 5 Reputation points
    2026-05-18T12:17:55.5333333+00:00

    We already have Platform SSO Enclave in our setup


  2. Q&A Assist
    2026-05-18T12:15:36.79+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    On macOS with Intune and Microsoft Entra–based auth, repeated sign-in prompts after sleep typically occur because each Office/Teams app is re-establishing its Microsoft Entra session and keychain access when the device wakes. If SSO isn’t fully configured, or if each app is handling auth independently, users see a sign-in button instead of a silent re-authentication.

    To reduce or eliminate these prompts and move toward automatic authentication, use single sign-on (SSO) for macOS with Intune and the Microsoft Enterprise SSO plug-in:

    1. Configure the Microsoft Enterprise SSO plug-in in Intune
      • In Intune, create and deploy an SSO policy for macOS using the Platform SSO / SSO app extension options that are part of the Microsoft Enterprise SSO plug-in for Microsoft Entra ID.
      • This allows supported apps (including Microsoft 365 apps like Teams and Office) to reuse the same Microsoft Entra session instead of prompting individually.
    2. Ensure apps support and use SSO
      • Most Microsoft 365 apps on macOS support SSO via the plug-in. When combined with the Intune SSO policy, the number of credential prompts is reduced because apps can silently obtain tokens.
    3. Handle keychain prompts correctly when using Jamf + Intune
      • If Jamf Pro is also in use with Intune conditional access, users may see prompts such as:

        "Microsoft Teams wants to sign using key 'Microsoft Workplace Join Key' in your keychain."

      • In that case, instruct users to choose Always Allow so the app can reuse the stored keychain item and avoid repeated prompts. Each app must be approved once; cached credentials for one app can’t be used by another until it is also set to Always Allow.
    4. Expected behavior after configuration
      • With Platform SSO / SSO app extension correctly deployed and users having allowed keychain access, Office apps and Teams should be able to silently refresh tokens after sleep in most cases, significantly reducing or eliminating visible sign-in prompts.

    If prompts still appear after SSO is configured, verify that:

    • The SSO policy is successfully applied to the device.
    • The apps are updated and support the Microsoft Enterprise SSO plug-in.
    • Users have not denied keychain access for the relevant Microsoft keys.

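Added example, not part of the thread or of the Q&A Assist answer: alongside confirming that the SSO policy reached the device, an admin can audit the policy content itself by checking an exported, unsigned `.mobileconfig` for the SSO extension payload. The extension and team identifiers and the payload keys are assumptions taken from Microsoft's and Apple's public documentation, not from this thread, and `audit_sso_profile` and `build_sample` are hypothetical names.

```python
import plistlib

# Assumed values: identifiers Microsoft documents for the Enterprise SSO
# plug-in on macOS; they do not appear in the thread above.
EXPECTED = {
    "ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
    "TeamIdentifier": "UBF8T346G9",
    "Type": "Redirect",
}
# Platform SSO authentication methods defined for Apple's extensible SSO payload.
PSSO_METHODS = {"Password", "UserSecureEnclaveKey", "SmartCard"}

def audit_sso_profile(data: bytes) -> list[str]:
    """Return findings for an unsigned .mobileconfig; an empty list means none."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if not payloads:
        return ["no com.apple.extensiblesso payload in profile"]
    findings = []
    for p in payloads:
        for key, want in EXPECTED.items():
            if p.get(key) != want:
                findings.append(f"{key}: expected {want!r}, found {p.get(key)!r}")
        psso = p.get("PlatformSSO")
        if not isinstance(psso, dict):
            findings.append("PlatformSSO dictionary missing: SSO extension only")
        elif psso.get("AuthenticationMethod") not in PSSO_METHODS:
            findings.append("PlatformSSO.AuthenticationMethod missing or unknown")
        if not p.get("URLs"):
            findings.append("URLs empty: extension handles no sign-in endpoints")
    return findings

def build_sample(**overrides) -> bytes:
    """Constructed sample profile, not an export from any real tenant.
    An override set to None removes that key from the payload."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        **EXPECTED,
        "URLs": ["https://login.microsoftonline.com"],
        "PlatformSSO": {"AuthenticationMethod": "UserSecureEnclaveKey"},
    }
    payload.update(overrides)
    payload = {k: v for k, v in payload.items() if v is not None}
    return plistlib.dumps({"PayloadContent": [payload]})

if __name__ == "__main__":
    bad = build_sample(TeamIdentifier="XXXXXXXXXX", PlatformSSO=None)
    for name, blob in [("good", build_sample()), ("bad", bad)]:
        print(name, audit_sso_profile(blob) or "ok")
```

A signed profile must be unwrapped before `plistlib` can parse it.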
