This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
The Microsoft Enterprise SSO plug-in is a feature in Microsoft Entra ID that provides single sign-on (SSO) features for Apple devices. This plug-in uses the Apple single sign-on app extension framework.
The SSO app extension provides single sign-on to apps and websites that use Microsoft Entra ID for authentication, including Microsoft 365 apps. It reduces the number of authentication prompts users get when using devices managed by Mobile Device Management (MDM), including any MDM that supports configuring SSO profiles.
This feature applies to:
macOS
For iOS/iPadOS, go to Use the Microsoft Enterprise SSO plug-in on iOS/iPadOS devices.
On macOS devices, you can configure SSO app extension settings in two places in Intune:
Device features template (this article) - This option configures only the SSO app extension and uses your MDM provider, like Intune, to deploy the settings to devices.
Use this article if you only want to configure the SSO app extension settings and don't want to also configure Platform SSO.
Settings Catalog - This option configures Platform SSO and the SSO app extension together. You use Intune to deploy the settings to your devices.
Use the settings catalog settings if you want to configure both the Platform SSO and SSO app extension settings. For more information, go to Configure platform SSO for macOS devices in Microsoft Intune.
For an overview of your SSO options on Apple devices, go to SSO overview and options for Apple devices in Microsoft Intune.
This article shows how to create an SSO app extension configuration policy for macOS Apple devices with Intune, Jamf Pro, and other MDM solutions.
If you want to configure Platform SSO and SSO app extension settings together, then go to Configure platform SSO for macOS devices in Microsoft Intune.
For your apps to use the Microsoft Enterprise SSO plug-in, you have two options:
Option 1 - MSAL: Apps that support the Microsoft Authentication Library (MSAL) automatically take advantage of the Microsoft Enterprise SSO plug-in. For example, Microsoft 365 apps support MSAL. So, they automatically use the plug-in.
If your organization creates its own apps, then your app developer can add a dependency to the MSAL. This dependency enables your app to use the Microsoft Enterprise SSO plug-in.
For a sample tutorial, go to Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app.
Option 2 - AllowList: Apps that don't support or weren't developed with MSAL can use the SSO app extension. These apps include browsers like Safari and apps that use Safari web view APIs.
For these non-MSAL apps, add the application bundle ID or prefix to the extension configuration in your Intune SSO app extension policy (in this article).
For example, to allow a Microsoft app that doesn't support MSAL, add com.microsoft. to the AppPrefixAllowList property in your Intune policy. Be careful with the apps you allow, they can bypass interactive sign-in prompts for the signed in user.
For more information, go to Microsoft Enterprise SSO plug-in for Apple devices - apps that don't use MSAL.
To use the Microsoft Enterprise SSO plug-in on macOS devices:
The device is managed by Jamf Pro.
The device must support the plug-in:
The Microsoft Company Portal app must be installed on the device.
Users can install the Company Portal app manually. Or, admins can deploy the app using Jamf Pro. For a list of options on how to install the Company Portal app, go to Package Management - Adding a Package to Jamf Admin (opens Jamf Pro's web site).
Note
On macOS devices, Apple requires the Company Portal app be installed. Users don't need to use or configure the Company Portal app, it just needs to be installed on the device.
The Enterprise SSO plug-in requirements are configured, including the Apple network configuration URLs.
When you use the SSO app extension, you use the SSO or Kerberos Payload Type for authentication. The SSO app extension is designed to improve the sign-in experience for apps and websites that use these authentication methods.
The Microsoft Enterprise SSO plug-in uses the SSO Payload Type with Redirect authentication. The SSO Redirect and Kerberos extension types can both be used on a device at the same time. Be sure to create separate device profiles for each extension type you plan to use on your devices.
To determine the correct SSO extension type for your scenario, use the following table:
| Microsoft Enterprise SSO plug-in for Apple Devices | Single sign-on app extension with Kerberos |
|---|---|
| Uses the Microsoft Entra ID SSO app extension type | Uses the Kerberos SSO app extension type |
| Supports the following apps: - Microsoft 365 - Apps, websites or services integrated with Microsoft Entra ID |
Supports the following apps: - Apps, websites or services integrated with AD |
For more information on the SSO app extension, go to SSO overview and options for Apple devices in Microsoft Intune.
This section shows how to create an SSO app extension policy. For information on platform SSO, go to Configure platform SSO for macOS devices in Microsoft Intune.
