Microsoft Enterprise Single Sign-On, usually just called SSO, has until now been limited on Apple iOS/macOS devices. With the new (public preview) SSO plug-in bundled into the Microsoft Authenticator app, this changes.
The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts across all applications that support Apple’s Enterprise Single Sign-On feature. - Microsoft Docs
This blog post explains how to enable the feature through Microsoft Endpoint Manager (Intune), which makes it a breeze to implement.
UPDATE: This now works in preview for macOS; target macOS instead of iOS/iPadOS.
UPDATE: If your Teams client starts acting strange, try removing your device from being targeted by this policy and reboot the phone.
The Enterprise SSO plug-in bundled with the Microsoft Authenticator App has a few requirements that must be taken into account.
- iOS 13 is the minimum OS version supported.
- The latest version of the Microsoft Authenticator app with your identity configured.
- The device must be enrolled with Intune or another MDM.
- The SSO feature must be enabled through a device feature policy pushed from the organization that the device is enrolled in.
How to enable the SSO extension
To enable the plug-in using Microsoft Endpoint Manager Intune, you will go to the MEM portal at https://endpoint.microsoft.com.
If you want to target the macOS platform instead, replace the mentions of iOS with macOS throughout the steps below. Some of the data you need to enter is different for macOS; you can get instructions on that from this link:
Step 1: Creating a device feature profile
- Click on “Devices“
- Click on “iOS/iPadOS“
- Click on “Configuration profiles.”
- Click on “+ Create profile.”
- Select the Platform “iOS/iPadOS.”
- Select the Profile “Device features.”
- Click on “Create“
- Fill out the “Name” field.
My example uses: Enable Microsoft Enterprise SSO plug-in for Apple iOS.
- (Optionally) fill out the “Description” field.
My example uses: Configured according to Michael Mardahl’s blog post (and then the link to this article.)
- Click on “Next“
Step 2: Configuring the SSO App extension feature
Please pay special attention to the fact that we are configuring the “Single sign-on app extension” and not the separate “Single Sign On” feature, which configures the older Kerberos-based SSO payload and will not enable the Authenticator plug-in.
- Expand the “Single sign-on app extension” accordion item.
- Select the SSO app extension type “Redirect.”
- Fill out the Extension ID field with “com.microsoft.azureauthenticator.ssoextension“
- Add Microsoft’s SSO redirect URLs to the “URLs” list. The ones Microsoft documents are https://login.microsoftonline.com, https://login.microsoft.com and https://sts.windows.net for the global cloud, plus https://login.partner.microsoftonline.cn, https://login.chinacloudapi.cn, https://login.microsoftonline.us and https://login-us.microsoftonline.com for the national clouds. You only need the national-cloud entries if your tenant lives in one of those clouds, but you can add them all if you like.
- Add the Key “browser_sso_interaction_enabled” as Type “Integer” with a value of “1” in the Additional configuration area to enable the plug-in for all webpages.
- Add the Key “disable_explicit_app_prompt” as Type “Integer” with a value of “1” in the Additional configuration area to suppress credential prompts in some apps.
NB: Copy-pasting might not make the Intune validator happy, so if it complains, type a letter after the text you pasted and delete it again.
Step 3: Assign the policy to your pilot users group
- Select whom to assign this profile to. If you select anything other than “Selected groups”, you can skip to the Review step below.
- Click on “+ Select groups to include“.
- Search for and select the groups you wish to assign the profile to.
- Verify that the groups you selected are in the “Selected items” area.
- Click on “Select“.
- Click on “Next“.
- Review the Summary section, to confirm every detail that you just entered is there.
- Click on “Create“
You have completed all the required steps to enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune!
Now, you will either have to wait for your device to do a policy refresh or use one of the many options to force a sync, which is not the subject of this blog post.
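If you prefer to script the profile rather than click through the portal (for example to stamp out the same pilot configuration in several tenants), the same “Single sign-on app extension” settings can be submitted through the Microsoft Graph beta API. The script below is an added example written for this post; it is not code from the original article or from Microsoft. It builds the request body with exactly the values entered in Steps 1 to 3, runs a few sanity checks (the kind of stray-whitespace problems the Intune validator complains about when you copy-paste), and only talks to Graph if you pass a bearer token. The Graph type and property names used here (iosDeviceFeaturesConfiguration, iosSingleSignOnExtension, iosRedirectSingleSignOnExtension, keyIntegerValuePair, the /assign action) are my understanding of the beta schema and should be checked against the Graph reference before you rely on them.

```python
"""Build, validate and (optionally) submit the iOS SSO app-extension profile via Graph.

Added example, not the original post's code. The Graph beta schema names below are
assumptions to verify against the Microsoft Graph reference.
"""
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"
EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"

# Redirect URLs Microsoft documents for the Enterprise SSO plug-in (global + national clouds).
SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
    "https://login.partner.microsoftonline.cn",
    "https://login.chinacloudapi.cn",
    "https://login.microsoftonline.us",
    "https://login-us.microsoftonline.com",
]

# The two "Additional configuration" keys from Step 2, both Integer 1.
KNOWN_KEYS = {"browser_sso_interaction_enabled", "disable_explicit_app_prompt"}


def build_sso_profile(name, description="", urls=SSO_URLS,
                      browser_sso=True, suppress_prompts=True):
    """Return the JSON body for a Device features profile with a Redirect SSO extension."""
    configurations = []
    if browser_sso:
        configurations.append({"@odata.type": "#microsoft.graph.keyIntegerValuePair",
                               "key": "browser_sso_interaction_enabled", "value": 1})
    if suppress_prompts:
        configurations.append({"@odata.type": "#microsoft.graph.keyIntegerValuePair",
                               "key": "disable_explicit_app_prompt", "value": 1})
    return {
        "@odata.type": "#microsoft.graph.iosDeviceFeaturesConfiguration",  # assumed type name
        "displayName": name,
        "description": description,
        "iosSingleSignOnExtension": {                                        # assumed property
            "@odata.type": "#microsoft.graph.iosRedirectSingleSignOnExtension",
            "extensionIdentifier": EXTENSION_ID,
            "teamIdentifier": "",            # not needed on iOS; macOS profiles require it
            "redirectUrls": list(urls),
            "configurations": configurations,
        },
    }


def validate_profile(body):
    """Return a list of problems; empty means the profile looks like the portal steps."""
    ext = body["iosSingleSignOnExtension"]
    problems = []
    if ext["extensionIdentifier"] != EXTENSION_ID:
        problems.append("wrong extension ID: %r" % ext["extensionIdentifier"])
    for url in ext["redirectUrls"]:
        # Copy-pasted values often carry trailing spaces or non-ASCII characters.
        if url != url.strip() or not url.isascii():
            problems.append("stray whitespace/non-ASCII in URL %r" % url)
        elif not url.startswith("https://"):
            problems.append("non-HTTPS URL %s" % url)
    for cfg in ext["configurations"]:
        if cfg["key"] not in KNOWN_KEYS or cfg["value"] != 1:
            problems.append("unexpected configuration %r" % cfg)
    return problems


def build_assignment(group_ids):
    """Body for POST .../deviceConfigurations/{id}/assign targeting the pilot group(s)."""
    return {"assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": gid}}
        for gid in group_ids]}


def graph_post(path, body, token):
    """POST a JSON body to Graph beta with a bearer token (obtained out of band)."""
    req = urllib.request.Request(
        GRAPH_BETA + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    profile = build_sso_profile("Enable Microsoft Enterprise SSO plug-in for Apple iOS",
                                "Configured according to Michael Mardahl’s blog post")
    errors = validate_profile(profile)
    if errors:
        raise SystemExit("\n".join(errors))
    print(json.dumps(profile, indent=2))
    token = os.environ.get("GRAPH_TOKEN")            # hypothetical env var; none = dry run
    pilot_group = os.environ.get("PILOT_GROUP_ID")   # hypothetical env var (group object ID)
    if token and pilot_group:
        created = graph_post("/deviceManagement/deviceConfigurations", profile, token)
        graph_post("/deviceManagement/deviceConfigurations/%s/assign" % created["id"],
                   build_assignment([pilot_group]), token)
```

Run it without GRAPH_TOKEN and PILOT_GROUP_ID set to print the body and review it against the portal summary; set both (a token with DeviceManagementConfiguration.ReadWrite.All and the pilot group's object ID) to create and assign the profile.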
Testing the Single Sign-On experience
Testing this should be simple, right? In this example, you will use the good old Office 365 portal, http://portal.office.com, in Safari for iOS to check whether Single Sign-On works.
But before you rush off to test, please make sure that you don’t have any cached credentials, because that would just defeat the purpose! This guide from Apple support should get you sorted out.
Once you have confirmed that your device has received the configuration profile and that Safari’s cache is cleared, you should see the following type of SSO login prompt when accessing the Office 365 Portal.
I just love the “Connected to Windows” text.
For in-depth reading on the subject of the Microsoft Enterprise SSO plug-in for Apple iOS and macOS, I suggest the following Docs:
Thank you for reading!