Michael MardahlMicrosoft Enterprise Single Sign-On, also known purely as SSO, has up until now, been limited on Apple iOS/macOS devices. But with the new (public preview) SSO plug-in for the Microsoft Authenticator App, this all changes.
The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts across all applications that support Apple’s Enterprise Single Sign-On feature.
-Microsoft Docs
This blog post will explain how to enable the feature through Microsoft Endpoint Manager Intune, making it a breeze to implement.
UPDATE: This now works in preview for macOS; target macOS instead of iOS/iPadOS.
UPDATE: If your Teams client starts acting strange, try removing your device from being targeted by this policy and reboot the phone.
Overview
The Enterprise SSO plug-in bundled with the Microsoft Authenticator App has a few requirements that must be taken into account.
- iOS 13 is the minimum OS version supported.
- The latest version of the Microsoft Authenticator app with your identity configured.
- The device must be enrolled with Intune or another MDM.
- The SSO feature must be enabled through a device feature policy pushed from the organization that the device is enrolled in.
How to enable the SSO extension
To enable the plug-in using Microsoft Endpoint Manager Intune, you will go to the MEM portal at https://endpoint.microsoft.com.
Suppose you want to target the macOS platform instead. You can replace the mentions of iOS with macOS throughout the steps below, and some of the data you need to enter is different, but you can get instructions on that from this link:
https://docs.microsoft.com/en-us/mem/intune/configuration/macos-device-features-settings#single-sign-on-app-extension
Step 1: Creating a device feature profile
- Click on “Devices“
- Click on “iOS/iPadOS“
- Click on “Configuration profiles.”
- Click on “+ Create profile.”
- Select the Platform “iOS/iPadOS.”
- Select the Profile “Device features.”
- Click on “Create“
- Fill out the “Name” field.
My example uses: Enable Microsoft Enterprise SSO plug-in for Apple iOS. - (Optionally) fill out the “Description” field.
My example uses: Configured according to Michael Mardahl’s blog post (and then the link to this article.) - Click on “Next“
Step 2: Configuring the SSO App extension feature
Please pay special attention to the fact that we are configuring the “Single sign-on app extension” and not the “Single Sign On” feature.
- Expand the “Single sign-on app extension” accordion item.
- Select the SSO app extension type “Redirect.”
- Fill out the Extension ID field with “com.microsoft.azureauthenticator.ssoextension“
- Add the Microsoft SSO URL’s to the “URLs” list. You might only need some of the URL’s if you are not in a special tenant, but you can add them all if you like.
https://login.microsoftonline.com
https://login.microsoft.com
https://sts.windows.net
https://login.partner.microsoftonline.cn
https://login.chinacloudapi.cn
https://login.microsoftonline.de
https://login.microsoftonline.us
https://login.usgovcloudapi.net
https://login-us.microsoftonline.com - Add the Key “browser_sso_interaction_enabled” as Type “Integer” with a value of “1” in the Additional configuration area to enable the plug-in for all webpages.
- Add the Key “disable_explicit_app_prompt” as Type “Integer” with a value of “1” in the Additional configuration area to suppress credential prompts in some apps.
NB: Copy-pasting might not make the Intune validator happy, so if it complains, type a letter after the text you pasted and delete it again.
Step 3 Assign the policy to your pilot users group
- Select whom to assign this profile to. If you select anything other than “Selected groups“, you can skip to the next section.
- Click on “+ Select groups to include“.
- Search for and select the groups you wish to assign the profile to.
- Verify that the groups you selected are in the “Selected items” area.
- Click on “Select“.
- Click on “Next“.
- Review the Summary section, to confirm every detail that you just entered is there.
- Click on “Create“
You have completed all the required steps to enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune!
Now, you will either have to wait for your device to do a policy refresh or use one of the many options to force a sync, which is not the subject of this blog post.
Testing the Single Sign-On experience
Testing this should be simple, right? So in this example, you will use the good old Office 365 portal: http://portal.office.com in Safari for iOS to test if you got Single Sing-On to work.
But before you rush off to test, please make sure that you don’t have any cached credentials, because that would just defeat the purpose! This guide from Apple support should get you sorted out.
So, now if you have confirmed that your device has received the configuration profile and the cache in Safari is cleared. You should see the following type of SSO login prompt when accessing the Office 365 Portal.
I just love the “Connected to Windows” text.