In the Jamf Pro portal, you create a Computer configuration profile. This profile includes the settings to configure the SSO app extension on devices.
Sign in to the Jamf Pro portal.
To create a macOS profile, select Computers > Configuration profiles > New:
In Name, enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is: macOS-Microsoft Enterprise SSO plug-in.
In the Options column, scroll down and select Single Sign-On Extensions > Add:
Enter the following properties:
com.microsoft.CompanyPortalMac.ssoextension.UBF8T346G9.https://login.microsoftonline.comhttps://login.microsoft.comhttps://sts.windows.nethttps://login.partner.microsoftonline.cnhttps://login.chinacloudapi.cnhttps://login.microsoftonline.ushttps://login-us.microsoftonline.com
In Custom Configuration, you define other required properties. Jamf Pro requires that these properties are configured using an uploaded PLIST file. To see the full list of configurable properties, go to Microsoft Enterprise SSO plug-in for Apple devices documentation.
The following example is a recommended PLIST file that meets the needs of most organizations:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>AppPrefixAllowList</key>
<string>com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware.</string>
<key>browser_sso_interaction_enabled</key>
<integer>1</integer>
<key>disable_explicit_app_prompt</key>
<integer>1</integer>
</dict>
</plist>
These PLIST settings configure the following SSO Extension options. These properties are the default values used by the SSO app extension, but they can be customized for your organization needs:
| Key | Type | Description |
|---|---|---|
| AppPrefixAllowList | String | Recommended value: com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware. Enter a list of prefixes for apps that don't support MSAL and are allowed to use SSO. For example, enter com.microsoft.,com.apple.,com.jamf.,com.jamfsoftware. to allow all Microsoft, Apple, and Jamf Pro apps.Be sure these apps meet the allowlist requirements. |
| disable_explicit_app_prompt | Integer | Recommended value: 1 Some apps might incorrectly enforce end-user prompts at the protocol layer. If you see this problem, users are prompted to sign in, even though the Microsoft Enterprise SSO plug-in works for other apps. When set to 1 (one), you reduce these prompts. |
Tip
For more information on these properties, and other properties you can configure, go to Microsoft Enterprise SSO plug-in for Apple devices.
Select the Scope tab. Enter the computers or devices that should be targeted to receive the SSO Extension MDM profile.
Select Save.
When the device checks in with the Jamf Pro service, it receives this profile.
Tip
If you use Jamf Connect, it is recommended that you follow the latest Jamf guidance on integrating Jamf Connect with Microsoft Entra ID (opens Jamf Pro's web site). The recommended integration pattern ensures that Jamf Connect works properly with your Conditional Access policies and Microsoft Entra ID Protection.
If you're not deploying the Company Portal app using an app policy, then users must install it manually. Users don't need to use the Company Portal app, it just needs to be installed on the device.
Users sign in to any supported app or website to bootstrap the extension. Bootstrap is the process of signing in for the first time, which sets up the extension.
After users sign in successfully, the extension is automatically used to sign in to any other supported app or website.
You can test single sign-on by opening Safari in private mode (opens Apple's web site) and opening the https://portal.office.com site. No username and password will be required.
On macOS, when users sign in to a work or school app, they're prompted to opt in or out of SSO. They can select Don't ask me again to opt out of SSO and block future requests.
Users can also manage their SSO preferences in the Company Portal app for macOS. To edit preferences, go to the Company Portal app menu bar > Company Portal > Settings. They can select or deselect Don't ask me to sign in with single sign-on for this device.
Tip
Learn more about how the SSO plug-in works and how to troubleshoot the Microsoft Enterprise SSO Extension with the SSO troubleshooting guide for Apple devices.
For information about the Microsoft Enterprise SSO plug-in, go to Microsoft Enterprise SSO plug-in for Apple devices.
For information from Apple on the single sign-on extension payload, go to single sign-on extensions payload settings (opens Apple's web site).
For information on troubleshooting the Microsoft Enterprise SSO Extension, go to Troubleshooting the Microsoft Enterprise SSO Extension plugin on Apple devices.
Training
Module
Using single sign-on (SSO) with Office Add-ins - Training
This module explains how to use single sign-on in Office Add-ins.
Certification
Microsoft 365 Certified: Endpoint Administrator Associate - Certifications
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.