Easily configuring the Microsoft Enterprise SSO plug-in for Apple devices

This week is all about the Microsoft Enterprise SSO plug-in for Apple devices, on both iOS/iPadOS and macOS. That plug-in provides single sign-on (SSO) for Azure AD accounts across all apps that support the enterprise SSO feature of Apple. On iOS/iPadOS devices the plug-in is provided as an extension of the Microsoft Authenticator app and on macOS devices it is provided as an extension of the Company Portal app. The extensions can be enabled by using Microsoft Intune. In this post I’ll start with having a look at the configuration options, followed by the configuration steps. I’ll end this post by having a look at the end-user experience.

Important: Keep in mind that, at the moment of writing, this is still preview functionality.

Configuration options for the Microsoft Enterprise SSO plug-in

Let’s start by having a look at the configuration options for the Microsoft Enterprise SSO plug-in. The Microsoft Enterprise SSO plug-in is a redirect-type SSO app extension. That plug-in provides SSO for Azure AD accounts across all apps that support the enterprise SSO feature of Apple and that authenticate via Azure AD. That includes accessing websites via supported browsers. In those cases, the SSO plug-in acts as an advanced authentication broker. On iOS/iPadOS devices the SSO plug-in is provided as an extension of the Microsoft Authenticator app and on macOS devices it is provided as an extension of the Company Portal app. Configuring the SSO app extension enables the SSO plug-in. The redirect SSO app extension configuration, for iOS/iPadOS and macOS devices, is provided in the table below. The extension identifier and the team identifier together pin the configuration to the extension that Microsoft ships and signs, and the URLs are the Azure AD sign-in endpoints for which the operating system hands the authentication request to that extension instead of to a web view.

Property              iOS/iPadOS                                     macOS
Type                  Redirect                                       Redirect
Extension identifier  com.microsoft.azureauthenticator.ssoextension  com.microsoft.CompanyPortalMac.ssoextension
Team identifier       SGGM6D27TK                                     UBF8T346G9
URLs                  https://login.microsoftonline.com              https://login.microsoftonline.com
                      https://login.microsoft.com                    https://login.microsoft.com
                      https://sts.windows.net                        https://sts.windows.net
                      https://login.partner.microsoftonline.cn       https://login.partner.microsoftonline.cn
                      https://login.chinacloudapi.cn                 https://login.chinacloudapi.cn
                      https://login.microsoftonline.de               https://login.microsoftonline.de
                      https://login.microsoftonline.us               https://login.microsoftonline.us
                      https://login-us.microsoftonline.com           https://login-us.microsoftonline.com

Note: The information in the table above is taken from a configured iPadOS device (Settings > General > Device Management > Management Profile > More Details > Authenticator) and a configured macOS device (System Preferences > Profiles > Extensible Single Sign On Profile – {GUID}). Those devices were configured by using the configuration steps provided in this post.

This all means that, to use the SSO app extension, an administrator should make sure that the correct app is installed and that the correct configuration is applied. That configuration can only be applied when the device is managed, because the SSO app extension is only enabled through an MDM-delivered profile. Once the correct app is installed and the SSO app extension is configured, users enter their credentials once to sign in and establish a session on their Apple device. That session is then used across the different supported apps on their Apple device, without requiring users to authenticate again.

Note: Make sure to use the latest version of the Microsoft Authenticator app (iOS/iPadOS) and the latest version of the Company Portal app (macOS).

In addition to the default behavior, there are additional configuration options available to extend the SSO functionality to additional apps. Those settings are described in the table below and are recommended. Both keys are configured as Integer values, not booleans or strings.

Key                              Type     Value  Description
browser_sso_interaction_enabled  Integer  1      Enables non-MSAL apps and the Safari browser to do the initial bootstrapping and get a shared credential.
disable_explicit_app_prompt      Integer  1      Restricts the ability of both native and web applications to force an end-user prompt on the protocol layer and bypass SSO.

Configuring the Microsoft Enterprise SSO plug-in

Once the configuration options and requirements are clear, it’s time to look at the configuration of the Microsoft Enterprise SSO plug-in. The configuration for iOS/iPadOS and macOS devices is identical; only the platform is different. That platform difference makes sure that the correct configuration is applied to the correct app. The following eight steps walk through the configuration of the Microsoft Enterprise SSO plug-in.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Configuration profiles to open the Devices | Configuration profiles blade
  2. On the Devices | Configuration profiles blade, select Create profile to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Depending on the platform of choice, select iOS/iPadOS or macOS
  • Profile: Select Device features
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the device features profile
  • Description: (Optional) Provide a valid description for the device features profile
  5. On the Configuration settings page, configure at least the Single sign-on app extension section by providing the following information (see Figure 1 for an example configuration for iOS/iPadOS and Figure 2 for an example configuration for macOS) and click Next
  • SSO app extension type: Select Microsoft Azure AD
  • Enable shared device mode: Select Not configured
  • App bundle IDs: Add the bundle identifiers of any additional apps that should use the Microsoft Azure AD single sign-on extension and that don’t use the (latest) Microsoft libraries
  • Additional configuration: Configure the earlier mentioned key-value pairs
    • Key: browser_sso_interaction_enabled; Type: Integer; Value: 1
    • Key: disable_explicit_app_prompt; Type: Integer; Value: 1

Note: When the earlier described configuration is not sufficient, because more URLs are required, configure an SSO app extension type of Redirect instead. In that case the extension identifier, team identifier and URLs from the table above have to be provided manually, so start with that configuration and add the additional URLs.

  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create
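To make the values from the two tables above concrete, and to give an administrator something to check before a manually built Redirect-type profile (the note above) is assigned, here is an added Python example. It is not part of the original post and not Microsoft’s or Apple’s code. It builds the equivalent com.apple.extensiblesso payload from the extension identifier, team identifier, URLs and additional configuration in this post, wraps it in a configuration profile, and flags the things that silently break SSO: a non-https URL, an extension/team pair that is not the Microsoft-signed extension, and the two recommended keys not being plain Integer 0/1 values. The payload key names (Type, ExtensionIdentifier, TeamIdentifier, URLs, ExtensionData) come from Apple’s Extensible SSO profile reference, the AppAllowList key for app bundle IDs from Microsoft’s plug-in documentation, and the com.example identifiers are hypothetical; none of those are taken from the post.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Per-platform extension values, as read from a configured device (table in the post).
MICROSOFT_SSO_EXTENSIONS = {
    "ios": {"ExtensionIdentifier": "com.microsoft.azureauthenticator.ssoextension",
            "TeamIdentifier": "SGGM6D27TK"},
    "macos": {"ExtensionIdentifier": "com.microsoft.CompanyPortalMac.ssoextension",
              "TeamIdentifier": "UBF8T346G9"},
}

# Azure AD sign-in URLs the redirect extension intercepts (table in the post).
AZURE_AD_LOGIN_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.de",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]

# Recommended additional configuration (post); must serialise as plist integers.
RECOMMENDED_EXTENSION_DATA = {
    "browser_sso_interaction_enabled": 1,
    "disable_explicit_app_prompt": 1,
}

KNOWN_PAIRS = {(v["ExtensionIdentifier"], v["TeamIdentifier"])
               for v in MICROSOFT_SSO_EXTENSIONS.values()}


def build_sso_payload(platform, extra_urls=(), app_bundle_ids=(), extension_data=None):
    """Return a com.apple.extensiblesso payload dict for "ios" or "macos".

    extra_urls adds endpoints beyond the built-in list (the Redirect-type note);
    app_bundle_ids go into the AppAllowList extension-data key that Microsoft
    documents for non-MSAL apps (assumption, not taken from the post).
    """
    ids = MICROSOFT_SSO_EXTENSIONS[platform]
    data = dict(RECOMMENDED_EXTENSION_DATA if extension_data is None else extension_data)
    if app_bundle_ids:
        data["AppAllowList"] = ",".join(app_bundle_ids)
    urls = list(dict.fromkeys([*AZURE_AD_LOGIN_URLS, *extra_urls]))  # de-duplicate, keep order
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": f"com.example.sso.{platform}",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Type": "Redirect",
        "ExtensionIdentifier": ids["ExtensionIdentifier"],
        "TeamIdentifier": ids["TeamIdentifier"],
        "URLs": urls,
        "ExtensionData": data,
    }


def validate_sso_payload(payload):
    """Return the problems that stop the extension from getting, or make it
    mis-route, the shared credential; an empty list means the payload looks right."""
    problems = []
    if payload.get("Type") != "Redirect":
        problems.append("Type must be Redirect for the Azure AD extension")
    pair = (payload.get("ExtensionIdentifier"), payload.get("TeamIdentifier"))
    if pair not in KNOWN_PAIRS:
        problems.append(f"unknown extension/team pair {pair}: not the Microsoft-signed extension")
    urls = payload.get("URLs") or []
    if not urls:
        problems.append("a Redirect extension needs at least one URL")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"URL must be https:// with a host: {url!r}")
    data = payload.get("ExtensionData") or {}
    for key in RECOMMENDED_EXTENSION_DATA:
        value = data.get(key)
        if value is None:
            problems.append(f"recommended key {key} is missing")
        # bool is a subclass of int in Python, but <true/> is not <integer>1</integer>
        elif isinstance(value, bool) or not isinstance(value, int) or value not in (0, 1):
            problems.append(f"{key} must be an Integer 0 or 1, got {value!r}")
    return problems


def build_mobileconfig(payload, display_name="Microsoft Enterprise SSO plug-in"):
    """Wrap a payload in a top-level configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": payload["PayloadIdentifier"] + ".profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    mac = build_sso_payload("macos", app_bundle_ids=["com.example.legacyapp"])
    print(build_mobileconfig(mac).decode())
    # A boolean or a string for the recommended keys is the typical mistake
    # when a profile is hand-built instead of generated by Intune.
    wrong = dict(mac, ExtensionData={"browser_sso_interaction_enabled": True,
                                     "disable_explicit_app_prompt": "1"})
    for problem in validate_sso_payload(wrong):
        print("problem:", problem)
```

Running the script prints the macOS profile as XML and then the two type problems for the deliberately wrong payload. The team identifier check is the one worth keeping in any profile pipeline: the extension identifier on its own is a string anyone can reuse, and it is the pairing with Microsoft’s team identifier that ties the shared credential to the extension Microsoft actually signs.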

End-user experience with the Microsoft Enterprise SSO plug-in

Now let’s end by having a look at the end-user experience with a configured Microsoft Enterprise SSO plug-in. To create the best picture, I’ve used the Safari browser on a macOS device, and the experience was awesome. That experience is shown below, in Figure 3, by navigating to portal.office.com and simply picking the required account.

Note: The end-user experience is identical on iOS/iPadOS devices.

More information

For more information about the Microsoft Enterprise SSO plug-in and configuring device features on iOS/iPadOS and macOS devices, refer to the following docs.