MSEndpointMgr

Enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune

Microsoft Enterprise Single Sign-On, also known simply as SSO, has until now been limited on Apple iOS/macOS devices. But with the new (public preview) SSO plug-in for the Microsoft Authenticator app, this all changes.

The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts across all applications that support Apple’s Enterprise Single Sign-On feature.

-Microsoft Docs

This blog post will explain how to enable the feature through Microsoft Endpoint Manager Intune, making it a breeze to implement.

UPDATE: This now works in preview for macOS; target macOS instead of iOS/iPadOS.

UPDATE: If your Teams client starts acting strange, try removing your device from being targeted by this policy and reboot the phone.

Overview

The Enterprise SSO plug-in bundled with the Microsoft Authenticator App has a few requirements that must be taken into account.

  • iOS 13 is the minimum OS version supported.
  • The latest version of the Microsoft Authenticator app with your identity configured.
  • The device must be enrolled with Intune or another MDM.
  • The SSO feature must be enabled through a device feature policy pushed from the organization that the device is enrolled in.

How to enable the SSO extension

To enable the plug-in using Microsoft Endpoint Manager Intune, go to the MEM portal at https://endpoint.microsoft.com.

If you want to target the macOS platform instead, replace the mentions of iOS with macOS throughout the steps below. Some of the data you need to enter differs for macOS; you can get instructions on that from this link:
https://docs.microsoft.com/en-us/mem/intune/configuration/macos-device-features-settings#single-sign-on-app-extension

Step 1: Creating a device feature profile

  1. Click on “Devices.”
  2. Click on “iOS/iPadOS.”
How to get to the iOS device list in Microsoft Endpoint Manager Intune
  1. Click on “Configuration profiles.”
  2. Click on “+ Create profile.”
  3. Select the Platform “iOS/iPadOS.”
  4. Select the Profile “Device features.”
  5. Click on “Create.”
How to create a new device features profile
  1. Fill out the “Name” field.
    My example uses: Enable Microsoft Enterprise SSO plug-in for Apple iOS.
  2. (Optionally) fill out the “Description” field.
    My example uses: Configured according to Michael Mardahl’s blog post (and then the link to this article.)
  3. Click on “Next.”
Configuring a device features profile with Microsoft Endpoint Manager Intune

Step 2: Configuring the SSO App extension feature

Please pay special attention to the fact that we are configuring the “Single sign-on app extension” and not the “Single Sign On” feature.

  1. Expand the “Single sign-on app extension” accordion item.
  2. Select the SSO app extension type “Redirect.”
  3. Fill out the Extension ID field with “com.microsoft.azureauthenticator.ssoextension.”
  4. Add the Microsoft SSO URLs to the “URLs” list. You might only need some of the URLs if you are not in a special tenant, but you can add them all if you like.

    https://login.microsoftonline.com
    https://login.microsoft.com
    https://sts.windows.net
    https://login.partner.microsoftonline.cn
    https://login.chinacloudapi.cn
    https://login.microsoftonline.de
    https://login.microsoftonline.us
    https://login.usgovcloudapi.net
    https://login-us.microsoftonline.com

  5. Add the Key “browser_sso_interaction_enabled” as Type “Integer” with a value of “1” in the Additional configuration area to enable the plug-in for all webpages.
  6. Add the Key “disable_explicit_app_prompt” as Type “Integer” with a value of “1” in the Additional configuration area to suppress credential prompts in some apps.

    NB: Copy-pasting might not make the Intune validator happy, so if it complains, type a letter after the pasted text and delete it again.
Configuring the “Single sign-on app extension” for apple device features in Microsoft Endpoint Manager Intune
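As an added example (not the author's code, nor Microsoft's), here is a Python script that builds the Apple Extensible SSO payload equivalent to the Step 2 settings above and sanity-checks it before it is handed to an MDM that accepts raw plists, or compared with what Intune pushes. The PayloadIdentifier is a hypothetical value, and the optional team_id argument is only needed for macOS, where Apple requires a TeamIdentifier.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Settings taken from Step 2 above (iOS/iPadOS, SSO extension type "Redirect").
EXTENSION_ID = "com.microsoft.azureauthenticator.ssoextension"
SSO_URLS = [
    "https://login.microsoftonline.com",
    "https://login.microsoft.com",
    "https://sts.windows.net",
]
EXTRA_CONFIG = {"browser_sso_interaction_enabled": 1, "disable_explicit_app_prompt": 1}


def build_sso_payload(extension_id, urls, extra_config, team_id=None):
    """Build a dict shaped like Apple's com.apple.extensiblesso payload."""
    payload = {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.redirect",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Enable Microsoft Enterprise SSO plug-in",
        "ExtensionIdentifier": extension_id,
        "Type": "Redirect",
        "URLs": list(urls),
        "ExtensionData": dict(extra_config),  # the "Additional configuration" keys
    }
    if team_id:  # Apple requires the TeamIdentifier on macOS, not on iOS
        payload["TeamIdentifier"] = team_id
    return payload


def check_sso_payload(payload):
    """Return a list of problems; an empty list means the payload looks sane."""
    problems = []
    if payload.get("Type") != "Redirect":
        problems.append("Type must be Redirect for the Authenticator extension")
    for url in payload.get("URLs", []):
        if url != url.strip():  # the stray whitespace the Intune validator chokes on
            problems.append(f"URL has leading/trailing whitespace: {url!r}")
        parts = urlsplit(url.strip())
        if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
            problems.append(f"URL must be a bare https origin: {url}")
    for key, value in payload.get("ExtensionData", {}).items():
        if type(value) is not int:  # must be a true Integer, not "1" or True
            problems.append(f"{key} must be an Integer, got {type(value).__name__}")
    return problems


def roundtrip(payload):
    """Serialise to XML plist bytes and parse back, as an MDM would."""
    return plistlib.loads(plistlib.dumps(payload))
```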

Step 3: Assign the policy to your pilot users group

  1. Select whom to assign this profile to. If you select anything other than “Selected groups,” you can skip to the next section.
  2. Click on “+ Select groups to include.”
  3. Search for and select the groups you wish to assign the profile to.
  4. Verify that the groups you selected are in the “Selected items” area.
  5. Click on “Select.”
  6. Click on “Next.”
Assigning a profile to selected groups using MEM Intune
  1. Review the Summary section to confirm that every detail you just entered is there.
  2. Click on “Create.”
Reviewing profile setting in Microsoft Endpoint Manager Intune

You have completed all the required steps to enable Microsoft Enterprise SSO plug-in for Apple Devices through Intune!

Now you will either have to wait for your device to do a policy refresh or use one of the many options to force a sync, which is outside the scope of this blog post.

Testing the Single Sign-On experience

Testing this should be simple, right? In this example, you will use the good old Office 365 portal (http://portal.office.com) in Safari for iOS to test whether Single Sign-On works.

But before you rush off to test, please make sure that you don’t have any cached credentials, because that would just defeat the purpose! This guide from Apple support should get you sorted out.

So, once you have confirmed that your device has received the configuration profile and the Safari cache is cleared, you should see the following type of SSO login prompt when accessing the Office 365 portal.

SSO login experience using Microsoft Enterprise plug-in for Authenticator app on Apple iOS

I just love the “Connected to Windows” text.

Read more

For in-depth reading on the subject of the Microsoft Enterprise SSO plug-in for Apple iOS and macOS, I suggest the following Docs:

As always, I am open to questions and suggestions through the comments, but more actively on LinkedIn or Twitter (@michael_mardahl).

Thank you for reading!

Michael Mardahl

Michael Mardahl is a seasoned IT pro with over 25 years of experience under his belt. He's a Microsoft Certified Cloud Architect at APENTO in Denmark, where he helps customers move from traditional infrastructure to the cloud while keeping security top of mind. When he's not working, Michael's either spending time with his family and friends or passionately blogging about Microsoft cloud technology. His expertise in this area has even earned him the prestigious title of Microsoft Most Valuable Professional (MVP) in both the Enterprise Mobility and Security categories. In short, Michael is the IT equivalent of a rockstar, but don't expect him to act like one - he's way too down-to-earth for that.

20 comments

  • Michael, have you configured this with Kerberos for on premises web based apps, rather than redirect? I have a client that would like to pilot this.

    • Hi Kevin,

      Unfortunately not, this never really caught on with my clients.

  • Just a note about step 3:

    Extension ID for Mac is “com.microsoft.CompanyPortalMac.ssoextension”, not “com.microsoft.azureauthenticator.ssoextension”, and the Team ID which is required is “UBF8T346G9”.

    Also, still broken features are:
    – Azure SSO for M365 desktop apps on Mac (MS should be fixing)
    – Azure SSO for 3rd party apps and browsers (3rd parties should be fixing)

    Essentially, this is Azure SSO for Safari on the Mac side currently. Nice that it’s working now, but not going to be making many peoples lives smoother until the above features are worked out.

    If anyone’s got something working with the M365 desktop apps, or Chrome/Firefox I’d love to hear that I’m wrong though.

  • Has anyone tried to configure the SSO Extension in Jamf instead of Intune? Thanks to this article I got it working in Intune, but now want to try using it with Jamf instead.

    • Yes, Rob. This works with Jamf Pro as well.

      Configurations are most likely the same for Jamf as well.

  • What should be the domain for the plist file for configuring “browser_sso_interaction_enabled” & “disable_explicit_app_prompt” keys while configuring Azure SSO App extension for macOS?

    • Good question, but I have not had time to dive into this extensively. Maybe someone will see your comment and answer?

      • On Jamf at least, you don’t need to specify a domain; you just upload it as a simple plist. There’s a Custom Configuration section in the SSO Setup section.

  • I’ve done this and it works flawlessly with all the Microsoft products, Teams, Edge and so on. But how do I get this to work with the Google apps, since our school uses both MS and Google? It’s not auto-logging in to Google even though the username and passwords are the same because of Google sync.

    • I doubt it will work, because Google will not accept the tokens from Azure AD unless there is some sort of federation?
      As I am not a user of Google’s services, I can’t test this.

    • I don’t think it is a question of which is best.
      The documentation on using this for iOS instructs us to use the redirect type.
      On the macOS instructions, they are using the Azure AD type. So I am just guessing that it depends on the environment it’s being used in.
      If you experiment with this, please let us know the outcome in the comments so that everyone can learn from your findings 🙂

  • It’s absurd that any of the steps past #2 are necessary at all. This data should auto-populate after steps 1 & 2. Why does Microsoft insist on making everything so difficult?

    • Hi James,
      I agree that there should be a default for setting this. And an advanced mode.
      But let’s not get ahead of ourselves – the fact is that this can be used for many things, not just the obvious login to M365 stuff.

    • Yes and no on that. Microsoft should have a dropdown to populate the data in Intune for Azure SSO, they know that and could easily manage it, but Azure is not the only SSO provider out there and we need to be able to populate this with whatever SSO we are using.

  • Michael good article. If you clear out cached logins where does it pull the initial login to pass through SSO? Is it from Outlook for iOS or the Intune app login?

    • Hi Jeremy,
      The credentials are pulled as a token from the Authenticator App, so the initial login, as you say, is done when you configure the authenticator or enroll the device into MDM.
      Modern authentication SSO is all about tokens, so no regular username/password combination is ever sent using this method.