Read more
For in-depth reading on the subject of the Microsoft Enterprise SSO plug-in for Apple iOS and macOS, I suggest the following Docs:
- https://docs.microsoft.com/en-us/azure/active-directory/develop/apple-sso-plugin
- https://docs.microsoft.com/en-us/mem/intune/configuration/ios-device-features-settings#single-sign-on-app-extension
- https://docs.microsoft.com/en-us/mem/intune/configuration/macos-device-features-settings#single-sign-on-app-extension
As always I am open to questions and suggestions through the comments, but more actively on Linkedin or Twitter (@michael_mardahl).
Thank you for reading!
Nickolaj Andersen
Maurice Daly
Sandy Zeng
Michael, have you configured this with Kerberos for on premises web based apps, rather than redirect? I have a client that would like to pilot this.
Hi Kevin,
Unfortunately not, this never really caught on with my clients.
Just a note about step 3:
Extension ID for Mac is “com.microsoft.CompanyPortalMac.ssoextension”, not “com.microsoft.azureauthenticator.ssoextension”, and the Team ID which is required is “UBF8T346G9”.
Also, still broken features are:
– Azure SSO for M365 desktop apps on Mac (MS should be fixing)
– Azure SSO for 3rd party apps and browsers (3rd parties should be fixing)
Essentially, this is Azure SSO for Safari on the Mac side currently. Nice that it’s working now, but not going to be making many peoples lives smoother until the above features are worked out.
If anyone’s got something working with the M365 desktop apps, or Chrome/Firefox I’d love to hear that I’m wrong though.
Has anyone tried to configure the SSO Extension in Jamf instead of Intune? Thanks to this article I got it working in Intune, but now want to try using it with Jamf instead.
Yes, Rob. This works with Jamf Pro as well.
Configurations are most likely the same for Jamf as well.
What should be the domain for the plist file for configuring “browser_sso_interaction_enabled” & “disable_explicit_app_prompt” keys while configuring Azure SSO App extension for macOS?
Good question, but I have not had time to dive into this extensively. Maybe someone will see your comment and answer?
On Jamf at least, you don’t need to specify a domain- you just upload as it as a simple plist, there’s a Custom Configuration section in the SSO Setup section
I’ve done this and it works flawlessly with all the Microsoft products, Teams, Edge and so on. but how do I get this to work with the google apps since our school uses both MS and Google, its not auto logging in to google even though the username and passwords are the same because of google sync.
I doubt it will work because google will not accept the tokens from Azure AD unless there is some sort of federation?
As I am not a user of Googles services, I cant test this.
Is this better then the SSO app extension type: Microsoft Azure AD ?
I don’t think it is a question of which is best.
The documentation on using this for iOS instructs us to use the redirect type.
On the macOS instructions, they are using the Azure AD type. So I am just guessing that it depends on the environment it’s being used in.
If you experiment with this, please let us know the outcome in the comments so that everyone can learn from your findings 🙂
Nice write up Michael. Wish there were more detail about using macOS. The link provided is useful but lacks crucial information(Extension ID and Team ID) for the company portal app. Even after using Microsoft own documentation (https://docs.microsoft.com/en-us/mem/intune/configuration/kernel-extensions-settings-macos) to try and find the need information I am left with nothing.
Hi Jeff,
Maybe try the article from Scott Breen – I have not actually had time to verify the macOS part, so I stuck with the iOS part and just added the notes about macOS for inspiration 🙂
https://www.linkedin.com/pulse/simplify-your-macos-logon-experiences-azure-ad-microsoft-scott-breen
It’s absurd that any of the steps past #2 are necessary at all. This data should auto-populate after steps 1 & 2. Why does Microsoft insist on making everything so difficult?
Hi James,
I agree that there should be a default for setting this. And an advanced mode.
But let’s not get ahead of ourselves – the fact is that this can be used for many things, not just the obvious login to M365 stuff.
Yes and no on that. Microsoft should have a dropdown to populate the data in Intune for Azure SSO, they know that and could easily manage it, but Azure is not the only SSO provider out there and we need to be able to populate this with whatever SSO we are using.
That’s exactly what I had in mind.
Michael good article. If you clear out cached logins where does it pull the initial login to pass through SSO? Is it from Outlook for iOS or the Intune app login?
Hi Jeremy,
The credentials are pulled as a token from the Authenticator App, so the initial login, as you say, is done when you configure the authenticator or enroll the device into MDM.
Modern authentication SSO is all about tokens, so no regular username/password combination is ever sent using this method.